How Does FIDO Work?


The registration process is fairly simple. The user requests a new registration flow from the Relying Party (RP), also called the Service Provider (SP). The RP connects to the FIDO server (which could be self-hosted or hosted by a third-party Identity Provider (IdP)) to obtain a challenge (think of it as a random string) and sends that to the user.
The user's authenticator generates a private/public key pair, stores the private key on the authenticator device, and produces a digital signature by signing the challenge. The user then sends the digital signature along with the corresponding public key to the RP, which forwards it to the FIDO server.
The FIDO server verifies the signature and stores the public key in its database.
(Figure: FIDO Registration Flow)


During authentication, a similar process happens. The user uses the authenticator to sign a challenge (produced by the FIDO server for the new session) and generate a digital signature. The user sends the digital signature as the response to the RP, which forwards it to the FIDO server.
The FIDO server verifies the signature over the challenge with the stored public key corresponding to that user and device, and returns success or failure to the RP.
(Figure: FIDO Authentication Flow)
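As an added example (not code from the original page or from any FIDO implementation), the registration and authentication exchanges described above, modelled in Go with Ed25519 from the standard library. It is deliberately simplified: the authenticator signs the raw challenge, whereas real WebAuthn signs authenticator data plus a hash of client data that carries the challenge and origin. The FIDOServer and Authenticator types, the per-user pending-challenge map and the RoundTrip helper are assumptions of this example. Beyond the signature check itself it shows two things a verifier needs: the challenge is consumed on first use so a replayed signature fails, and the key used at login comes from the server's own database, never from the request.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// FIDOServer is an assumed, simplified model of the page's "FIDO server":
// it holds outstanding challenges and the registered public keys.
type FIDOServer struct {
	pending map[string][]byte                      // user -> outstanding challenge
	creds   map[string]map[string]ed25519.PublicKey // user -> credential id -> public key
}

func NewFIDOServer() *FIDOServer {
	return &FIDOServer{pending: map[string][]byte{}, creds: map[string]map[string]ed25519.PublicKey{}}
}

// NewChallenge issues a fresh random challenge (used for both registration and
// authentication) and remembers it so that a response is accepted only once.
func (s *FIDOServer) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// consumeChallenge returns the outstanding challenge and deletes it, so a
// replayed signature finds nothing to verify against.
func (s *FIDOServer) consumeChallenge(user string) ([]byte, error) {
	c, ok := s.pending[user]
	if !ok {
		return nil, errors.New("no outstanding challenge for user")
	}
	delete(s.pending, user)
	return c, nil
}

// FinishRegistration checks that the submitted public key signed the challenge,
// then stores the key under (user, credential id) for later logins.
func (s *FIDOServer) FinishRegistration(user, credID string, pub ed25519.PublicKey, sig []byte) error {
	c, err := s.consumeChallenge(user)
	if err != nil {
		return err
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, c, sig) {
		return errors.New("registration: signature does not verify under submitted key")
	}
	if s.creds[user] == nil {
		s.creds[user] = map[string]ed25519.PublicKey{}
	}
	s.creds[user][credID] = pub
	return nil
}

// FinishAuthentication verifies the signature with the key stored at
// registration; the request itself carries no key.
func (s *FIDOServer) FinishAuthentication(user, credID string, sig []byte) error {
	c, err := s.consumeChallenge(user)
	if err != nil {
		return err
	}
	pub, ok := s.creds[user][credID]
	if !ok {
		return errors.New("authentication: unknown credential for user")
	}
	if !ed25519.Verify(pub, c, sig) {
		return errors.New("authentication: bad signature")
	}
	return nil
}

// Authenticator models the user's device; private keys never leave it.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }

// Register creates a key pair, keeps the private half, and returns the
// credential id, the public key and the signature over the challenge.
func (a *Authenticator) Register(challenge []byte) (string, ed25519.PublicKey, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, nil, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", nil, nil, err
	}
	credID := hex.EncodeToString(id)
	a.keys[credID] = priv
	return credID, pub, ed25519.Sign(priv, challenge), nil
}

// Sign answers an authentication challenge with the stored private key.
func (a *Authenticator) Sign(credID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[credID]
	if !ok {
		return nil, errors.New("authenticator: unknown credential")
	}
	return ed25519.Sign(priv, challenge), nil
}

// RoundTrip runs registration then authentication for one user and reports
// whether login succeeded and whether replaying the same signature is rejected.
func RoundTrip(user string) (loginOK, replayRejected bool, err error) {
	server, device := NewFIDOServer(), NewAuthenticator()
	c, err := server.NewChallenge(user)
	if err != nil {
		return false, false, err
	}
	credID, pub, sig, err := device.Register(c)
	if err != nil {
		return false, false, err
	}
	if err = server.FinishRegistration(user, credID, pub, sig); err != nil {
		return false, false, err
	}
	if c, err = server.NewChallenge(user); err != nil {
		return false, false, err
	}
	if sig, err = device.Sign(credID, c); err != nil {
		return false, false, err
	}
	loginOK = server.FinishAuthentication(user, credID, sig) == nil
	// The challenge was consumed above, so presenting the same signature again must fail.
	replayRejected = server.FinishAuthentication(user, credID, sig) != nil
	return loginOK, replayRejected, nil
}

func main() {
	ok, replay, err := RoundTrip("alice")
	fmt.Println("login ok:", ok, "replay rejected:", replay, "err:", err)
}
```

Run it with `go run .`; the same binary demonstrates that the public key is only ever read from the server's database at login, which is the point the next section picks up.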

The answer to our "second" question

Now we have the answer to our second question: "How does a verifier get the public key of the prover to verify the digital signature?"
The FIDO server stores the public key in its database during registration and fetches it at authentication time to verify the digital signature.
So, what's the issue here?