What Is FIDO2 and How Does It Work? Passwordless Authentication Advantages & Disadvantages

What is FIDO2 and How Does It Work?


Logging into a website or service using the traditional username and password combination isn’t the best or safest way of going about it anymore. As cybercriminals become more technologically advanced, data protection methods must also move forward. This is where new authentication standards such as FIDO2 can become a useful tool in battling the issue.

But, what is FIDO2 passwordless authentication, and what authentication tools are used instead of passwords? How do FIDO2  security keys even work? We’ll answer these and many other essential questions pertaining to this passwordless authentication standard in this detailed overview. Continue reading to learn everything about the FIDO2 protocol.


What is FIDO2? The New Passwordless Standard

How Does FIDO2 Work

FIDO2 vs. FIDO U2F - What is the Difference

FIDO2 Advantages and Disadvantages

FIDO2 Use Cases

Getting started with FIDO2 authentication

What is FIDO2? The New Passwordless Standard

FIDO stands for Fast Identity Online. With an added number two at the end, this acronym is based upon previous work done by the FIDO Alliance, particularly in terms of developing the Universal 2nd Factor (U2F) authentication standard. 

The FIDO Alliance was founded in July 2012 by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio. The goal of this alliance was to reduce the reliance on traditional passwords and improve how identity authentication works. 

FIDO is the third standard to emerge from the FIDO Alliance, following the FIDO Universal Second Factor (U2F) and the FIDO Universal Authentication Framework (UAF).

The main objective of FIDO2 is to eliminate the use of passwords over the Internet. It was developed to introduce open and license-free standards for secure passwordless authentication over the Internet. 

The FIDO2 authentication process eliminates the traditional threats that come with using a login username and password, replacing it with the FIDO2 login standard. As such, it protects against common online attacks such as phishing and man-in-the-middle attacks.

In May of 2022, Apple, Google, and Microsoft announced their support for the new set of standards for passwordless authentication. Popularly referred to as “passkeys” by vendors, this new “multi-device FIDO credential” scheme garnered significant attention due to the fact that credentials could survive a device loss.

A passkey is the same as a FIDO key in the essence that the passkey is generated once the user verifies their identity. These passkeys consist of a public and private key pair with end-to-end encryption that secures credentials when syncing across different devices.

How Does FIDO2 Work?

The FIDO2 protocol uses public-key cryptography to guarantee a secure and convenient authentication system. The FIDO2 standard uses a private and public passkey to validate each user’s identity to achieve this. To use FIDO2 authentication, you’ll have to sign up for it at FIDO2-supported services. 

So, how does this look in practice? Here’s a quick FIDO2 example that illustrates how the FIDO2 protocol works:

  1. When the user attempts a FIDO2 login into an app, the FIDO2 server uses WebAuthn to send a challenge to the FIDO client, requiring it to sign the data with the private FIDO2 key.
  2. The user then uses the previously set up authentication method to answer this request. During this process, the domain of the FIDO2 server is checked to ensure it is the correct one that was used earlier during registration. This extra step of FIDO2 implementation ensures strong phishing resistance.
  3. The FIDO client obtains the private FIDO key from the authenticator. This can be either through a FIDO passkey, a physical security key, or a mobile app.
  4. The FIDO client then signs the challenge to prove its validity, and the user gains access to the platform or service.

While the world’s biggest platforms like Apple, Google, and Microsoft are championing FIDO, they aren’t the only driving force behind the FIDO Alliance and are collaborating alongside hundreds of companies all over the world to make simpler, stronger authentication a reality. 

To set up passwordless sign-ins, you have to go through a few setup steps:

  • You have to fill out the appropriate registration form and choose a FIDO2 authenticator (either a FIDO2 device or a trusted platform module).
  • The service will generate a FIDO2 authentication key pair.
  • Your FIDO2 authenticator sends the public key to the service, while the private key containing sensitive information stays on your device.
FIDO authentication flow

FIDO Authentication Flow

Once the secure communication path is enabled, the setup credentials are stored permanently, allowing for later logins. What’s especially important to remember for this secure web log-in process is that you don’t exchange any secrets with the servers. The crucial piece of information, which is your FIDO2 security key, always remains on your device.

Of course, it’s also essential to remember that these FIDO passkeys are just a step in the process, not the be-all and end-all solution. Organizations should consider that FIDO is still evolving, and it’s crucial to stay up to date with future changes and adaptations.

FIDO2 Authentication Use Cases

So, how does FIDO2 affect the overall user experience through real-life examples? Even more important for the average user, in what form can you implement it in your day-to-day life? Let’s take a closer look at how you can implement FIDO2 passwordless login in different forms:

1. Platform authenticators

These types of authenticators are generally not removable from the client device, as they are already built into the device. In other words, no other external device is engaged in the authentication process. This makes them very convenient for repeat authentications.

FIDO Platform Authentication

Example of Platform Authentication

2. Cross-platform authenticators.

Also known as roaming authenticators, these are external device servers that are removable and can be used across different devices. With cross-platform authentication, an external Bluetooth/NFC device or a physical security key like the Hideez Key can be used as authenticators. The main perk of cross-platform authenticators is streamlining the process of authentication from new devices.

FIDO2 cross-platform authentication
Example of Cross-Platform Authentication

FIDO2 vs. U2F - What is the Difference?

