
FIDO2

FIDO2 is an open authentication standard developed by the FIDO Alliance. It enables passwordless login using cryptographic keys, biometrics, or physical security keys, and is the successor to the U2F and UAF standards.

What is FIDO2?

FIDO2 Definition

FIDO2 (Fast Identity Online 2) is an open authentication standard developed by the FIDO Alliance in collaboration with the W3C. It enables passwordless, phishing-resistant authentication using public key cryptography, biometrics, or physical security keys.

FIDO2 Components

WebAuthn (Web Authentication API)

W3C standard for browser authentication:

  • JavaScript API for websites
  • Supported by all major browsers
  • Communication with authenticators

CTAP (Client to Authenticator Protocol)

Communication protocol between the client device (browser or operating system) and the authenticator:

  • CTAP1 - backward compatibility with U2F
  • CTAP2 - full FIDO2 functionality

How Does FIDO2 Work?

Registration Process

1. User selects "Register security key"
2. Server sends challenge (random data)
3. Authenticator generates key pair (public + private)
4. Private key stays on device
5. Public key is sent to server
6. Server stores public key for user

Login Process

1. User provides username
2. Server sends challenge
3. Authenticator signs challenge with private key
4. Signature is verified with public key on server
5. User is logged in

Types of Authenticators

Roaming Authenticators (External)

Physical security keys:

Manufacturer   Model       Features
Yubico         YubiKey 5   USB-A/C, NFC, biometrics
Google         Titan       USB-C, NFC, Bluetooth
Feitian        ePass       USB, NFC
SoloKeys       Solo V2     Open source

Platform Authenticators (Built-in)

Authenticators built into the device itself:

  • Windows Hello - biometrics, PIN
  • Touch ID / Face ID - Apple devices
  • Android Biometrics - fingerprint, face
  • Passkeys - synced across devices

Passkeys - Evolution of FIDO2

What Are Passkeys?

Passkeys are a FIDO2 credential implementation that adds synchronization:

  • Stored in cloud (iCloud, Google)
  • Synced between user’s devices
  • Backup and recovery
  • Full FIDO2 compatibility

Passkeys vs Traditional FIDO2 Keys

Aspect            FIDO2 Keys          Passkeys
Storage           Physical device     Cloud + device
Synchronization   None                Automatic
Backup            None (by design)    Yes
Portability       Requires key        Any device
Security          Very high           High

FIDO2 Security

Attack Resistance

Phishing:

  • Origin binding - the key only works on the domain it was registered for
  • A phishing site on another origin receives nothing it can reuse as a credential

Man-in-the-Middle:

  • Cryptographic verification of the server: the origin and relying-party ID are bound into the signed response
  • Challenge-response with a fresh random challenge per login prevents replay

Credential Stuffing:

  • Unique keys for each service
  • No shared secrets

Brute Force:

  • Cryptographic keys (not passwords)
  • Attempt limits - the authenticator locks after repeated failed PIN or biometric attempts

Security Model

  • The private key never leaves the authenticator
  • The server stores only the public key
  • Even if the server database is breached, the stolen public keys cannot be used to log in

FIDO2 vs Other Methods

FIDO2 vs Passwords

Aspect        Passwords        FIDO2
Phishing      Vulnerable       Resistant
Reuse         Common problem   Impossible
Brute force   Possible         Impossible
Convenience   Poor             Very good
Breaches      High risk        No risk

FIDO2 vs SMS/TOTP

Aspect        SMS/TOTP                 FIDO2
Phishing      Vulnerable (real-time)   Resistant
SIM swap      Vulnerable (SMS)         Resistant
Convenience   Medium                   Good
Costs         SMS has costs            One-time purchase

FIDO2 Implementation

Browser Support

  • Chrome 67+
  • Firefox 60+
  • Safari 13+
  • Edge 18+

Platforms

  • Windows 10/11 (Windows Hello)
  • macOS Big Sur+ (Touch ID)
  • iOS 14+ / Android 7+

Implementation Example (JavaScript)

Registration:

const credential = await navigator.credentials.create({
    publicKey: {
        challenge: serverChallenge,           // Uint8Array issued by the server, fresh per attempt
        rp: { name: "Example Corp" },         // rp.id defaults to the page's effective domain
        user: {
            id: userId,                       // Uint8Array, an opaque user handle (not the e-mail)
            name: "user@example.com",
            displayName: "User"
        },
        pubKeyCredParams: [
            { type: "public-key", alg: -7 },  // ES256
            { type: "public-key", alg: -257 } // RS256
        ],
        authenticatorSelection: {
            userVerification: "preferred"
        }
    }
});
// Send credential.rawId, credential.response.attestationObject and
// credential.response.clientDataJSON to the server, which stores the public key.

Login:

const assertion = await navigator.credentials.get({
    publicKey: {
        challenge: serverChallenge,   // fresh challenge from the server for this login
        allowCredentials: [{
            type: "public-key",
            id: credentialId          // Uint8Array: the rawId returned at registration
        }]
    }
});
// Send assertion.response.authenticatorData, clientDataJSON and signature to the server for verification.

Use Cases

Enterprise

  • Workstation login
  • VPN and remote access
  • Internal applications
  • Regulatory compliance (PCI DSS, HIPAA)

Consumer

  • Service login (Google, Microsoft, GitHub)
  • Online banking
  • E-commerce
  • Social media

High Security

  • Critical infrastructure
  • Financial systems
  • Government administration
  • Healthcare

Challenges and Limitations

Challenges

  • Adoption - requires service support
  • Recovery - what if you lose your key?
  • Cost - physical keys have cost
  • Education - users accustomed to passwords

Solutions

  1. Backup authenticator - a second, spare key registered in advance
  2. Recovery codes - one-time codes
  3. Passkeys - cloud synchronization
  4. Gradual deployment - MFA before passwordless

Future of Authentication

  • Passkeys as default method
  • Password elimination
  • Biometrics + FIDO2
  • Integration with identity providers

Standards and Regulations

  • NIST SP 800-63-4 - recommends FIDO2
  • PSD2/SCA - meets strong authentication requirements
  • Zero Trust - FIDO2 as foundation

FIDO2 represents the future of authentication, offering significantly higher security than passwords while improving user convenience.
