What is FIDO2? FIDO2 Web Authentication Explained | StrongDM (2024)

Summary: In this article, we will take a big-picture look at FIDO2 and how it applies to passwordless authentication. You’ll learn about the origins of FIDO2, its advantages and disadvantages, the differences between FIDO2, FIDO, and WebAuthn, and how UAF and U2F differ. By the end of this article, you’ll have a clear understanding of how FIDO2 works, what problems it solves, whether you need FIDO2 certification, and what that certification entails.

What Is FIDO2?

FIDO2 is the newest set of specifications from the FIDO Alliance. It enables the use of common devices to authenticate to online services on both mobile and desktop environments, using unique cryptographic login credentials for every site. Essentially, FIDO2 is passwordless authentication.

Also spelled as “FIDO 2,” FIDO2 is an overarching term for the FIDO Alliance specifications. These are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s Client-to-Authenticator Protocol (CTAP).

FIDO2 provides a passwordless way to authenticate users and addresses security, convenience, privacy, and scalability issues that passwords do not. Online services can be accessed through a standard web API, which can be built into web platform infrastructure.

History of FIDO2

The FIDO (Fast IDentity Online) Alliance was founded in 2012 by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnito to find a way to create a passwordless authentication protocol. Google, Yubico, and NXP joined the alliance in 2013. In 2014, PayPal and Samsung collaborated to launch the first FIDO authentication protocol for the Samsung Galaxy S5, allowing users to log in and shop with a finger swipe and pay with PayPal. In December 2014, the first full FIDO passwordless protocol was released.

In February 2016, W3C took the FIDO 2.0 web APIs submitted by the FIDO Alliance and launched a new standards effort. The goal behind this effort was for the FIDO Alliance to work with the W3C to standardize FIDO authentication across browsers and web platform infrastructure. FIDO2 officially launched in April 2018, and it was implemented in Google Chrome, Mozilla Firefox, and Microsoft Edge. In 2020, Safari on iOS, macOS Big Sur, and iPadOS 14 expanded support for FIDO2.

In the past year, spending on multi-factor authentication (MFA) has risen. More modern authentication standards, such as FIDO2, and the realization that phishing attacks and stolen credentials are at fault for a lot of security breaches, have led 74 percent of organizations to plan for increased investment in the technology. In particular, FIDO2 and passwordless authentication are gaining steam as ways to address gaps in MFA strategies, as 61 percent of surveyed organizations have either deployed or plan to deploy them.

Advantages of FIDO2

There are a lot of advantages to FIDO2, primarily around security, convenience, privacy, and scalability. FIDO2 does not store credentials on a server and uses unique cryptographic login credentials, which helps reduce the likelihood of phishing, password theft, and replay attacks. Cybercrime has dramatically risen; 791,790 complaints were filed in 2020, an increase of over 300,000 from the previous year. Reported losses were over $4.2 billion. FIDO2 authentication could help stem the tide of attacks.

Additionally, it’s convenient for users because they leverage fingerprint readers or cameras on their mobile devices or simple FIDO2 security keys to log in. Because the keys are unique for every website, users can’t be tracked across sites.

In fact, it’s fairly straightforward to use a FIDO2 security key on a mobile device. Apple and other major device manufacturers have invested heavily in FIDO2, so implementing multi-factor authentication with a mobile device can be done without changing the device itself. Organizations that need to enforce strict authentication standards, such as using only NIST-certified FIDO2 devices, can use FIDO2 Attestation to ensure the device is approved for MFA before allowing it.

Additionally, websites use a JavaScript API call to enable FIDO2. Most major browsers and platforms support it, making it easy to scale with passwordless authentication across websites.

Disadvantages of FIDO2

FIDO2 does have one big drawback, mainly around convenience. Users are required to undergo an additional security step instead of quickly typing in their password (or having it automatically filled in by a browser). While this step enhances security, it can also make logging into multiple FIDO2-enabled websites throughout the day cumbersome.

Another consideration is that, while FIDO2 is supported by major browsers and platforms, it still is not widely supported. There aren’t many FIDO2-supported websites deployed, although that is predicted to grow as FIDO2 gains traction.

How Does FIDO2 Work?

