Authentication

FIDO2

FIDO2 is the open authentication standard that lets users sign in to websites and apps using public-key cryptography — implemented by WebAuthn in browsers and CTAP2 between the browser and the authenticator (security key, phone, or platform TPM).

Last reviewed 5/30/2026

Key points

  • FIDO2 = WebAuthn (W3C, browser ↔ server) + CTAP2 (FIDO Alliance, browser ↔ authenticator).
  • It is phishing-resistant: the credential is cryptographically bound to the origin (rp_id), so a fake site can't replay it.
  • Authenticators can be roaming (YubiKey, Titan) or platform (Touch ID, Windows Hello, Android biometrics).
  • Passkeys are the consumer-friendly UX layer on top of FIDO2/WebAuthn — typically discoverable, synced credentials.
  • Enterprise FIDO2 is the gold standard for MFA: it defeats phishing, SIM swap, push-bombing, and adversary-in-the-middle attacks.

What is FIDO2?

FIDO2 is the umbrella name for the open authentication standards that enable phishing-resistant, public-key sign-in across the web and native apps. It has two halves:

  • WebAuthn — a W3C standard exposed as a JavaScript API in every modern browser. It defines how a relying party (website) and the user's browser exchange cryptographic challenges.
  • CTAP2 (Client-to-Authenticator Protocol) — defines how the browser talks to the actual authenticator (a USB security key, NFC token, phone, or built-in platform authenticator like Touch ID or Windows Hello).

Together they replace passwords with a key pair: the private key never leaves the authenticator, and the public key is what the server stores.

How it works

  1. Registration — the server sends a challenge plus its origin (rp_id). The authenticator generates a new key pair, signs the challenge, and returns the public key. The server stores it against the user.
  2. Authentication — the server sends a new challenge. The authenticator signs it with the private key (after a user gesture: biometric, PIN, or button press). The server verifies the signature using the stored public key.

The critical property: the browser binds the credential to the origin. A phishing site at aceme.com cannot get a signature for acme.com, because the browser will not use a credential for any site other than the one matching its rp_id. This is what makes FIDO2 phishing-resistant, and why it's the only MFA factor CISA recommends for high-value accounts.
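The relying-party side of step 2, as an added example that is not part of the original page or of any FIDO2 library: it simulates the browser and authenticator with Node's built-in crypto module, then shows which server-side check rejects an assertion produced for the lookalike origin. The function names (makeAssertion, verifyAssertion, demo), the ES256 key type, and the challenge values are assumptions made for illustration.

```javascript
const { createHash, generateKeyPairSync, sign, verify } = require('crypto');
const sha256 = (data) => createHash('sha256').update(data).digest();

// Constructed stand-in for browser + authenticator. The browser, not the page,
// writes `origin` into clientDataJSON; the authenticator hashes the rp_id.
function makeAssertion(privateKey, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authenticatorData = rpIdHash (32 bytes) || flags (1) || signCount (4)
  const authenticatorData = Buffer.concat(
    [sha256(rpId), Buffer.from([0x05]), Buffer.from([0, 0, 0, 1])]); // 0x05 = UP | UV
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: sign('sha256', signed, privateKey) };
}

// Relying-party checks for step 2 (authentication); returns 'ok' or the failed check.
function verifyAssertion(a, publicKey, expected) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpIdHash mismatch';
  if ((a.authenticatorData[32] & 0x05) !== 0x05) return 'user gesture missing';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const ec = () => generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const acme = ec();      // credential registered at acme.com; server stores acme.publicKey
  const lookalike = ec(); // a separate credential is all aceme.com can ever obtain
  const challenge = Buffer.from('constructed-challenge-2'); // real servers use fresh random bytes
  const expected = { rpId: 'acme.com', origin: 'https://acme.com', challenge };
  const check = (a) => verifyAssertion(a, acme.publicKey, expected);

  const genuine = makeAssertion(acme.privateKey, 'acme.com', 'https://acme.com', challenge);
  const phished = makeAssertion(lookalike.privateKey, 'aceme.com', 'https://aceme.com', challenge);
  const stale = makeAssertion(acme.privateKey, 'acme.com', 'https://acme.com',
    Buffer.from('constructed-challenge-1'));
  // Swapping in a clientDataJSON that names the right origin still fails at rpIdHash.
  const rewritten = { ...phished, clientDataJSON: genuine.clientDataJSON };
  return { genuine: check(genuine), phished: check(phished), stale: check(stale),
    rewritten: check(rewritten) };
}

console.log(demo());
```

A production verifier would also track signCount and decode the base64url fields the browser returns; both are left out here to keep the origin and rp_id checks in view.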

When buyers care

  • Phishing-resistant MFA mandates (CISA BOD, US Executive Order 14028, PCI DSS 4.0, NYDFS 500.12).
  • Eliminating push bombing — Microsoft, Cisco, and others recommend moving from push MFA to FIDO2 after the Uber, Twilio, and Cisco breaches.
  • Passwordless rollouts — passkeys (the synced flavor of FIDO2) are the consumer UX; security keys are the enterprise high-assurance option.
  • Privileged users — admins, finance, executives should be FIDO2-only.

FIDO2 vs Passkeys vs Security Keys

  • FIDO2 is the underlying standard.
  • Security keys (YubiKey, Titan, Feitian) are roaming authenticators — usually device-bound, non-syncable, highest assurance.
  • Passkeys are FIDO2 credentials that are either device-bound (Windows Hello) or synced across a user's devices via iCloud Keychain / Google Password Manager / 1Password / Dashlane.

Editorial note

If a vendor sells "passwordless" without FIDO2 under the hood (e.g. magic links or push notifications), it is not phishing-resistant — it's just password-less.

Standards & references