East Bay Cyber

What is FIDO2?

What is FIDO2? FIDO2 is a modern authentication standard that enables phishing-resistant login using passkeys, biometrics, or security keys instead of relying only on passwords. In practical terms, FIDO2 replaces shared secrets with public-key cryptography: the website or app verifies a signature made with a cryptographic credential rather than checking a reusable password that can be stolen and replayed.

Short answer

FIDO2 is an authentication standard for secure sign-in using passkeys, built-in device authenticators, or hardware security keys. It is designed to reduce password risk and improve resistance to phishing, credential theft, and account takeover.

How FIDO2 works

FIDO2 is built to solve a basic problem: passwords are easy to steal, reuse, phish, and brute-force.

Instead of relying on a shared secret, FIDO2 uses public-key cryptography. When you register with a service:

  • your device or security key creates a unique key pair
  • the private key stays on your device or authenticator
  • the public key is shared with the website or application

Later, when you sign in:

  • the service sends a cryptographic challenge
  • your authenticator signs that challenge with the private key
  • the service verifies the signature using the public key

The private key never leaves the device. That is the core security improvement of FIDO2 over passwords: no reusable shared secret is ever sent to the site.

What standards make up FIDO2?

FIDO2 is usually described as the combination of two technologies:

  • WebAuthn: the web standard that allows browsers and apps to support strong authentication
  • CTAP: the protocol that lets external authenticators, such as hardware security keys, communicate with devices

You do not need to memorize WebAuthn and CTAP to use FIDO2, but they explain how browsers, operating systems, and authenticators work together.
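To make the WebAuthn half concrete, here is an added example (not code from the article) of the two browser calls a web app makes to register and use a FIDO2 credential. The COSE algorithm identifiers are the real values from the WebAuthn specification; the relying-party id, user values and challenge in the usage are constructed, and a real deployment fetches the single-use challenge from its server rather than generating it client-side.

```javascript
// Added example: browser-side WebAuthn option builders for a FIDO2 login.
// Only the option objects are built here; the actual navigator.credentials calls
// need a browser, so they are guarded and not exercised outside one.
const COSE_ES256 = -7;   // ECDSA P-256 with SHA-256 (most widely supported)
const COSE_EDDSA = -8;   // Ed25519
const COSE_RS256 = -257; // RSASSA-PKCS1-v1_5 with SHA-256 (some older platform authenticators)

// Registration options for navigator.credentials.create({ publicKey: ... }).
// challenge and userId are Uint8Array values; rpId is the domain the credential is scoped to.
function buildRegistrationOptions({ rpId, rpName, userId, userName, challenge, passkey }) {
  return {
    rp: { id: rpId, name: rpName },                 // credential is bound to this relying-party id
    user: { id: userId, name: userName, displayName: userName },
    challenge,                                      // server-generated and single-use
    pubKeyCredParams: [COSE_ES256, COSE_EDDSA, COSE_RS256].map((alg) => ({ type: 'public-key', alg })),
    authenticatorSelection: {
      residentKey: passkey ? 'required' : 'discouraged', // discoverable credential = passkey
      userVerification: 'required',                  // PIN or biometric, not just a touch
    },
    attestation: 'none',
    timeout: 60000,
  };
}

// Sign-in options for navigator.credentials.get({ publicKey: ... }).
// With passkeys the allow list can be empty; the authenticator finds the credential by rpId.
function buildLoginOptions({ rpId, challenge, allowedCredentialIds = [] }) {
  return {
    rpId,
    challenge,
    allowCredentials: allowedCredentialIds.map((id) => ({ type: 'public-key', id })),
    userVerification: 'required',
    timeout: 60000,
  };
}

// Browser-only wrappers; the returned credential's response fields go to the server for verification.
async function registerInBrowser(options) {
  if (typeof navigator === 'undefined' || !navigator.credentials) {
    throw new Error('WebAuthn requires a browser context');
  }
  return navigator.credentials.create({ publicKey: options });
}

async function loginInBrowser(options) {
  if (typeof navigator === 'undefined' || !navigator.credentials) {
    throw new Error('WebAuthn requires a browser context');
  }
  return navigator.credentials.get({ publicKey: options });
}

// Constructed usage values (hypothetical relying party).
const exampleRegistration = buildRegistrationOptions({
  rpId: 'example.com',
  rpName: 'Example Corp',
  userId: new Uint8Array([1, 2, 3, 4]),
  userName: 'alice@example.com',
  challenge: new Uint8Array(32), // placeholder; must come from the server in practice
  passkey: true,
});
```

The choices that matter for security are `rp.id` (what the credential is bound to), `userVerification: 'required'` (the authenticator must check the user, not just presence), and a fresh server-issued `challenge` on every call; CTAP is not visible at this layer because the browser or operating system speaks it to the security key on the app's behalf.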

What can be a FIDO2 authenticator?

A FIDO2 authenticator can be:

  • a hardware security key
  • a phone
  • a laptop with built-in secure hardware
  • a platform authenticator tied to the operating system
  • a passkey synced across trusted devices, depending on the platform

In real use, FIDO2 often looks like:

  • touching a USB or NFC security key
  • approving sign-in with fingerprint or face unlock
  • using a passkey stored on a phone or computer

Why FIDO2 is phishing-resistant

FIDO2 is considered phishing-resistant authentication because each credential is bound to the origin of the legitimate site or app it was registered with.

With passwords or SMS codes, an attacker can trick a user into entering credentials on a fake page, then replay those credentials against the real service. FIDO2 makes that much harder because the authenticator checks the real destination before responding.

That is why FIDO2 is strong against:

  • phishing pages
  • credential stuffing
  • password reuse
  • many account takeover attempts
  • some man-in-the-middle credential theft scenarios

It does not stop every possible threat, but it significantly reduces one of the most common ways attackers steal access.

For more on this topic, see /content/what-is-phishing-resistant-mfa.

FIDO2 vs passkeys vs security keys

These terms are related, but they are not identical.

FIDO2

FIDO2 is the overall authentication standard.

Passkeys

Passkeys are a user-friendly way to use FIDO-based credentials, often synced across trusted devices within a platform ecosystem. They make strong authentication easier for everyday users.

Security keys

Security keys are physical authenticators, often using USB, NFC, or Bluetooth, that store or protect the credential used for login.

So if someone says they use passkeys or a hardware key, they are often using FIDO2 underneath.

If you want a related primer, read /content/what-are-passkeys.

Where FIDO2 is used

FIDO2 can be used for:

  • workforce sign-in
  • privileged admin access
  • consumer website logins
  • VPN and remote access
  • cloud app authentication
  • passwordless login
  • stronger MFA flows

Organizations often roll it out first to high-risk users such as:

  • administrators
  • executives
  • developers
  • finance staff
  • help desk personnel
  • remote users

That approach makes sense because those users are common phishing targets.

Is FIDO2 passwordless?

It can be, but it does not have to be.

FIDO2 supports:

  • passwordless authentication
  • multi-factor authentication
  • step-up authentication

Some organizations use it to replace passwords entirely. Others use it as a stronger second factor while migrating away from older login methods.

Why organizations adopt FIDO2

Security teams often value FIDO2 because it can:

  • reduce phishing exposure
  • lower password reset volume
  • improve protection for remote access
  • strengthen security for privileged accounts
  • support zero trust identity strategies
  • reduce reliance on weak second factors like SMS

Users also tend to like it because it can be faster and less frustrating than typing passwords and one-time codes repeatedly.

What FIDO2 does not solve by itself

FIDO2 is strong, but it is not magic. You still need to protect:

  • account recovery workflows
  • device security
  • enrollment and provisioning
  • identity lifecycle management
  • privileged access policies

If account recovery is weak, or if an attacker compromises the endpoint itself, strong authentication alone may not be enough.

Common misconceptions

“FIDO2 is just another MFA app”

No. FIDO2 is not a code generator. It is a cryptographic authentication standard that uses device- or key-based credentials instead of shared secrets.

“FIDO2 and passkeys are completely different”

Not really. Passkeys are generally a user-friendly implementation of FIDO-based authentication. FIDO2 is the underlying standard.

“FIDO2 only works with hardware security keys”

No. Hardware keys are one option, but FIDO2 also works with platform authenticators built into phones, laptops, and tablets.

“If I use FIDO2, I cannot be attacked”

False. FIDO2 greatly improves resistance to phishing and credential theft, but you still need strong recovery, device protection, and access governance.

“FIDO2 is only for large enterprises”

No. FIDO2 is useful for enterprises, SMBs, and consumers. Any environment trying to reduce password risk can benefit from it.

Choosing a hardware key or password manager

If you are moving toward stronger authentication, a hardware security key can be useful for high-risk or admin accounts. Likewise, a password manager is still helpful in mixed environments where passwords have not been fully eliminated. 1Password may be useful for managing strong unique credentials while organizations transition toward passkeys and phishing-resistant login.

Final takeaway

What is FIDO2? It is a modern authentication standard that replaces reusable secrets with cryptographic credentials tied to the real site or app. That makes FIDO2 one of the most important building blocks for phishing-resistant authentication, whether you use passkeys, platform biometrics, or hardware security keys.

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-13