FIDO2 passwordless authentication uses public-key cryptography for security and convenience. A private key and a matching public key are used to validate who the user is. To take advantage of FIDO2, a user signs up at a FIDO2-supported site and chooses an authenticator, such as an external FIDO2 security key or the platform authenticator built into their device. During registration a FIDO2 authentication key pair is generated, and the user’s device sends the public key to the service. The private key is stored on the user’s device and never leaves it.

Then, when the user is ready to log in to a FIDO2 service, they follow a few steps. They provide their username and email, and the service gives them a cryptographic challenge. The FIDO2 key is used to sign the challenge, the service verifies the signature with the public key it stored at registration, and the user is granted access. No secrets are exchanged with servers; the FIDO2 private key is always on the user’s device.

FIDO2 vs FIDO vs WebAuthn

While they sound alike, FIDO2 differs from its predecessor, FIDO. It also differs from WebAuthn.

FIDO2 vs FIDO

FIDO is an overarching term that typically refers to the FIDO Alliance or all FIDO standards. FIDO2 is the most recent FIDO Alliance standard, which allows for passwordless authentication for both mobile and desktop applications through mobile devices.

FIDO2 vs WebAuthn

FIDO2 and WebAuthn are not interchangeable terms. WebAuthn is the main component of FIDO2. This set of standards and APIs lets the browser communicate with the operating system and handle the cryptographic keys. WebAuthn falls under the FIDO2 standards, but it was developed by the W3C.

U2F and UAF FIDO Protocols: What’s the Difference?

The original FIDO was created to foster stronger authentication standards for passwords and logins. The first passwordless protocol, called FIDO Universal Authentication Framework (FIDO UAF), and the second, FIDO Universal Second Factor (FIDO U2F), were released at the same time in 2014.

These two protocols are different. FIDO UAF is for online services that want to add multi-factor authentication and passwordless authentication. UAF allows for methods like fingerprint scanning, facial recognition, or entering a PIN for authentication purposes. FIDO U2F is for augmenting password-based authentication with a second factor and initially required a physical key, such as a YubiKey, for verification. Near-field communication (NFC) and Bluetooth Low Energy (BLE) devices can also be used.

FIDO2 is considered the successor to FIDO UAF since it allows for passwordless authentication on top of existing identity verification. In the wake of FIDO2, U2F was relabeled as Client to Authenticator Protocol version 1 (CTAP1).

How to Assess Whether You Need a FIDO2 Certification

The FIDO Alliance has a FIDO certification program that verifies how compliant and secure different services and applications are. There are various levels of certifications to determine how interoperable organizations and their products are with FIDO specifications. There is a specific certification for FIDO2, and a FIDO2 Certified Server can accept any FIDO2 Certified authenticator, even if they’re made by different companies. FIDO certifications include:

· Functional Certification, a comprehensive program

· Authenticator Level 1 (L1), the minimum required for FIDO2 certification

· Authenticator Level 1+

· Authenticator Level 2

· Authenticator Level 3

· Authenticator Level 3+

Organizations do not have to be FIDO Alliance members to get FIDO2 certifications. All organizations that apply for certification have to undergo self-validation, interoperability testing, and certification for their authenticators for at least Level 1 (L1). They also must submit required documents. If an organization wishes to use the FIDO Certified trademark and logo on their product, packaging, or marketing materials, they will also need to execute a Trademark License Agreement. Finally, FIDO authenticator vendors are encouraged to use the FIDO Alliance Metadata Service (MDS) to publish metadata statements for FIDO servers.

FIDO Certifications for Professionals

In addition to product certifications, the FIDO Alliance also has a FIDO Certified Professional program. It evaluates how well a candidate can deploy FIDO authentication solutions, analyze business requirements, design and implement technical requirements, validate business and technical requirements for implementation, and educate others about authentication.

This certification is not specific to FIDO2 but assesses someone’s overarching knowledge of FIDO standards. Technology architects, security professionals, identity and access management professionals, and systems and operations engineers are all good candidates for the FIDO Certified Professional program.


FIDO2 has become a standard adopted by major device manufacturers and web platforms alike with ease of use, privacy, and security as its main advantages. It allows for passwordless authentication without cryptography keys being stored on a server, making it much more difficult to compromise credentials.

The FIDO Alliance has been working on standards since 2012. With this newest iteration, users can leverage their mobile devices to authenticate instead of needing a hardware key.

Using FIDO2 can help improve access management. It will be even more convenient for passwordless authentication as it becomes more widely adopted.

Ready to take control of access? Try StrongDM for free for 14 days.

Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.
