FIDO Device Onboard
FIDO Device Onboard (FDO) is a specification for secure, automated onboarding of Internet of Things (IoT) and edge devices to cloud or on‑premises management platforms (device identity and lifecycle management).
- Standardized protocol for automatic device onboarding to cloud or on‑premises services (device onboarding).
- Use of asymmetric cryptography and device-bound credentials to authenticate devices and delivery targets (device security).
- Support for late binding of devices to owners or service providers at installation time (supply-chain and provisioning).
- Model for separation of manufacturing, ownership, and service provisioning entities (device lifecycle management).
- Extensible architecture for integrating multiple relying-party service endpoints and onboarding workflows (integration and orchestration).
More About FIDO Device Onboard
FIDO Device Onboard (FDO) addresses the problem of securely onboarding large numbers of IoT and edge devices to backend services without manual configuration, pre-shared secrets, or site-specific firmware builds (device onboarding). The specification focuses on the period between device manufacturing and operational deployment, where enterprises and service providers need a repeatable method to attach devices to cloud platforms, management systems, or local controllers while maintaining device integrity and provenance (device lifecycle management).
At its core, FIDO Device Onboard (FDO) defines a protocol in which a device is provisioned at manufacturing time with a device credential and metadata describing ownership and allowed transfer steps (device identity). When the device is deployed, it connects to an onboarding service and performs an authenticated protocol exchange that verifies the device and the target service using asymmetric cryptography and signed ownership vouchers (device security). This mechanism supports transfer of ownership through controlled voucher updates, enabling devices to be securely handed off between manufacturers, distributors, solution integrators, and end customers (supply-chain management).
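The voucher hand-off described above, reduced to a signature chain, as an added example that is not taken from the FDO specification or from any FDO implementation. The `Entry` layout, the `Extend` and `Verify` names, the `dev-0001` GUID and the use of Ed25519 are assumptions chosen for brevity; the specification's own voucher encoding and algorithms are not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

type Entry struct { // one hand-off in a simplified voucher (hypothetical layout)
	NextOwner ed25519.PublicKey // party receiving ownership
	Sig       []byte            // signature by the previous holder
}

// digest binds an entry to the device GUID and to the signature of the entry before it.
func digest(guid string, prevSig, next []byte) []byte {
	g := sha256.Sum256([]byte(guid))
	d := sha256.Sum256(append(append(g[:], prevSig...), next...))
	return d[:]
}

// Extend lets the current holder sign the voucher over to next.
func Extend(guid string, chain []Entry, holder ed25519.PrivateKey, next ed25519.PublicKey) []Entry {
	var prev []byte
	if n := len(chain); n > 0 {
		prev = chain[n-1].Sig
	}
	return append(chain, Entry{next, ed25519.Sign(holder, digest(guid, prev, next))})
}

// Verify walks the chain from the manufacturer key; it returns the current owner's key.
func Verify(guid string, mfr ed25519.PublicKey, chain []Entry) (ed25519.PublicKey, error) {
	cur, prev := mfr, []byte(nil)
	for i, e := range chain {
		ok := len(cur) == ed25519.PublicKeySize && len(e.NextOwner) == ed25519.PublicKeySize
		if !ok || !ed25519.Verify(cur, digest(guid, prev, e.NextOwner), e.Sig) {
			return nil, fmt.Errorf("entry %d: not endorsed by previous holder", i)
		}
		cur, prev = e.NextOwner, e.Sig
	}
	return cur, nil
}

func main() { // constructed keys: manufacturer -> integrator -> customer
	mPub, mPriv, _ := ed25519.GenerateKey(nil)
	iPub, iPriv, _ := ed25519.GenerateKey(nil)
	cPub, _, _ := ed25519.GenerateKey(nil)
	chain := Extend("dev-0001", Extend("dev-0001", nil, mPriv, iPub), iPriv, cPub)
	owner, err := Verify("dev-0001", mPub, chain)
	fmt.Println(owner.Equal(cPub), err)
}
```

Changing the GUID, substituting an owner key, or appending an entry signed by a key that is not the current holder each makes `Verify` fail at the offending entry.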
The FDO architecture separates roles such as manufacturer, owner, and service provider, and defines protocol endpoints including device agents, rendezvous services, and owner onboarding services (architecture and protocols). The rendezvous service allows a device to discover the correct owner onboarding service based on data embedded at manufacture or updated later, which supports flexible deployment paths and multi-tenant environments (service discovery). The owner onboarding service, once contacted, completes the provisioning flow by installing configuration, credentials, or references needed to connect the device to its operational backend, such as a cloud IoT hub or edge orchestrator (infrastructure integration).
In enterprise environments, FDO is used to streamline secure rollout of IoT gateways, sensors, industrial controllers, and other networked equipment at remote or distributed sites (enterprise IoT deployment). Instead of preconfiguring each device for a specific customer or site, manufacturers can ship a common hardware and firmware image with FDO support, and integrators or operators bind devices to their chosen services at install time via the FDO protocol (deployment automation). This reduces the need for device-specific onboarding scripts, on-site credential handling, or truck-roll reconfiguration when service endpoints change.
FDO is part of the broader set of work under the FIDO Alliance, which focuses on authentication and security standards for connected systems (security standards). The specification is published with an emphasis on interoperability so that multiple vendors can implement compatible device, rendezvous, and owner onboarding services (interoperability). For enterprises, FDO can be categorized under device identity, provisioning, and lifecycle management, and can interoperate with existing Public Key Infrastructure (PKI), cloud IoT platforms, and management tools through standard interfaces and APIs defined in the specification (enterprise integration).