FIDO authentication
Fast IDentity Online (FIDO) authentication is the OneWelcome Identity Platform authentication service that supports FIDO authentication, enabling passwordless authentication experiences across websites and mobile applications.
FIDO and WebAuthn
FIDO is a set of free and open authentication standards developed by the FIDO Alliance together with the World Wide Web Consortium (W3C). FIDO authentication enables password-only logins to be replaced with secure and fast login experiences across websites and apps.
WebAuthn is the W3C specification describing how applications can use FIDO authentication through a web browser interface, or in a native mobile application.
FIDO authenticators
FIDO authentication implements the FIDO standard to allow a mobile application to enroll as a FIDO authenticator and to authenticate a person using either biometrics or a PIN. The protocol is a challenge-response signature protocol: the authenticator signs the challenge with a private key generated in the mobile device's secure key store. The OneWelcome Identity Platform online services store only the corresponding public key, which is used to verify the authentication signature.
The FIDO authenticator authentication service is FIDO® certified, ensuring conformity to the FIDO2 protocols and interoperability with certified FIDO2 and U2F authenticators.

FIDO authenticators support several authentication scenarios:
- Authentication and signature from a mobile application
- Authentication and signature from a web application, without leaving the browser page
- Out-of-band mobile authentication and signature from a web application, with push notifications
Concepts
Relying party
A relying party is an entity operating a service that needs to authenticate its users.
Credential or passkey
Passkey is the user-friendly name for a FIDO credential, the two names are interchangeable. Throughout this developer documentation, we mostly use the term credential, which is the term you find in FIDO WebAuthn specifications and the various APIs. In the application user interface, the term passkey is used instead, to make it clearer for the user that passkeys act as a replacement for passwords.
A FIDO credential (or passkey) is a key pair generated for a specific user to authenticate to a specific relying party. The private key is securely controlled by the user, and is used for signing assertions. The public key is shared with the relying party, and is used to verify assertion signatures.
There are several types of passkeys:
- Synced passkeys are multi-device credentials that are synchronized between the user's devices through a cloud service. This is a convenient way to keep the passkey available on many devices, even when the device that created it is lost or broken. The availability of the passkey depends on the availability of the cloud service.
- Device-bound passkeys are bound to a single device. Users and relying parties have total control of the passkey, whose availability depends only on the availability of the device.
The FIDO authentication service supports both synchronized and device-bound passkeys.
Authenticator
An authenticator is an entity that can generate FIDO credentials, store private keys securely, and sign assertions on demand with the corresponding private key.
There are multiple types of authenticators:
- Platform authenticators are implemented by the operating system on which the application is running. Such authenticators typically provide synchronized passkeys, where device synchronization is handled by a cloud service provided by the operating system vendor (such as Apple iCloud). When available on a platform, such authenticators are usable without any purchase or setup.
- Hardware authenticators, such as USB or NFC keys, are also referred to as roaming authenticators. They are dedicated devices that users or organizations have to purchase and that must be delivered to the user. These authenticators usually support only device-bound passkeys. Users have to carry the authenticator in addition to the device running the application, and must present it each time an authentication is needed.
- Software authenticators target mobile apps, web apps, or both. They have to be installed on the user's device: this adds some friction when the authenticator is a standalone application, but is seamless when the authenticator is embedded into the relying party's mobile application. Depending on the implementation, software authenticators can provide synchronized or device-bound passkeys.
The Thales Protector FIDO SDK provides access to platform authenticators, but also implements its own software authenticators based on the platform biometrics and cryptographic capabilities. The credentials managed by SDK authenticators are device-bound, and offer biometric or PIN user authentication.
Assertion
A data structure signed by an authenticator during user authentication. It is targeted at a specific relying party and is signed with the user's private key. It cannot be reused for another user, nor by another relying party.
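The challenge-response exchange described under FIDO authenticators, and the relying-party binding of an assertion described here, as an added example in Go (not code from OneWelcome or the Thales Protector FIDO SDK): the authenticator side signs authenticatorData together with a hash of the client data using the credential private key, and the relying party, holding only the stored public key, verifies the signature after checking that the challenge is the one it issued, that the origin is expected, and that the rpIdHash binds the assertion to itself. The message layout is simplified from WebAuthn, and the rpId, origin and challenge values used in the test are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// Assertion is a simplified WebAuthn authentication response (illustrative layout, not the SDK's own types).
// AuthData = SHA-256(rpId) || flags || 4-byte counter; ClientDataJSON carries type, challenge and origin.
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }
// signedPayload is the digest both sides compute: SHA-256(authData || SHA-256(clientDataJSON)).
func signedPayload(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return digest[:]
}
// NewCredential creates the user's key pair at registration; a real authenticator keeps it in the secure key store.
func NewCredential() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// Sign plays the authenticator: it answers the relying party's challenge with an ECDSA P-256 signature.
func Sign(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte) (Assertion, error) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x05, 0, 0, 0, 1) // flags 0x05 = user present + user verified; counter = 1
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get",
		"challenge": base64.RawURLEncoding.EncodeToString(challenge), "origin": origin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedPayload(authData, cd))
	return Assertion{authData, cd, sig}, err
}
// Verify plays the relying party, which holds only the public key and the challenge it issued.
func Verify(pub *ecdsa.PublicKey, rpID, origin string, challenge []byte, a Assertion) error {
	var cd struct{ Type, Challenge, Origin string }
	_ = json.Unmarshal(a.ClientDataJSON, &cd) // malformed JSON leaves the fields empty and fails the checks below
	got, _ := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if cd.Type != "webauthn.get" || string(got) != string(challenge) || cd.Origin != origin {
		return errors.New("clientData mismatch: wrong type, stale or replayed challenge, or unexpected origin")
	}
	rpHash := sha256.Sum256([]byte(rpID)) // binds the assertion to this relying party only
	if len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(rpHash[:]) || a.AuthData[32]&0x01 == 0 {
		return errors.New("authenticatorData: rpIdHash mismatch or user presence flag not set")
	}
	if !ecdsa.VerifyASN1(pub, signedPayload(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify under the stored public key")
	}
	return nil
}
```

A production relying party additionally looks up the credential by its id, checks that the signature counter increased, and rejects an assertion signed by a key it never registered for that user.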
Attestation
A signed statement attesting the characteristics of an authenticator, such as the manufacturer, or the way it interacts with the user (for instance with biometrics, PIN, or simple presence).
Additional resources
- API reference: Complete API documentation for FIDO authentication, including mobile, web, and admin APIs.
- Release notes: Latest updates, new features, and changes in FIDO authentication releases.