FIDO2: the Ultimate Passwordless Authentication Standard

Explore FIDO2, a modern authentication standard that replaces traditional passwords with secure and user-friendly methods using public key cryptography and biometrics. Learn about its history, how it works, and its advantages and limitations as it revolutionizes online account access.

What Is FIDO2 Authentication?

FIDO2 is a modern authentication standard that aims to replace traditional username and password authentication methods with stronger, more secure methods that are easier to use. It stands for Fast Identity Online 2.0 and is a standard developed by the FIDO Alliance, an industry consortium focused on creating open standards for strong authentication.

FIDO2 authentication uses a combination of public key cryptography and biometrics to provide secure and easy-to-use authentication. This approach eliminates the need for the user to remember complex passwords and reduces the risk of account takeover through stolen passwords. Instead, FIDO2 relies on a user’s biometric data (such as fingerprints or facial recognition) or a hardware key (such as a USB token) to verify their identity.

Related content: Read our guide to two factor authentication

FIDO2 authentication is increasingly being adopted by companies and websites as a more secure and convenient way for users to access their accounts.

In this article:

Who Is Behind the FIDO Standard?

The FIDO Alliance is an industry consortium that was established in 2012 with the goal of creating open authentication standards that are secure, easy to use, and widely adopted. The Alliance’s members include some of the world’s leading technology companies, such as Google, Microsoft, Amazon, and Intel.

The World Wide Web Consortium (W3C) is a global community that develops open standards for the web. It was founded in 1994 and is led by web inventor Tim Berners-Lee. The W3C’s mission is to ensure the long-term growth and interoperability of the web.

The FIDO Alliance and the W3C collaborated to develop the FIDO2 authentication standard, which was released in 2018. The standard incorporates the W3C’s Web Authentication (WebAuthn) specification, which enables FIDO2-based authentication to be integrated with web browsers.

The collaboration between the FIDO Alliance and the W3C was crucial in creating a widely accepted and interoperable standard for strong authentication. By working together, they were able to create a standard that could be adopted across a wide range of devices, platforms, and services.

Related content: Read our guide to authentication vs authorization

Brief History of FIDO

With the rise of biometric technology, PayPal and other tech leaders began working on an industry standard for passwordless authentication using public key cryptography.

The FIDO Alliance was founded in July 2012 by six companies: PayPal, Lenovo, Validity Sensors, Nok Nok Labs, Agnitio, and Infineon. The founding members recognized the need for stronger authentication methods and wanted to create an open standard that would improve security and boost the user experience. The FIDO Alliance quickly started growing, attracting members from a range of industries, including technology, finance, and telecommunications:

In 2014, Samsung and PayPal announced a collaboration to deploy FIDO authentication on Galaxy S5 devices. This was a significant milestone for the FIDO Alliance, as it demonstrated the potential of FIDO authentication on smart devices. Later that year, the FIDO Alliance completed version 1 of the FIDO protocol, which enabled passwordless authentication using biometrics or other user credentials.
In 2017, the FIDO Alliance announced the Authenticator Certification Program, which provides a framework for testing and certifying FIDO-compliant authenticators. This program helps ensure that FIDO authentication solutions are interoperable and meet the Alliance’s security and usability standards.
In April 2018, the FIDO Alliance launched FIDO2, a new standard that combines the FIDO U2F and FIDO UAF protocols. FIDO2 enables passwordless authentication using a wide range of methods, including biometrics and security keys. This new standard has gained significant adoption, with major technology companies such as Microsoft, Google, and Apple already supporting it.
In December 2018, the International Telecommunication Union (ITU-T) recognized the FIDO UAF and CTAP specifications as international standards. This recognition further validates the FIDO Alliance’s work in creating open, interoperable standards for strong authentication.

Over the years, many smart devices have adopted FIDO authentication, including smartphones, laptops, and IoT devices. This adoption has been driven by the FIDO Alliance’s focus on creating standards that are easy to use, secure, and interoperable. As more companies adopt FIDO authentication, it is becoming an increasingly important part of the broader shift towards stronger, more secure authentication methods.

Related content: Read our guide to token based authentication

FIDO vs. FIDO2

FIDO and FIDO2 are related but different authentication protocols developed by the FIDO Alliance.

FIDO (Fast IDentity Online) is the first set of open authentication standards that the Alliance developed. It includes two protocols: Universal Second Factor (U2F) and Universal Authentication Framework (UAF). U2F allows users to authenticate with a physical security key, such as a USB key, while UAF uses biometric data, such as fingerprints, to authenticate users.

FIDO2 is the next generation of FIDO protocols, and is designed to improve security and usability. It includes two new protocols: WebAuthn and CTAP (Client to Authenticator Protocol). WebAuthn allows web applications to interact with FIDO2 authentication devices, while CTAP allows other types of applications, such as mobile apps, to interact with FIDO2 authentication devices.

The main difference between FIDO and FIDO2 is the level of security and the range of applications that they support. FIDO provides a strong level of security with physical security keys and biometric data, but is limited to web-based applications. FIDO2, on the other hand, expands on the capabilities of FIDO by allowing other types of applications to interact with FIDO2 authentication devices, and by adding support for multiple authentication factors, including biometric data and PIN codes.

How Does FIDO2 Work?

