How many FIDO protocols are needed? Analysing the technology, security and compliance

Abstract

To overcome the security vulnerabilities caused by weak passwords, thus bridge the gap between user friendly interfaces and advanced security features, the Fast IDentity Online (FIDO) alliance defined a number of authentication protocols. The existing literature leverages all versions of the FIDO protocols, without indicating the reasons behind the choice of each individual FIDO protocol (i.e., U2F, UAF, FIDO2). Inevitably, the question ”which protocol is more suitable per case” becomes significant. To provide an answer to the previous question, this paper performs a thorough comparative analysis on the different protocol specifications and their technological and market support, to identify whether any protocol has become obsolete. To reach to a conclusion, the proposed approach i) explores the existing literature, ii) analyses the specifications released by the FIDO Alliance, elaborating on the security characteristics, iii) inspects the technical adoption by the industry and iv) investigates the compliance of the FIDO with standards, regulations and other identity verification protocols. Our results indicate that FIDO2 is the most widely adopted solution; however, U2F remains supported by numerous web services as a two-factor authentication (2FA) choice, while UAF continues to be utilized in mobile clients seeking to offer the Transaction Confirmation feature.