FIDO2 is the FIDO Alliance's authentication standard. It combines WebAuthn (the W3C browser API) with CTAP (the client-to-authenticator device protocol) to provide public-key, phishing-resistant authentication in place of passwords.
Why FIDO2 matters
- Phishing-resistant: Each credential is scoped to the relying party's domain, and the browser places the actual page origin in the signed data, so a lookalike site cannot obtain a usable assertion and there is no password to capture.
- No shared secrets: The server stores only a public key; the private key never leaves the authenticator, so a server breach yields nothing reusable.
- User-friendly: A touch, PIN, or biometric gesture replaces typing a password.
- Widely supported: Works across major browsers and platforms.
FIDO2 components
- WebAuthn: The W3C API through which a web application asks the browser to create (registration) and use (authentication) credentials.
- CTAP2: The FIDO protocol between the client (browser or OS) and an external authenticator over USB, NFC, or BLE.
- Platform authenticators: Built-in (Windows Hello, Touch ID, Face ID).
- Roaming authenticators: External devices (YubiKey, Titan Key).
Implementation options
- Security keys: YubiKey, Google Titan, Feitian.
- Platform: Windows Hello, Apple Touch ID/Face ID, Android.
- Passkeys: FIDO2 credentials managed by a platform or password manager; synced passkeys are backed up and copied across a user's devices, while device-bound passkeys stay on a single authenticator.
Cloud provider support
- AWS IAM supports FIDO2 security keys for MFA.
- Azure/Entra ID supports passwordless with FIDO2.
- Google Workspace supports security keys and passkeys.
Best practices
- Require FIDO2 for privileged accounts (administrators, break-glass and cloud root identities).
- Provide backup authentication methods, but avoid falling back to a phishable factor such as SMS or e-mailed links for the same accounts; a second registered security key preserves phishing resistance.
- Register multiple keys per user for redundancy, and test the recovery path before a key is lost.
- Consider passkeys for consumer applications, where synced credentials reduce lockout risk.