So let's clarify a few things:

— Authenticator — A device, or a piece of software running on some platform, that is used to verify the user and produce assertions.

— User Verification — how the authenticator checks the user. That's where the biometrics bit happens.

— Authentication — the process of verifying the assertion produced by the user's authenticator.

So here are a few rules of FIDO engagement:

— An authenticator can be used with accounts on multiple websites

— An account can have multiple authenticators

So the flow would work like this:

— You create an account, register your mobile authenticator, and verify yourself with your fingerprint

— You log in to the website on your laptop and authenticate yourself via a push request to the phone

— You add your USB security key to your account, since you are already logged in

FIDO authenticators can have different user verification methods. Some may have a fingerprint reader. Some may use a Client PIN. The point is that for passwordless login you just need to perform multi-factor authentication, and a FIDO authenticator (something you have) plus biometrics (something you are) or a PIN (something you know) satisfies that. The result is passwordless authentication: the website stores only a public key for each registered authenticator, and no password is ever sent over the internet.
