
Design and Implementation of Fingerprint Authentication Using the FIDO Protocol

This article introduces the design principles and core technologies of fingerprint authentication, explains the FIDO protocol’s security model, describes the server‑client architecture—including REE and TEE environments—and discusses how these components combine to deliver a privacy‑preserving, user‑friendly mobile authentication solution.

JD Tech Talk

With the rapid development of smartphones, mobile payment has become a mainstream payment method, and fingerprint authentication, a one‑touch verification technique, has been widely adopted for it; ensuring its security is a critical technical challenge.

Biometric authentication methods such as fingerprint, face, and iris recognition are increasingly mature and are replacing traditional password‑based login, offering higher security and a better user experience. They also raise privacy concerns: unlike a password, a biometric cannot be changed once it leaks, so biometric data must not be stored centrally.

The FIDO protocol provides an open standard built on asymmetric cryptography. A private key is generated and kept on the user's mobile device and can only be used after the biometric has been verified locally; the matching public key is registered with the server, which later verifies signatures over challenges it has issued. This removes the reliance on passwords and ensures that biometric information never leaves the device; because a separate key pair is generated for each relying party, a user's registrations at different services cannot be correlated either.

Basic principle of fingerprint authentication

The overall architecture has a server side, made up of a Web Server, a FIDO Server, and a FIDO Metadata Server, and a client side, made up of a Fingerprint SDK, an ASM (Authenticator Specific Module), and the authenticator hardware. The Web Server receives client requests, forwards them to the FIDO Server, and returns its results; the FIDO Server implements the protocol logic, stores the registration data (public keys, KeyIDs and authenticator identifiers) and, during registration, consults the Metadata Server; the Metadata Server validates the authenticator model and its attestation certificate against the published FIDO metadata.

On the client, the Fingerprint SDK offers a unified API to applications; the ASM bridges the SDK and the various authenticators, handling message exchange and local storage; and the authenticator hardware performs the biometric verification and generates the cryptographic material used in the FIDO flow: a per‑relying‑party key pair, its KeyID, and a KeyHandle that wraps the private key so it is only ever usable inside the authenticator.

Mobile clients run two execution environments: the Rich Execution Environment (REE), where the app, the Fingerprint SDK and the ASM run, and the Trusted Execution Environment (TEE), where the authenticator runs as a trusted application. The TEE isolates the cryptographic operations, provides secure key management, a trusted UI, and other security APIs, so that the private keys and the fingerprint matching stay out of reach of the REE even if the normal OS is compromised.

In practice, most smartphone manufacturers ship a built‑in fingerprint authenticator; developers only need to integrate the Fingerprint SDK and ASM, which communicate with the TEE‑based authenticator TA (trusted application), bind the fingerprint to a key pair generated by KeyMaster, and expose a simple API for application integration. The binding is the security‑critical step: the key must be usable only after a fresh fingerprint match inside the TEE, otherwise a compromised REE could sign server challenges without the user.

In conclusion, combining the FIDO protocol, a well‑designed server‑client architecture, and secure execution environments such as TEE enables the creation of a fingerprint authentication product that safeguards user accounts while delivering a seamless user experience.

Tags: Mobile Security, TEE, fingerprint authentication, authentication architecture, biometric privacy, FIDO
Written by

JD Tech Talk

Official JD Tech public account delivering best practices and technology innovation.
