FIDO2

Intermediate -- assumes familiarity with basic IAM concepts

An open authentication standard by the FIDO Alliance that enables passwordless authentication using public-key cryptography, comprising the WebAuthn web API and CTAP2 client-to-authenticator protocol.

What is FIDO2?

FIDO2 is an open authentication standard developed by the FIDO Alliance and the W3C that enables passwordless, phishing-resistant authentication using public-key cryptography. FIDO2 comprises two components: the W3C Web Authentication API (WebAuthn), which allows web applications to create and use public-key credentials through the browser, and the FIDO Alliance's Client to Authenticator Protocol (CTAP2), which enables communication between browsers or operating systems and external authenticators like hardware security keys.

FIDO2 fundamentally changes the authentication model by eliminating shared secrets. Instead of transmitting a password to a server, the user's authenticator device generates a unique key pair for each service. The private key never leaves the device, and authentication is performed by signing a server-issued challenge. This architecture makes FIDO2 credentials immune to phishing, server-side breaches, and credential replay attacks: the server stores only public keys, which are of no use to an attacker who steals them, and each signature covers a fresh challenge, so a captured response cannot be reused.

FIDO2 is supported in all major browsers (Chrome, Firefox, Safari, Edge) and operating systems (Windows, macOS, iOS, Android). It forms the technical foundation for Passkeys, which extend FIDO2 with credential synchronization across devices. For organizations seeking the highest authentication assurance, FIDO2 with hardware-bound credentials (security keys) meets NIST AAL3 requirements.

How FIDO2 Works

FIDO2 authentication involves two ceremonies -- registration and authentication:

Registration:
  • User initiates registration -- The user requests to register a FIDO2 credential with a website (the relying party).
  • Server sends challenge -- The relying party generates a random challenge and sends it to the browser along with relying party information and user details.
  • Browser calls WebAuthn API -- The browser invokes navigator.credentials.create(), passing the challenge to the authenticator.
  • Authenticator creates key pair -- The authenticator (security key, platform biometric, or mobile device) generates a public-private key pair unique to this relying party. The user authorizes creation with a gesture (touch, PIN, or biometric).
  • Public key sent to server -- The authenticator returns the public key, credential ID, and attestation data to the server, which stores them.

Authentication:
  • Server sends challenge -- The relying party generates a new random challenge.
  • Browser calls WebAuthn API -- The browser invokes navigator.credentials.get().
  • User verifies -- The authenticator prompts the user for a gesture (touch, PIN, or biometric).
  • Authenticator signs challenge -- Using the private key for this relying party, the authenticator signs the challenge.
  • Server verifies signature -- The server verifies the signature against the stored public key. If valid, the user is authenticated.

Because the credential is cryptographically bound to the relying party's origin (domain), a phishing site on a different domain cannot trigger the correct credential.
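The two ceremonies above, worked through as an added example (this is not code from the original page, nor from any FIDO Alliance or W3C implementation): a relying-party verifier in Go, with a simulated authenticator standing in for a security key so the whole exchange runs offline. Everything specific is constructed for illustration: the RP ID example.com, the origin https://example.com, the challenge strings, and the look-alike origin used to show the origin check. Attestation at registration and credential-ID bookkeeping are left out; the authentication side performs the checks the ceremony describes: challenge, origin, rpIdHash, user-presence flag, signature counter, and the ECDSA signature over authenticatorData || SHA-256(clientDataJSON).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Relying party identity; both values are constructed for this example.
const rpID = "example.com"
const expectedOrigin = "https://example.com"

// StoredCredential is what the RP keeps after registration (credential ID and attestation omitted).
type StoredCredential struct {
	PublicKey *ecdsa.PublicKey
	SignCount uint32 // highest signature counter seen so far
}

// clientData holds the CollectedClientData fields the relying party checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser hands back from navigator.credentials.get().
type Assertion struct {
	AuthenticatorData []byte
	ClientDataJSON    []byte
	Signature         []byte
}

// Register creates a P-256 key pair; the private key stays with the authenticator, only the public half goes to the RP.
func Register() (*ecdsa.PrivateKey, StoredCredential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, StoredCredential{}, err
	}
	return priv, StoredCredential{PublicKey: &priv.PublicKey}, nil
}

// signedMessage is the digest that is signed: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign is the authenticator's half (a stand-in for a CTAP2 device); the browser supplies the origin it runs on and the RP ID derived from it.
func Sign(priv *ecdsa.PrivateKey, signCount uint32, challenge, origin, browserRPID string) (Assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}) // plain strings: cannot fail
	// authenticatorData layout: rpIdHash (32) | flags (1; bit 0 = user present) | signCount (4, big-endian)
	rpHash := sha256.Sum256([]byte(browserRPID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], signCount)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// VerifyAssertion performs the relying party's checks; on success it advances the stored counter.
func VerifyAssertion(cred *StoredCredential, expectedChallenge string, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return errors.New("wrong ceremony type or challenge: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin { // origin binding: any other origin is rejected
		return errors.New("origin mismatch: " + cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 37 || string(a.AuthenticatorData[:32]) != string(rpHash[:]) || a.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("authenticator data malformed, rpIdHash mismatch, or user presence not set")
	}
	count := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if (count != 0 || cred.SignCount != 0) && count <= cred.SignCount { // non-increasing counter: clone or replay
		return errors.New("signature counter did not increase")
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, signedMessage(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify against the stored public key")
	}
	cred.SignCount = count
	return nil
}

func main() {
	priv, cred, _ := Register()
	a, _ := Sign(priv, 1, "constructed-challenge-1", expectedOrigin, rpID)
	p, _ := Sign(priv, 2, "constructed-challenge-2", "https://example-login.test", "example-login.test") // look-alike origin (constructed)
	fmt.Println("genuine login:", VerifyAssertion(&cred, "constructed-challenge-1", a))
	fmt.Println("other origin:", VerifyAssertion(&cred, "constructed-challenge-2", p))
}
```

Run with go run: the first verification reports no error, while the second, whose client data was collected on a different origin, is rejected before the signature is even examined; that rejection is the mechanical form of the origin binding described above, and the same key would also fail the rpIdHash check. Production relying parties additionally verify attestation at registration, store the credential ID so the right public key can be looked up, and check the user-verified flag (bit 2 of the flags byte) when policy requires a PIN or biometric rather than a touch.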

FIDO2 in Practice

Hardware security keys are the most common enterprise FIDO2 deployment. YubiKeys, Google Titan Keys, and Feitian keys support FIDO2 and connect via USB, NFC, or Bluetooth. Organizations like Google, Microsoft, and Cloudflare have mandated FIDO2 security keys for employee authentication, effectively eliminating phishing-based account compromise.

Platform authenticators bring FIDO2 to devices without external hardware. Windows Hello uses the device's TPM chip, Apple uses Touch ID/Face ID with the Secure Enclave, and Android uses the device's biometric sensors. These platform authenticators enable FIDO2 authentication using built-in hardware.

Passkeys represent the evolution of FIDO2 for consumer use. By allowing FIDO2 credentials to sync across devices through cloud services, passkeys remove the single-device limitation of hardware keys while retaining the core security properties of public-key cryptography. Identity platforms including Okta, Auth0, and Duo now support FIDO2 for both security key and passkey authentication as part of their MFA and SSO offerings.

Common Misconceptions

"FIDO2 requires buying hardware security keys for every user." Platform authenticators (Windows Hello, Touch ID, Android biometrics) provide FIDO2 authentication without additional hardware. Passkeys further expand FIDO2 to any device with biometric capabilities, making dedicated security keys optional for most use cases.

"FIDO2 only works for web applications." While WebAuthn is the web API component, CTAP2 enables FIDO2 authentication in native applications and operating system login flows. Mobile apps can use platform APIs to leverage FIDO2 credentials, and desktop operating systems support FIDO2 for system login.

"If I lose my FIDO2 security key, I'm permanently locked out." Organizations should always configure backup authentication methods -- a second registered security key, recovery codes, or passkeys synced to a cloud account. Passkeys specifically address this concern by enabling credential recovery through cloud backup.

Key Standards & RFCs

  • W3C Web Authentication (WebAuthn) Level 2 -- The W3C standard defining the browser API for creating and using public-key credentials.
  • FIDO CTAP 2.1/2.2 -- Client to Authenticator Protocol specifying communication between clients and external authenticators, including hybrid transport for cross-device authentication.
  • FIDO Metadata Service (MDS) -- A FIDO Alliance service providing authenticator metadata (certification level, capabilities) for relying parties to make trust decisions.
  • NIST SP 800-63B -- Classifies hardware-bound FIDO2 authenticators at AAL3 (highest assurance) and synced passkeys at AAL2.
  • FIDO Alliance Server Requirements -- Specifications for relying party servers implementing FIDO2 authentication.

Frequently Asked Questions

What is FIDO2?

FIDO2 is an open authentication standard that enables passwordless, phishing-resistant login using public-key cryptography, consisting of the WebAuthn browser API and CTAP2 authenticator protocol.

How does FIDO2 work?

During registration, the authenticator creates a unique key pair for each website. During login, the user provides a gesture (biometric or touch), and the authenticator signs a server challenge with the private key. The server verifies the signature with the public key.

What is FIDO2 used for?

FIDO2 is used for passwordless authentication, phishing-resistant MFA, enterprise security key deployments, and as the foundation for Passkeys on consumer platforms.

What are the benefits of FIDO2?

FIDO2 eliminates passwords and shared secrets, is immune to phishing and credential stuffing, provides cryptographic proof of authentication, and works across all major browsers and operating systems.

FIDO2 vs Passkeys?

FIDO2 is the underlying standard. Passkeys are a specific implementation of FIDO2 that adds credential synchronization across devices through cloud services. Traditional FIDO2 credentials are hardware-bound (single device); passkeys are synced and recoverable.

FIDO2 vs WebAuthn?

WebAuthn is not a separate standard competing with FIDO2; it is one of FIDO2's two components. WebAuthn is the W3C browser API (navigator.credentials.create() and navigator.credentials.get()) through which a web application creates and uses public-key credentials, while CTAP2 is the FIDO Alliance protocol that carries those requests from the browser or operating system to an external authenticator. FIDO2 is the umbrella term for both.

Related Books

FIDO2 and WebAuthn: Passwordless Authentication -- David Turner, Christiaan Brand (rating 4.2)

A comprehensive developer guide to implementing FIDO2 and WebAuthn passwordless authentication. Covers the FIDO2 protocol, WebAuthn API, platform authenticators, roaming authenticators, passkeys, and practical implementation patterns.

NIST SP 800-63 Digital Identity Guidelines -- Paul Grassi, James Fenton, Elaine Newton, Ray Perlner, Andrew Regenscheid (rating 4.7)

The NIST SP 800-63 Digital Identity Guidelines provide technical requirements for federal agencies implementing digital identity services. Revision 4 covers identity proofing (800-63A), authentication and lifecycle management (800-63B), and federation and assertions (800-63C). It defines Identity Assurance Levels (IAL), Authenticator Assurance Levels (AAL), and Federation Assurance Levels (FAL).

Solving Identity Management in Modern Applications -- Yvonne Wilson, Abhishek Hingnikar (rating 4.6)

This book provides a practical guide to identity management for modern applications. It covers the fundamentals of authentication, authorization, OAuth 2.0, OpenID Connect, and SAML 2.0, explaining when and how to use each. The second edition includes updated coverage of passwordless authentication, passkeys, and decentralized identity.
