
What is FIDO2?

Learn the basics of FIDO2 passwordless authentication, including how it works and helps protect individuals and organizations against online attacks.

FIDO2 defined

FIDO2 (Fast IDentity Online 2) is an open standard for user authentication that aims to strengthen the way people sign in to online services to increase overall trust. FIDO2 strengthens security and protects individuals and organizations from cybercrimes by using phishing-resistant cryptographic credentials to validate user identities.

FIDO2 is the latest open authentication standard developed by the FIDO Alliance, an industry consortium of Microsoft and other technology, commercial, and government organizations. The alliance released the FIDO 1.0 authentication standards—which introduced phishing-resistant multifactor authentication (MFA)—in 2014 and the latest passwordless authentication standard—FIDO2 (also called FIDO 2.0 or FIDO 2)—in 2018.

What are passkeys and how do they relate to FIDO2?

No matter how long or complex, or how often they’re changed, passwords can be compromised by being willingly or unwillingly shared. Even with a strong password protection solution, every organization is at some risk of phishing, hacking, and other cyberattacks in which passwords are stolen. Once in the wrong hands, passwords can be used to gain unauthorized access to online accounts, devices, and files.

Passkeys are FIDO2 sign-in credentials that are created using public key cryptography. An effective replacement for passwords, they increase cybersecurity while making signing in to supported web applications and websites more user friendly than traditional methods.

FIDO2 passwordless authentication relies on cryptographic algorithms to generate a pair of private and public passkeys—long, random numbers that are mathematically related. The key pair is used to perform user authentication directly on an end user’s device, whether a desktop computer, laptop, mobile phone, or security key. A passkey can be bound to a single user device or automatically synced across a user’s multiple devices through a cloud service.

How does FIDO2 authentication work?

FIDO2 passwordless authentication generally works by using passkeys as the first and primary factor for account authentication. In short, when a user registers with a FIDO2-supported online service, the client device registered to perform the authentication generates a key pair that works only for that web app or website.

The public key is encrypted and shared with the service, but the private key remains securely on the user’s device. Then, each time the user attempts to sign in to the service, the service presents a unique challenge to the client. The client activates the passkey device to sign the request with the private key and return it. This makes the process cryptographically protected from phishing.

Types of FIDO2 authenticators

Before the device can generate a unique FIDO2 set of passkeys, it must confirm that the user who is requesting access isn’t an unauthorized user or type of malware. It does this with an authenticator, which is a device that can accept a PIN, biometric, or other user gesture.

There are two types of FIDO authenticators:

Roaming (or cross-platform) authenticators

These authenticators are portable hardware devices that are separate from users’ client devices. Roaming authenticators include security keys, smartphones, tablets, wearables, and other devices that connect with client devices through the USB protocol or near-field communication (NFC) and Bluetooth wireless technology. Users verify their identities in a variety of ways, such as by plugging in a FIDO key and pressing a button or by providing a biometric, such as a fingerprint, on their smartphone. Roaming authenticators are also known as cross-platform authenticators because they allow users to authenticate on multiple computers, anytime, anywhere.

Platform (or bound) authenticators

These authenticators are embedded in users’ client devices, whether a desktop, laptop, tablet, or smartphone. Comprising biometric capabilities and hardware chips for protecting passkeys, platform authenticators require the user to sign in to FIDO-supported services with their client device then authenticate through the same device, generally with a biometric or a PIN.

Examples of platform authenticators that use biometric data include Microsoft Windows Hello, Apple Touch ID and Face ID, and Android Fingerprint.

How to register and sign in to FIDO2-supported services:

To take advantage of the increased security that FIDO2 authentication offers, follow these basic steps:

How to register for a FIDO2-supported service:

  • Step 1: When registering with a service, you’ll be prompted to choose a supported FIDO authenticator method.

  • Step 2: Activate the FIDO authenticator with a simple gesture that the authenticator supports, whether entering a PIN, touching a fingerprint reader, or inserting a FIDO2 security key.

  • Step 3: Once the authenticator is activated, your device will generate a private and public key pair that is unique to your device, account, and the service.

  • Step 4: Your local device securely stores the private key and any confidential information pertaining to the authentication method, such as your biometrics data. The public key is encrypted and, along with a randomly generated credential ID, registered with the service and stored on its authenticator server.

How to sign in to a FIDO2-supported service:

  • Step 1: The service issues a cryptographic challenge to confirm your presence.

  • Step 2: When prompted, perform the same authenticator gesture used during account registration. Once you have confirmed your presence with the gesture, your device will then use the private key stored locally on your device to sign the challenge.

  • Step 3: Your device sends the signed challenge back to the service, which verifies it with the securely registered public key.

  • Step 4: Once finished, you’re logged in.
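
The registration and sign-in steps above, as an added Node.js example that is not Microsoft's or the FIDO Alliance's code: a software stand-in plays the authenticator, and the service-side function runs the checks that make a signed challenge useless on any other site. The RP ID `login.example`, the look-alike origin, and all function names are assumptions, and the authenticator data is reduced to its fixed 37-byte header.

```javascript
const crypto = require('node:crypto');

const RP_ID = 'login.example';            // assumed relying-party ID
const ORIGIN = 'https://login.example';   // assumed origin the service expects
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the key pair is created on the device; the service stores only the public half.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, stored: { publicKey, signCount: 0 } };
}

// Sign-in on the device: sign authenticatorData || SHA-256(clientDataJSON).
// Simplification: the RP ID is derived from the origin the browser is actually on.
function signAssertion(privateKey, challenge, origin, signCount) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin,
  }));
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(signCount);
  // Layout: rpIdHash (32 bytes) | flags (0x05 = user present + verified) | counter (4 bytes)
  const authData = Buffer.concat([sha256(new URL(origin).hostname), Buffer.from([0x05]), counter]);
  const signature = crypto.sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authData, signature };
}

// Sign-in on the service: returns 'ok' or the name of the first check that failed.
function verifyAssertion(stored, expectedChallenge, assertion) {
  const { clientDataJSON, authData, signature } = assertion;
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  const got = Buffer.from(String(client.challenge), 'base64url');
  const fresh = got.length === expectedChallenge.length && crypto.timingSafeEqual(got, expectedChallenge);
  if (!fresh) return 'challenge mismatch';
  if (client.origin !== ORIGIN) return 'origin mismatch';
  if (authData.length < 37) return 'truncated authenticator data';
  if (!authData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  if ((authData[32] & 0x01) === 0) return 'user not present';
  const count = authData.readUInt32BE(33);
  const replayed = (count !== 0 || stored.signCount !== 0) && count <= stored.signCount;
  if (replayed) return 'counter did not increase';
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  if (!crypto.verify('sha256', signed, stored.publicKey, signature)) return 'bad signature';
  stored.signCount = count;
  return 'ok';
}

// Constructed run: a genuine sign-in, then the same key answering from a look-alike origin.
function demo() {
  const device = register();
  const challenge = crypto.randomBytes(32);
  const genuine = verifyAssertion(device.stored, challenge,
    signAssertion(device.privateKey, challenge, ORIGIN, 1));
  const lookalike = verifyAssertion(device.stored, challenge,
    signAssertion(device.privateKey, challenge, 'https://login.example.invalid', 2));
  return { genuine, lookalike };
}
console.log(demo());
```

The service should also treat each challenge as single-use and expire it after a short time; the signature counter is a second line of defense against a replayed or cloned response.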

What are the benefits of FIDO2 authentication?

The benefits of FIDO2 passwordless authentication include greater security and privacy, user-friendly experiences, and improved scalability. FIDO2 also reduces workloads and costs associated with access management.

  • Increases security

    FIDO2 passwordless authentication significantly boosts login security by relying on unique passkeys. With FIDO2, hackers can’t easily gain access to this sensitive information through phishing, ransomware, and other common acts of cybertheft. Biometric and FIDO2 keys also help eliminate vulnerabilities in traditional multifactor authentication methods, such as sending one-time passcodes (OTPs) through text messages.

  • Enhances user privacy

    FIDO authentication strengthens user privacy by securely storing private cryptographic keys and biometric data on user devices. In addition, because this method of authentication generates unique key pairs, it helps prevent service providers from tracking users across sites. Also, in response to consumer concerns around potential misuse of biometric data, governments are enacting privacy laws that prevent organizations from selling or sharing biometric information.

  • Promotes ease of use

    With FIDO authentication, individuals can quickly and conveniently authenticate their identities using FIDO2 keys, authenticator apps, or fingerprint readers or cameras embedded in their devices. Although users must perform a second or even third security step (such as when more than one biometric is required for identity verification), they save themselves the time and hassle associated with creating, memorizing, managing, and resetting passwords.

  • Improves scalability

    FIDO2 is an open, license-free standard that enables businesses and other organizations to scale passwordless authentication methods worldwide. With FIDO2, they can deliver secure, streamlined sign-in experiences to all employees, customers, and partners regardless of their chosen browser and platform.

  • Simplifies access management

    IT teams no longer need to deploy and manage password policies and infrastructure, reducing costs and freeing them to focus on higher-value activities. In addition, productivity among help desk personnel increases, as they don’t have to support password-based requests, such as resetting passwords.

What are WebAuthn and CTAP2?

The FIDO2 set of specifications has two components: Web Authentication (WebAuthn) and Client-to-Authenticator Protocol 2 (CTAP2). The main component, WebAuthn, is a JavaScript API that is implemented in compliant web browsers and platforms so that registered devices can perform FIDO2 authentication. The World Wide Web Consortium (W3C), the international standards organization for the World Wide Web, developed WebAuthn in partnership with the FIDO Alliance. WebAuthn became a formal W3C web standard in 2019.

The second component, CTAP2, developed by the FIDO Alliance, allows roaming authenticators, such as FIDO2 security keys and mobile devices, to communicate with FIDO2-supported browsers and platforms.

What are FIDO U2F and FIDO UAF?

FIDO2 evolved from FIDO 1.0, the first FIDO authentication specifications released by the alliance in 2014. These original specifications included the FIDO Universal Second Factor (FIDO U2F) protocol and the FIDO Universal Authentication Framework (FIDO UAF) protocol.

Both FIDO U2F and FIDO UAF are forms of multifactor authentication, which requires two or three pieces of evidence (or factors) to validate a user. These factors can be something only the user knows (such as a passcode or PIN), possesses (such as a FIDO key or an authenticator app on a mobile device), or is (such as a biometric).

Learn more about these specifications:

FIDO U2F

FIDO U2F strengthens password-based authorization standards with two-factor authentication (2FA), which validates the user with two pieces of evidence. The FIDO U2F protocol requires an individual to provide a valid username and password combination as a first factor then use a USB, NFC, or Bluetooth device as a second factor, generally authenticating by pressing a button or keying in a time-sensitive OTP.

FIDO U2F is the successor to CTAP 1 and the predecessor to CTAP2, which allows individuals to use mobile devices in addition to FIDO keys as second-factor devices.

FIDO UAF

FIDO UAF facilitates multifactor passwordless authentication. It requires an individual to sign in with a FIDO-registered client device—which confirms the user’s presence with a biometric check, such as a fingerprint or face scan, or with a PIN—as a first factor. The device then generates the unique keypair as a second factor. A website or app can also use a third factor, such as a biometric or the user’s geographic location.

FIDO UAF is the predecessor to FIDO2 passwordless authentication.

How to implement FIDO2

Implementing the FIDO2 standard on websites and apps requires your organization to have modern hardware and software. Fortunately, all leading web platforms, including Microsoft Windows, Apple iOS and macOS, and Android systems, and all major web browsers, including Microsoft Edge, Google Chrome, Apple Safari, and Mozilla Firefox, support FIDO2. Your identity and access management (IAM) solution must also support FIDO2 authentication.

In general, implementing FIDO2 authentication in new or existing websites and apps entails these key steps:

  1. Define the user login experience and authentication methods, and set access control policies.
  2. Create new or modify existing registration and sign-in pages with the appropriate FIDO protocol specifications.
  3. Set up a FIDO server to authenticate FIDO registration and authentication requests. The FIDO server can be a standalone server, integrated with a web or application server, or provided as an IAM module.
  4. Build new or modify existing authentication workflows.

FIDO2 and biometrics authentication

Biometric authentication uses a person’s unique biological or behavioral characteristics to confirm that the individual is who they claim to be. Biometric data is collected and converted into biometric templates that are only accessible with a secret algorithm. When the individual attempts to sign in, the system recaptures the information, converts it, and compares it with the stored biometric.

Examples of biometric authentication include the following:

Biological

  • Fingerprint scanning
  • Retina scanning
  • Voice recognition
  • DNA matching
  • Vein scanning

Behavioral

  • Touchscreen use
  • Typing speed
  • Keyboard shortcuts
  • Mouse activity

Biometrics authentication is a reality in today’s hybrid, digital workplaces. Employees like the fact that it gives them flexibility to quickly and securely authenticate wherever they choose. Businesses like that it significantly reduces their attack surface, discouraging cybercrimes that might otherwise target their data and systems.

Yet biometric authentication is not entirely hacker proof. For example, bad actors can use someone else’s biometric data, such as a photo or silicone fingerprint, to impersonate that individual. Or they can combine multiple fingerprint scans to create a primary scan that gives them access to several user accounts.

Other downsides to biometric authentication exist. Some facial recognition systems, for example, have an inherent bias against women and people of color. In addition, some organizations choose to store biometric data on database servers rather than on end-user devices, raising questions about security and privacy. Still, multifactor biometric authentication remains one of the most secure methods available today to verify user identities.

Examples of FIDO2 authentication

Security and logistical requirements for identity verification vary within and across organizations. The following are common ways that organizations in different industries implement FIDO2 authentication.

  • Banking, financial services, and insurance

    To protect sensitive business and customer data, employees who work in corporate offices often use company-provided desktops or laptops with platform authenticators. Company policy prohibits them from using these devices for personal use. On-site branch and call center employees frequently use shared devices and verify their identities using roaming authenticators.

  • Aviation and airlines

    Organizations in these industries must also accommodate individuals who work in different settings and have varying responsibilities. Executive, human resources, and other office-based employees often use dedicated desktops and laptops and authenticate either with platform or roaming authenticators. Airport gate agents, airplane mechanics, and crew members often use hardware security keys or authenticator apps on their personal smartphones to authenticate on shared tablets or workstations.

  • Manufacturing

    To ensure the physical security of manufacturing facilities, authorized employees and other individuals use roaming authenticators—such as FIDO2-enabled smartcards and FIDO2 keys—or registered personal smartphones with platform authenticators to unlock doors. In addition, product design teams often use dedicated desktops or laptops with platform authenticators to access online design systems that contain proprietary information.

  • Emergency services

    Government agencies and other emergency service providers can’t always authenticate paramedics and other first responders with fingerprint or iris scans. Often, these individuals are wearing gloves or eye protectors at the same time they need to quickly access online services. In these cases, they are instead identified through voice recognition systems. Emerging technologies for scanning ear shapes with smartphones can also be used.

Create peace-of-mind security with FIDO2

Passwordless authentication is quickly becoming a best practice for IAM. By embracing FIDO2, you know that you’re using a trusted standard to make sure that users are who they say they are.

To get started with FIDO2, carefully evaluate your specific organizational and industry requirements for identity verification. Then, streamline FIDO2 implementation with Microsoft Entra ID (previously known as Azure Active Directory). The passwordless methods wizard in Microsoft Entra ID simplifies management of Windows Hello for Business, the Microsoft Authenticator App, and FIDO2 security keys.

Frequently asked questions

  • FIDO2 stands for Fast IDentity Online 2, the latest open authentication standard released by the FIDO Alliance. Comprising Microsoft and other technology, commercial, and government organizations, the alliance seeks to eliminate the use of passwords over the World Wide Web.

    FIDO2 specifications include Web Authentication (WebAuthn), a web API that allows online services to communicate with FIDO2 platform authenticators (such as fingerprint and facial recognition technologies embedded in web browsers and platforms). Developed by the World Wide Web Consortium (W3C) in partnership with the FIDO Alliance, WebAuthn is a formal W3C standard.

    FIDO2 also includes the Client-to-Authenticator Protocol 2 (CTAP2), developed by the alliance. CTAP2 connects roaming authenticators (such as external FIDO2 security keys and mobile devices) to FIDO2 client devices through USB, BLE, or NFC.

  • FIDO2 is an open, license-free standard for multifactor passwordless authentication in mobile and desktop environments. FIDO2 works by using public key cryptography instead of passwords to validate user identities, thwarting cybercriminals who attempt to steal user credentials through phishing, malware, and other password-based attacks.

  • The benefits of FIDO2 authentication include greater security and privacy, user-friendly experiences, and improved scalability. FIDO2 also simplifies access control for IT teams and help-desk staff by reducing workloads and costs associated with managing usernames and passwords.

  • A FIDO2 key, also called a FIDO2 security key, is a physical hardware device required for two-factor and multifactor authentication. Acting as a roaming FIDO authenticator, it uses USB, NFC, or Bluetooth to connect to a FIDO2 client device, allowing users to authenticate on multiple computers, whether in the office, at home, or in another setting.

    The client device verifies the user’s identity by asking the user to use the FIDO2 key to make a gesture, such as touching a fingerprint reader, pressing a button, or entering a PIN. FIDO2 keys include plug-in keys, smartphones, tablets, wearables, and other devices.

  • Organizations deploy FIDO2 authentication methods based on their unique security, logistical, and industry requirements.

    For example, banks and research-driven manufacturers often require office-based and other employees to use company-provided, for-business-use-only desktops and laptops with platform authenticators. Organizations with people on the go, such as airline crews and emergency response teams, instead often access shared tablets or workstations and then authenticate using security keys or authenticator apps on their smartphones.