Now that we understand how FIDO2 authentication works, it’s also useful to do a FIDO2 vs. FIDO U2F comparison to determine the difference. The most significant difference between the two is that the former was created to allow all authentication to become passwordless. On the contrary, FIDO U2F was designed to serve as a second factor for passwords.

FIDO2 and U2F Websites and Services

To expand on this, with the release of FIDO2, U2F has effectively been merged into FIDO2. It was relabeled as CTAP1, serving as a strong second factor for user login. CTAP1 enables the use of existing U2F devices to work as authentication clients on FIDO2-enabled systems.

Moreover, with the release of FIDO2, CTAP2 became the new standard along with WebAuthn. A modern authenticator using CTAP2 is also known as a FIDO2 authentication. In the same breath, if the FIDO2 authenticator also includes CTAP1, it will also be backward compatible with standard U2F authentication.

FIDO2 Advantages and Disadvantages

FIDO2 Advantages

The most significant advantage of FIDO2 authentication is that it creates a much smaller attack window for cybercriminals. To access your sensitive private information, attackers will need a FIDO2 authenticator, which is physically always by your side in the form of your device or your biometrics.

If you use several FIDO2-supported sites, you’ll enjoy another advantage in the form of a more streamlined experience, as you won’t have to remember multiple login details and passwords for each of your accounts. The FIDO2 U2F security key will work across the board for all supported platforms, offering maximum security and user comfort.

FIDO2 Disadvantages

Of course, like any other security method in the world, the FIDO2 standard does have certain disadvantages. These drawbacks aren’t deal-breakers but are something you should be aware of if you plan on implementing the FIDO2 passwordless login as a security practice.

Most notably, this standard requires an additional security step compared to traditional password login standards if you use it as a regular component of two-factor authentication. With that in mind, such a system isn’t the most practical one if you log into more FIDO2-enabled security keys several times each day. 

Additionally, since this authentication method still isn’t well spread out, there are not many FIDO2-supported security keys at the moment, though the number of FIDO-enabled platforms and browsers is constantly growing. For example, you can enable passwordless sign-in with Facebook, Twitter, Google, Dropbox, GitHub, and more than 300 other services that support FIDO2 or FIDO U2F.

FIDO2 Supported browsers

FIDO Platform/ Browser Support from FIDO Alliance

Getting started with FIDO2 authentication

Cyber-attacks have shown us that the human risk factor is a significant aspect of cybersecurity breaches. With FIDO2 implementation and passwordless authentication, the human risk factor is eliminated, allowing for a much safer user experience. FIDO2 implementation fits perfectly into a zero-trust security framework. Apart from being robust and complying with the strictest security policies, it provides a convenient user experience

Big tech companies such as Microsoft, Google, and Apple are already supporting FIDO security key options. Although this form of secure login is still in its relatively early stages, one thing is sure - passwordless authentication is the future.

For the highest levels of security and convenience, Hideez offers a passwordless authentication system for organizations. It allows every organization to deploy a personal FIDO2 server that will enable a passwordless experience for all employees at no cost. It can be configured to work with any web services, even those not supporting FIDO protocols by default. 

Every user will be able to choose a preferred authentication method: either passkeys (personal devices), a mobile app that turns a smartphone into a FIDO key, or a physical security key. On top of that, physical keys offer additional features such as proximity-based PC login and logout, password-based access to legacy systems, OTP generation, and physical access to buildings based on RFID technology. The complex design of the Hideez Key ensures both convenience and protection thanks to a unique set of features:

  • Password-based Digital Access - This feature of the Hideez Key provides a great user experience across the board. You can use the key to lock or unlock your Windows 10 PC by proximity and generate new complex passwords and one-time passwords for two-factor authentication. Moreover, you can store up to 1,000 logins and passwords from your existing accounts and ensure their secure autofill. This also includes password-protected local folders, PDF, Word, ZIP files, and any other documents you want to keep safe.
  • Passwordless Access - The device also supports FIDO U2F and FIDO2, the two open authentication standards aimed at reducing the world’s over-reliance on passwords. It means that the Hideez Key can be used for passwordless authentication and 2FA on FIDO-supported browsers and platforms (Google and Microsoft services, Facebook, Twitter, Dropbox, Azure AD, etc.), the number of which is growing steadily. The Hideez Key wirelessly supports FIDO authentication on Windows 10 and Android 8+ devices via Bluetooth Low Energy (BLE) technology.  
  • Proximity logon - A built-in proximity lock will protect your computer every time you walk away. Using the Hideez Key, you can automatically lock and unlock your Windows workstation based on the Bluetooth strength between the key and your PC. You can tailor and customize how you want to lock it by adjusting preferable proximity thresholds and choosing the unlocking method.
  • Physical Access - Besides digital access, the Hideez Key also provides convenient physical access. A built-in RFID tag can be pre-programmed to open any RFID door lock at office buildings, data centers, factories, etc., thus replacing a smart card.
  • Strengthened Protection - The Hideez Key provides enhanced protection against both phishing and pharming, as well as all other password-related attacks. Plus, unlike most other password managers, the Hideez Key doesn’t send any credentials into the cloud or to any third parties.

With the Hideez Service, every organization can go passwordless at $6 per user per month. Start a free 30-day trial to understand how it works and see the benefits of passwordless authentication in working environments.

Related Posts