How a FIDO Authenticator works

When a user registers on a legitimate site our.company.net/workspace, the Authenticator gets the ID 7bc4…2b9cdc. The Authenticator creates in its memory a data set with ID=7bc4…2b9cdc and the chosen user name, and generates a new key pair for it.

When the user needs to authenticate, the Authenticator receives the site ID=7bc4…2b9cdc and looks for a data set with the matching ID. If the set is found, the Authenticator uses its user name and key to authenticate.

More precisely, during registration a new key pair is created inside the Authenticator, and during authentication a random sequence generated by the server is signed with that private key.

In other words, the Authenticator relies on ordinary digital-signature mathematics. The fundamental difference compared to a qualified electronic signature is that a unique key pair is randomly generated for each server, the public key is sent only to that server, and the server, so to speak, “certifies” this public key only for itself.

So, a person monitoring internet access cannot link the same client’s login to two different sites. This is how privacy is protected.

Now consider what happens when a user receives a phishing link. In this case the Authenticator does not find the identifier among the known ones, and creates a new data set. In this way, no credentials are disclosed. That is why FIDO authenticators are called phishing-resistant.
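The registration, login and phishing-link flows described above, as an added example in Go that is not part of the original article. It assumes P-256 ECDSA for the signature and derives the site ID by hashing the host name (the article only shows the abbreviated ID 7bc4…2b9cdc); the look-alike host name `our-company.net` and the second site `other.example` are constructed for the example. For a host whose ID is unknown, this toy authenticator simply fails the lookup and signs nothing, which is the point at which the text notes that no credentials are disclosed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Credential is the per-site record in the authenticator's memory: the chosen
// user name and a key pair that exists for this one site only.
type Credential struct {
	UserName string
	Key      *ecdsa.PrivateKey
}

// Authenticator keeps one credential per site ID.
type Authenticator struct{ store map[string]*Credential }

// SiteID is the identifier credentials are filed under. Deriving it as SHA-256 of
// the host name is an assumption of this example (the page shows only "7bc4…2b9cdc").
func SiteID(host string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(host))) }

// Register creates a fresh key pair for siteID and hands back only the public key;
// the private key never leaves the authenticator.
func (a *Authenticator) Register(siteID, userName string) (*ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.store[siteID] = &Credential{UserName: userName, Key: key}
	return &key.PublicKey, nil
}

// Authenticate looks up the credential for siteID and signs the server's challenge.
// A site ID that was never registered, such as a look-alike host, finds nothing.
func (a *Authenticator) Authenticate(siteID string, challenge []byte) (string, []byte, error) {
	cred, ok := a.store[siteID]
	if !ok {
		return "", nil, errors.New("no credential stored for this site ID")
	}
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, cred.Key, digest[:])
	return cred.UserName, sig, err
}

// NewChallenge is the random sequence the server generates for each login.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify is the server-side check against the public key it stored at registration.
func Verify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo registers and logs in at the legitimate host, tries a login from a look-alike
// host name (constructed for the example), and registers at a second site to show
// that each site receives its own public key.
func Demo() (legitOK, phishFoundCredential, keysDistinct bool, err error) {
	auth := &Authenticator{store: map[string]*Credential{}}
	pub, err := auth.Register(SiteID("our.company.net"), "alice")
	if err != nil {
		return
	}
	challenge, err := NewChallenge()
	if err != nil {
		return
	}
	user, sig, err := auth.Authenticate(SiteID("our.company.net"), challenge)
	if err != nil {
		return
	}
	legitOK = user == "alice" && Verify(pub, challenge, sig)

	// The look-alike host hashes to a different site ID, so the lookup fails and
	// nothing is signed or disclosed.
	_, _, perr := auth.Authenticate(SiteID("our-company.net"), challenge)
	phishFoundCredential = perr == nil

	pub2, err := auth.Register(SiteID("other.example"), "alice")
	if err != nil {
		return
	}
	keysDistinct = !pub.Equal(pub2)
	return
}

func main() {
	ok, phish, distinct, err := Demo()
	fmt.Println("legitimate login verified:", ok, "| look-alike host found a credential:", phish,
		"| per-site keys distinct:", distinct, "| error:", err)
}
```

Because the second site receives a different public key, the two registrations share nothing an observer could correlate, which is the privacy property the text describes; and because the challenge is fresh per login and bound into the signature, a captured signature is useless for any other login.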
