How it works – Registration
FIDO authentication employs a challenge/response mechanism based on digital signatures. Before using FIDO with a specific app or website, a user must first access it and complete a registration process, during which the user submits their biometrics and PIN. For every successful biometric/PIN match during registration, a public/private key pair is created. The private key is retained on the client in a cryptographic keystore, and the public key is sent to the server, where it is saved in a keystore under the user’s ID.
How it works – Login
Upon a login attempt, the FIDO Server creates a random challenge and sends it to the FIDO Client. The user is prompted again to enter their biometrics/PIN, which the FIDO Authenticator matches locally against the biometrics enrolled for that user; the biometrics and PIN are never transmitted to the server. A successful match unlocks the private key in the FIDO Client keystore. The FIDO Client signs the challenge with the user’s private key and sends the signature to the FIDO Server. The server verifies the signature using the public key received during registration, and the user is permitted to log in.