Core Technologies
WebAuthn (Web Authentication API):
- W3C web standard that defines the browser API for FIDO2 authentication
- Enables websites and applications to authenticate users using cryptographic credentials
- Provides JavaScript APIs for registration and authentication operations
- Supported by all major browsers (Chrome, Firefox, Safari, Edge)
- Handles the communication between relying parties (websites) and authenticators
CTAP (Client to Authenticator Protocol):
- CTAP2: The protocol that enables external authenticators (USB security keys, NFC devices, Bluetooth authenticators) to communicate with client platforms (browsers, operating systems)
- CTAP1: Backwards compatible with the legacy FIDO U2F protocol for existing security keys
- Defines how authenticators register credentials and create authentication assertions
- Supports various transport mechanisms: USB, NFC, Bluetooth Low Energy (BLE)
Authenticator Types
Platform Authenticators:
- Built into devices (Windows Hello, Touch ID, Face ID, Android biometrics)
- Use the device's secure element or hardware key store (TPM, Secure Enclave) to store private keys
- Provide seamless user authentication through biometrics or device PINs
- Form the foundation for FIDO2 Passkeys
Roaming Authenticators:
- External hardware security keys (YubiKey, Titan Security Key, Feitian)
- Portable across multiple devices and platforms
- Often provide hardware-backed attestation for high-security scenarios
- Can serve as backup authentication methods
Relationship to Other Technologies
- FIDO2 Passkeys: User-facing implementation of FIDO2 credentials that can sync across devices (multi-device passkeys) or remain device-bound
- FIDO U2F: Legacy second-factor authentication standard, supported through CTAP1 for backwards compatibility
- UAF (Universal Authentication Framework): Earlier FIDO specification focused on first-factor biometric authentication
Key Advantages of FIDO2:
- Strong Authentication: Cryptographic credentials resistant to phishing, password reuse, and credential theft
- Passwordless Experience: Eliminates passwords entirely, or reduces reliance on them by demoting them to a secondary factor
- Attestation Support: Authenticators can cryptographically prove their authenticity and security characteristics
- Interoperability: Open standards ensure compatibility across platforms, browsers, and service providers
- Privacy Protection: Credentials are scoped to individual relying parties, preventing cross-site tracking
- Scalability: Supports both consumer and enterprise deployments with varying security requirements
Key Challenges of FIDO2:
- Adoption and Support: Requires coordinated implementation by service providers, browsers, and authenticator manufacturers
- User Education: Users need guidance on choosing between platform authenticators, roaming authenticators, and passkey types
- Legacy System Integration: Retrofitting FIDO2 authentication into existing identity infrastructure may require significant effort
- Account Recovery: Organizations must implement robust recovery mechanisms for lost or inaccessible authenticators
- Cross-Platform Complications: While improving, cross-platform experiences (e.g., using an iOS device to authenticate on Windows) can be complex
- Enterprise Management: Large organizations need tools for provisioning, managing, and revoking FIDO2 credentials at scale
- Regulatory Compliance: Handling biometric data and attestation information requires adherence to privacy regulations (GDPR, CCPA)