wolfSSL FIDO Compliance
As organizations move away from traditional password-based authentication, FIDO (Fast Identity Online) has emerged as one of the leading standards for strong authentication. wolfSSL is positioned to support this transition with our robust cryptography library, wolfCrypt, which implements many of the core algorithms required for FIDO compliance. This blog outlines how wolfSSL can serve as a foundation for FIDO-compliant authentication solutions.
FIDO and Why It Matters
FIDO (Fast Identity Online) Alliance maintains strict standards for cryptographic implementations in authentication systems with a mission to reduce the reliance of passwords. With wolfCrypt implementing most of the FIDO-approved algorithms, this means wolfSSL can provide developers with a compliant cryptographic foundation for their FIDO authentication solutions for both large, web-connected systems as well as embedded microcontrollers.
Existing FIDO-Approved Algorithms
wolfSSL already implements many of the cryptographic algorithms from FIDO’s allowed cryptography list[1], including:
- SHA-256, SHA-384, SHA-512, SHA3-256, SHA3-384 and SHA3-512
- HMAC capabilities with the allowed hash functions
- HMAC implementation for secure message authentication
- AES-CMAC support for lightweight authentication
- AES-GCM for authenticated encryption
- RSA PSS and PKCS#1 v1.5 signature support
- Ed25519 signatures
The only missing algorithms in wolfSSL are the implementation of ED256, ED256-2, ED512 and ED638.
wolfSSL also meets FIDO’s deterministic random number/bit generator requirements as wolfCrypt is NIST FIPS 140-2/3 compliant which uses NIST SP800-90A HASH_DRBG as well as NIST SP800-90B compliant entropy generation.
Potential Integration with FIDO2 Applications and Libraries
FIDO2 is the latest authentication standard that enables passwordless and strong two-factor authentication through the Web Authentication (WebAuthn) API and Client-to-Authenticator Protocol (CTAP). With there already being FIDO2 applications on the market wolfSSL can easily be implemented directly or automatically with the compatibility layer or engine/provider OpenSSL replacement. For instance Yubico’s libfido2 library which uses OpenSSL could be ported to use wolfCrypt instead.
A wolfSSL employee has also been working on a project that uses 2FA with wolfCrypt on a Raspberry Pi Pico called Fidelio.
FIPS 140-3 and FIDO2
Organizations requiring both FIDO2 and FIPS 140-3 compliance can leverage wolfCrypt’s FIPS 140-3 validated module, which provides CAVP and FIPS validated implementations of essential FIDO algorithms. This dual compliance ensures solutions meet both authentication standards and regulatory requirements.
Looking Forward
Contact us at facts@wolfSSL.com or +1 425 245 8247 for question about comprehensive support for integrating wolfCrypt into your FIDO2 applications, including:
- Technical consultation for implementation
- Documentation and example code
- Integration with hardware security modules
- Optimization for embedded systems
- Custom builds for specific platforms
Resources
[1] “FIDO Authenticator Allowed Cryptography List,” FIDO Alliance, 2023.
Download wolfSSL Now