What is FIDO2?

FIDO2 consists of two protocols: Web Authentication (WebAuthn) and Client to Authenticator Protocol 2 (CTAP2). Working together, these protocols enable users to log in to a website or application without the use of traditional passwords.

Instead of passwords, FIDO2 authentication uses the same methods that people use to unlock a device such as a smartphone or laptop computer. FIDO2 users can authenticate with facial recognition, a fingerprint reader or by entering a PIN. They can also use a physical hardware token known as a FIDO2 security key.

Because FIDO2 is based on public key cryptography, it provides a more secure authentication method than passwords, which attackers often target. The IBM® X-Force® Threat Intelligence Index reports that nearly a third of cyberattacks involve the hijacking of valid user accounts.

By eliminating passwords, FIDO2 mitigates many cybersecurity threats such as phishing, man-in-the-middle attacks and account hijacking. It also provides a more convenient user experience because there is no need to remember passwords, regularly change passwords or deal with reset and recovery processes.

FIDO2 authentication uses public key cryptography to generate a unique cryptographic key pair, called a “passkey,” associated with a user’s account. The key pair consists of a public key that stays with the service provider and a private key that resides on the user’s device.

When the user logs in to their account, the service provider sends a challenge—typically a random string of characters—to the user’s device. The device prompts the user to authenticate themselves by entering a PIN or by using biometric authentication.

If the user successfully authenticates, the device uses the private key to sign the challenge and send it back to the service provider. The service provider uses the public key to verify that the right private key was used and grants the user access to their account.

A passkey stored on one device can be used to log in to a service on another device. For example, if a user sets up a passkey for their email account on their mobile device, they can still log in to their email account on a laptop. The user would complete the authentication challenge on the registered mobile device.

FIDO2 also supports the use of security keys, such as a YubiKey or Google Titan, as an authentication method.

Security keys, also called “hardware tokens,” are small physical devices that transmit authentication information directly to a service. They can connect through Bluetooth, near-field communication (NFC) protocols, or a USB port. Users can use a FIDO2 security key instead of biometric data or a PIN to authenticate themselves and sign a challenge.

Because the private key is stored on—and never leaves—the user’s device, the possibility of a security breach is minimized. Hackers cannot steal it by breaking into a database or intercepting communications. The public key that resides with the service provider contains no sensitive information and is of little use to hackers.

Say that a user wants to use FIDO authentication to log in to their email account. The process for creating a passkey and authenticating with it would look like this:

1. In the account settings, the user selects “passkey” as an authentication method.
   
   
2. The user selects the device on which they want to create the passkey. This device is typically the device that they are currently using, but it can also be a different device that they own.
   
   
3. The selected device asks the user to authenticate by using biometrics, a PIN. or a security key.
   
   
4. The user’s device creates a cryptographic key pair. The public key is sent to the email provider, and the private key is stored on the device.
   
   
5. The next time the user logs in, the email provider sends a challenge to the user’s device.
   
   
6. The user answers the challenge by authenticating with biometrics, a PIN or a security key.
   
   
7. The device returns the authenticated challenge to the email provider, which uses the public key to verify it.
   
   
8. The user is granted access to the email account.

FIDO2 supports two types of passkeys: synced passkeys and device-bound passkeys.

Synced passkeys can be used across multiple devices, making them more convenient. Credential managers such as Apple Passwords, Windows Hello and Google Password Manager can store synced passkeys and make them available to users on any device.

For example, a user might register for a passkey on a smartphone to access a banking application. That same passkey will be available through the credential manager when the user logs in to the banking application with their laptop or tablet device.

This type of passkey is bound to a single device, offering the highest level of security.

Device-bound passkeys are typically accessed with a physical security key connected to one particular device. The passkey cannot leave the device, so it is less vulnerable to unauthorized access.

Device-bound passkeys are often used to access highly sensitive information such as financial data, corporate intellectual property or confidential government materials.

