Home/Glossary/FIDO2

FIDO2

An open authentication standard that enables passwordless and phishing-resistant login using hardware security keys or platform authenticators.

Identity & Access ManagementAlso called: "webauthn", "passwordless authentication", "security keys"

FIDO2 combines WebAuthn (browser API) and CTAP (device protocol) to enable strong, phishing-resistant authentication.

Why FIDO2 matters

  • Phishing-resistant: Credentials are bound to the origin, preventing credential theft.
  • No shared secrets: Private keys never leave the device.
  • User-friendly: Touch or biometric confirmation replaces passwords.
  • Widely supported: Works across major browsers and platforms.

FIDO2 components

  • WebAuthn: W3C standard for browser-based authentication.
  • CTAP2: Protocol for external authenticators (security keys).
  • Platform authenticators: Built-in (Windows Hello, Touch ID, Face ID).
  • Roaming authenticators: External devices (YubiKey, Titan Key).

Implementation options

  • Security keys: YubiKey, Google Titan, Feitian.
  • Platform: Windows Hello, Apple Touch ID/Face ID, Android.
  • Passkeys: Synced FIDO2 credentials across devices.

Cloud provider support

  • AWS IAM supports FIDO2 security keys for MFA.
  • Azure/Entra ID supports passwordless with FIDO2.
  • Google Workspace supports security keys and passkeys.

Best practices

  • Require FIDO2 for privileged accounts.
  • Provide backup authentication methods.
  • Register multiple keys per user for redundancy.
  • Consider passkeys for consumer applications.

Related Tools

Related Articles

View all articles
Password Policy Best Practices for Enterprise Security in 2026

Password Policy Best Practices for Enterprise Security in 2026

Modern password policies have evolved beyond complexity requirements. Learn how to implement passwordless authentication, passkeys, and risk-based policies that improve both security and user experience.

Read article →
PCI DSS Compliance Validation Workflow

PCI DSS Compliance Validation Workflow

Complete guide to PCI DSS 4.0.1 compliance validation from merchant classification through SAQ completion. Covers cardholder data environment mapping, network segmentation, encryption validation, vulnerability scanning, and policy implementation.

Read article →
Secure Password & Authentication Flow Workflow

Secure Password & Authentication Flow Workflow

Master the complete secure password and authentication workflow used by security teams worldwide. This comprehensive guide covers NIST 800-63B password guidelines, Argon2id hashing, multi-factor authentication, session management, brute force protection, and account recovery with practical implementation examples.

Read article →
Data breach trends 2023-2025: What organizations and consumers need to know

Data breach trends 2023-2025: What organizations and consumers need to know

Review the breach patterns emerging since 2023, including double extortion, supply chain compromises, and consumer fallout, plus actions to reduce risk.

Read article →

Explore More Identity & Access Management

View all terms

Authentication vs Authorization

Authentication verifies who you are, while authorization determines what you can do.

Read more →

Identity and Access Management (IAM)

The policies and technologies used to verify identities, govern permissions, and log access across systems.

Read more →

Kerberos

A network authentication protocol that uses secret-key cryptography and trusted third parties to verify user and service identities without transmitting passwords.

Read more →

LDAP (Lightweight Directory Access Protocol)

An open, vendor-neutral protocol for accessing and maintaining distributed directory services over a network.

Read more →

Multi-Factor Authentication (MFA)

An authentication method that requires users to provide two or more verification factors to gain access.

Read more →

OAuth (Open Authorization)

An open standard for delegated access authorization that allows applications to access user resources without exposing credentials.

Read more →
Back to glossary