FIDO2 Security Key

A FIDO2 security key is a type of hardware authentication device used for secure logins into online accounts and services. It’s a small, physical device that plugs into a USB port or uses a wireless interface, such as Bluetooth or NFC, to communicate with a device. It generates a public-private key pair, where the private key is securely stored on the device and the public key is shared with the online service or account.

FIDO2 User Registration Workflow

Registration in FIDO2 begins with the user initiating registration on a FIDO2-enabled service or application. The service or application generates a new key pair for the user, consisting of a public key and a private key. The private key is securely stored on the user’s device or security key, while the public key is sent back to the service.

The service then sends a challenge to the user’s device, which the device signs using the private key and returns the signed challenge to the service. The service verifies the signature using the public key, and if it is valid, associates the public key with the user’s account.

This process results in the user’s device being registered as a FIDO2 authenticator, allowing the user to authenticate without a password using biometrics or the security key.

FIDO2 Authentication Process

Subsequent authentication attempts involve a similar process to registration, where the user’s device signs a challenge presented by the service and sends the signed response back for verification. The authentication process requires the private key to work.

When logging into a FIDO2-enabled website, users can choose between the traditional sign-in option (username and password) or biometric authentication. The previously registered user’s device signs the challenge using the private key associated with the user’s account and returns the signed response to the service. The service verifies the signature using the previously registered public key, and if it is valid, grants the user access to their account.

FIDO2: Advantages and Limitations

FIDO2 offers several advantages over traditional authentication methods:

Security: FIDO2 uses public-key cryptography and hardware-backed protection to provide strong authentication that is resistant to phishing, man-in-the-middle (MitM) attacks, and other types of cyber threats.
Privacy: FIDO2 is designed to protect user privacy by ensuring that user credentials are never shared or stored on servers. This significantly reduces the risk of data breaches and unauthorized access.
Support: FIDO2 is supported by all major web browsers, including Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari. This broad support makes it easy for developers to adopt and integrate FIDO2 into their applications.
Convenience: FIDO2 offers a convenient and easy-to-use authentication experience, with no need to remember complex passwords or undergo time-consuming authentication processes. Users can authenticate with a simple gesture or tap on their device, improving user experience and productivity.
Scalability: FIDO2 is designed to be scalable and interoperable across a range of devices and services, enabling organizations to deploy strong authentication solutions at scale without the need for additional infrastructure or costly upgrades.

However, FIDO2 does require an additional step in the authentication process, such as touching a fingerprint sensor or inserting a security key. It doesn’t allow users to rely on the device or browser automatically filling in credentials. Some users may find this additional step inconvenient, especially if they are used to traditional authentication methods.

While FIDO2 has gained wider adoption in recent years, it is not yet supported by all applications and services. This can limit its usefulness for some users and organizations, who may need to use alternative authentication methods for certain applications.

Authentication and Authorization with Frontegg

Frontegg is a self-served and multi-tenant user management platform for SaaS businesses that are looking to cover both authorization and authentication bases with one centralized solution without worrying about in-house coding and other maintenance requirements. Just manage your roles and permissions, create strong flows based on your use cases, and customize your Login Box, all via one centralized dashboard. It’s really that easy.

START FOR FREE

The Complete Guide to SaaS Multi-Tenant Architecture

Read the guide

Cookie	Duration	Description
_vis_opt_s	3 months 8 days	Visual Website Optimizer sets this cookie to detect if there are new to or returning to a particular test.
_vis_opt_test_cookie	session	Visual Website Optimizer creates this cookie to determine whether or not cookies are enabled on the user's browser.
li_gc	6 months	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
messagesUtk	6 months	HubSpot sets this cookie to recognize visitors who chat via the chatflows tool.

Cookie	Duration	Description
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_hjSession_*	1 hour	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hjSessionUser_*	1 year	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hp2_ses_props.*	1 hour	Heap sets this cookie to store the timestamp and cookie domain or path.
_omappvp	1 year 1 month 4 days	The _omappvp cookie is set to distinguish new and returning users and is used in conjunction with _omappvs cookie.
_omappvs	20 minutes	The _omappvs cookie, used in conjunction with the _omappvp cookies, is used to determine if the visitor has visited the website before, or if it is a new visitor.
_vwo_uuid_v2	1 year	This cookie is set by Visual Website Optimiser and calculates unique traffic on a website.
cb_anonymous_id	1 year	Clearbit sets this cookie to track page views and traits for Clearbit.
cb_group_id	1 year	Clearbit sets this cookie to track page views and traits for Clearbit.

Cookie	Duration	Description
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
cb_user_id	1 year	Clearbit sets this cookie to collect data on visitors. This information is used to assign visitors into segments, making website advertising more relevant.

Cookie	Duration	Description
__Host-session	14 days	No description available.
__tld__	session	Description is currently not available.
_cfuvid	session	Description is currently not available.
_crowdcontrol_session_key	session	Description is currently not available.
_g2_session_id	session	Description is currently not available.
_hp2_hld346349427843107.1065080579	5 minutes	Description is currently not available.
_hp2_hld6722177740337317.1065080579	5 minutes	Description is currently not available.
_hp2_hld8090462093010520.1065080579	5 minutes	Description is currently not available.
cbtest	1 year	Description is currently not available.
debug	never	No description available.
events_distinct_id	session	Description is currently not available.
h1_device_id	1 year	Description is currently not available.
pfjscookies	1 year	Description is currently not available.