In 2013, a group of technology companies formed the FIDO Alliance. The organization’s goal was to reduce the world’s reliance on password-based authentication.

A year later, the alliance introduced the FIDO 1.0 standard, which consisted of two protocols: Universal Authentication Framework (UAF) and Universal Second Factor (U2F). The new standard laid the groundwork for passwordless authentication, but it was limited in scope.

For example, FIDO 1.0 was primarily focused on providing a second factor for password-based authentication instead of eliminating passwords entirely. It also lacked standardization that would enable it to be easily adopted across different platforms, applications and web browsers.

The FIDO Alliance addressed these limitations when it released the two new protocols of FIDO2—Client to Authenticator Protocol 2 (CTAP2) and Web Authentication (WebAuthn)—in 2018.

CTAP2 provides a single-factor passwordless authentication experience. WebAuthn simplifies FIDO adoption with a standardized browser-based application programming interface (API). This expanded functionality has helped FIDO2 become a widely adopted authentication standard for websites, applications and online services.

Today, millions of people use FIDO2 authentication to log in to websites and apps. The FIDO2 standard is supported by most user devices, web browsers, single sign-on (SSO) systems, identity and access management (IAM) solutions, web servers and operating systems, including iOS, macOS, Android and Windows.

2013: The FIDO Alliance is founded with the goal of reducing reliance on password-based authentication.

2014:  FIDO 1.0 is released.

2015: FIDO standards begin to be recognized around the world. The FIDO Alliance expands to more than 250 members, including companies such as Microsoft, Google, PayPal and Bank of America.

2016: The FIDO Alliance begins work on FIDO2. The group collaborates with the influential World Wide Web Consortium to help ensure the new standard is supported across different web browsers and platforms.

2018: FIDO2 is released and expands upon the capabilities of FIDO 1.0.

2020: FIDO2 is supported and implemented across major web browsers and operating systems, including Firefox, Chrome, Edge, Safari, Android, iOS and Windows.

2024: The FIDO Alliance announces that more than 15 billion user accounts around the world are able to use FIDO2 authentication.

While FIDO 1.0 and FIDO2 both enable passwordless authentication, FIDO2 significantly extends the reach and capabilities of the FIDO standard with fully passwordless strong authentication through mobile devices, desktops or security keys.

FIDO2 provides a more user friendly login experience by eliminating the need to enter passwords as a first factor in multifactor authentication (MFA). It also provides a standardized, web-based API for easy adoption.

For the clearest picture of the difference between FIDO 1.0 and FIDO2, it helps to look at the specific protocols behind each iteration of the standard. 

FIDO UAF was among the first protocols developed by the FIDO Alliance. It provides the capability to log in to a service without using a password. Instead of a password, a user can authenticate directly from a device by using biometric data such as voice or facial recognition, or a PIN.

However, UAF’s lack of standardization made it difficult to integrate and implement across various web browsers, applications and servers. This limited interoperability was a roadblock to its widespread adoption.

FIDO U2F was developed to provide two-factor authentication (2FA) for systems that rely on usernames and passwords. 2FA requires a second factor for users to confirm their identities. U2F uses a physical security key as the second factor for authorization. After the release of FIDO2, U2F was renamed “CTAP1.”

U2F’s reliance on physical security keys instead of a broader range of devices, such as smartphones and laptops, was a limiting factor for its adoption.

WebAuthn extends the capabilities of UAF by providing a web API that makes passwordless authentication easily available to relying parties. “Relying parties” is the term for websites and web apps that use FIDO authentication.

WebAuthn also provides FIDO standards that define how interactions should flow between the web application, the web browser and an authenticator such as biometric data or a security key.

CTAP2 defines how a FIDO client such as a web browser or operating system communicates with an authenticator. An authenticator is the component that verifies a user’s identity. In U2F (or CTAP1), the authenticator was always a security key. CTAP2 adds additional authenticators that reside on a user’s device, such as biometric voice and facial recognition, fingerprints or a PIN.