W3C | Submissions

Submission Request to W3C: FIDO 2.0 Platform Specifications 1.0

Submitted Materials

We, W3C Members Microsoft, Google, PayPal and NokNok Labs submit to the Consortium the following specification, comprising the following document(s) attached hereto:

  1. FIDO 2.0 Web APIs
  2. FIDO 2.0 Attestations
  3. FIDO 2.0 Signature

which collectively are referred to as "the Submission". We request the Submission be known as the FIDO 2.0 Submission.


FIDO 2.0 builds on the FIDO Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) protocols and addresses both sets of use cases while emphasizing platform support.

Intellectual Property Statements

The below statements concerning Copyrights, Trade and Service Marks, and Patents, have been made by the following people on behalf of themselves and their affiliated organizations:


Each organization, respectively, hereby grants to the W3C a perpetual, nonexclusive, royalty-free, world-wide right and license under any its copyrights on this contribution, to copy, publish and distribute the contribution under the W3C document licenses.

Additionally, should the Submission be used as a contribution towards a W3C Activity, each organization grants a right and license of the same scope to any derivative works prepared by the W3C and based on, or incorporating all or part of, the contribution. Each organization further agrees that any derivative works of this contribution prepared by the W3C shall be solely owned by the W3C.


Each organization, respectively, agrees to offer licenses according to the W3C Royalty-Free licensing requirements described in section 5 of the 5 February 2004 W3C Patent Policy for any portion of the Submission that is subsequently incorporated in a W3C Recommendation.

Suggested action

The goal of FIDO 2.0 is to define client APis on the web platform enabling relying parties to build simple to use, unphishably secure authentication. The goal is to move the world beyond dependence on phishable authentication methods such as passwords.

Rather than relying on a password or a one time code, the user is authenticated with cryptographic keys which are either created on their client device (such as a computer or a mobile phone) or an external authenticator device (such as a special purpose fob or a mobile phone) which talks to their client device.

The FIDO 2.0 web API defines the inputs and resulting cryptographic messages for the web platform. Underlying browser implementations can then be built to talk to built-in and external authenticator devices to create these cryptographic messages.

The core user experiences supported by the web API include:

Thus, we suggest that the Consortium proceeds with establishing a Working Group which will, using this Submission .create Recommendation-track specifications attaining the goals outline above.


To help with this work we expect, but do not commit, to be able to provide representatives to participate in the working group.


Inquiries from the public or press about this Submission should be directed to: public-web-security@w3.org


This 12th of November, 2015,