Figure 4 – FIDO Registration of new keys











































            1.  Initiate registration with Relying Party         a registration response: device model number +
            2.  FIDO Server sends registration challenge and     device attestation signature + user’s public key
               requested registration options                  5.  Validate response and attestation. The device
            3.  Authenticator performs user verification on device   model number (AAGUID) can be used to look up
               to signal the user’s consent to registering with the   metadata about the device, such as the attesta-
               service                                           tion public key, the type of user verification being
            4. Authenticator generates a new key pair for the    performed (e.g. – biometric, PIN), and the securi-
               service and associates the private key with the   ty characteristics of the device (e.g. – how private
               service’s origin. The public key and device model   keys are protected; how biometric templates are
               number are signed over by a device model spe-     protected; third-party security and biometric cer-
               cific (shared across no less than 100,000 devices)   tifications).
               attestation private key. The authenticator sends   6.  The service stores user’s public key for future
                                                                 authentication requests.


















                                             Implementation of Secure Authentication Technologies for Digital Financial Services  17