FIDO

What is FIDO?

FIDO (Fast IDentity Online) is an open standard for strong authentication that replaces passwords with cryptographic security keys, enabling secure, phishing-resistant login through local user verification methods like biometrics, PINs, or hardware tokens. FIDO authentication uses public key cryptography instead of shared secrets: users verify their identity through a local action (a biometric, a PIN, or a security key), and it supports both password-less and second-factor login options.

Supported FIDO Authenticators

Exostar supports the following FIDO authenticators and corresponding security controls, and each type is offered with or without proofing:

  1. FIDO FIPS Security Keys (Device-bound passkey and FIPS 140-2/3 Validated): FIDO FIPS Security Keys are hardware authenticators that meet the NIST FIPS 140-2 cryptographic module validation requirements. They provide strong hardware-backed security and are approved for use in U.S. federal environments where AAL3 assurance is required. These keys combine phishing resistance, cryptographic protection, and compliance with federal standards.
  2. FIDO Security Keys (Device-bound passkey and L2 Certified but non-FIPS validated): FIDO Security Keys are hardware-based devices that provide strong cryptographic authentication. They protect against phishing by ensuring only the legitimate site can authenticate you. Users confirm their identity by touching the key or entering a PIN when prompted.
  3. FIDO Certification L1 (Device-bound passkey and L1 Certified, but non-FIPS validated): FIDO Certification L1 authenticators are hardware-based devices that provide strong cryptographic authentication. They protect against phishing by ensuring only the legitimate site can authenticate you. Users confirm their identity by touching the key or entering a PIN when prompted.
  4. FIDO Synced Passkeys (Platform-bound): FIDO Synced Passkeys are discoverable credentials stored by platform authenticators (e.g., iCloud Keychain, Google Password Manager, or Windows Hello). These credentials are synced across devices using secure cloud infrastructure.

Product | FIDO FIPS Security Key allowed | FIDO Security Key allowed | FIDO Security Key L1 allowed | Synced Passkey allowed
MAG | Yes. Only Required Applications | Yes. Available to all Applications | No | No


Exostar Products Supporting FIDO Authenticators

Exostar products support FIDO Authenticators based on the security assurance level each product requires and the corresponding assurance level the FIDO Authenticator is capable of delivering.


MAG Product Support for FIDO Authenticators

The following FIDO Authenticators are currently approved for authentication under MAG for all applications:

  1. FIDO FIPS Security Keys
  2. FIDO Security Keys

Upon request, use of only FIDO FIPS Security Keys can be enforced for certain applications. Please consult with your Exostar Support representative to enable this option.


Other Products Supporting FIDO Authenticators

The lowest assurance level MAG allows for FIDO Authenticators for all MAG customers is listed below:

  • FIDO FIPS Security Keys

  • FIDO Security Keys

  • FIDO Security Keys L1

  • Synced Passkeys with no metadata restrictions as per the FIDO Alliance. That includes the following:

    • Synced Passkeys with Microsoft platform (Fabric)

    • Synced Passkeys with Apple iCloud platform (Fabric)

    • Synced Passkeys with Google Password Manager platform (Fabric)

Updated on December 4, 2025