Overview
FIDO2 is an open authentication standard developed by the FIDO Alliance and W3C that enables passwordless, phishing-resistant authentication through public key cryptography. The standard comprises two specifications: WebAuthn (the browser/platform API) and CTAP (Client to Authenticator Protocol, for external authenticators). Unlike passwords, FIDO2 credentials cannot be phished, replayed, or leaked in server breaches—the private key never leaves the authenticator, and credentials are origin-bound, preventing their use on malicious lookalike sites. FIDO2 is now supported by all major browsers, operating systems, and a growing ecosystem of applications and identity providers. Organizations implementing FIDO2 report dramatic reductions in account takeover incidents and help desk costs, while users appreciate the simpler authentication experience compared to passwords and traditional MFA.
Architecture & Reference Patterns
Pattern 1: Platform Authenticator with Device-Bound Keys
Users authenticate via built-in platform authenticators (Windows Hello, Touch ID, Face ID, Android biometrics). Private keys are stored in the device's secure element (TPM, Secure Enclave) and never leave the device. Best for organizations with managed devices where platform authenticator availability can be ensured. Provides seamless UX but requires per-device registration.
Pattern 2: Roaming Authenticator (Security Keys)
External hardware security keys (YubiKey, Google Titan, Feitian) provide portable FIDO2 authentication across devices. Users carry the key and can authenticate on any WebAuthn-capable browser. Essential for shared workstations, privileged users, and backup authentication. Higher security assurance but requires hardware provisioning and replacement logistics.
Pattern 3: Synced Passkeys via Platform Ecosystems
Modern passkey implementations sync FIDO2 credentials across devices within platform ecosystems (iCloud Keychain, Google Password Manager, Microsoft Authenticator). Users get passwordless authentication without per-device registration. Simplifies deployment but introduces platform provider as a trust dependency. See Passkeys topic for detailed guidance.
Pattern 4: FIDO2 as MFA Second Factor
FIDO2 serves as a phishing-resistant second factor alongside password authentication, replacing TOTP or SMS OTP. Provides immediate security improvement without full passwordless transition. Good starting point for organizations not ready for full passwordless, but doesn't eliminate password-related risks entirely.
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Authenticator type | Platform only, roaming only, both | Both—platform for daily use, roaming for privileged/backup | Single authenticator type creates single points of failure |
| Passkey sync policy | Allow sync, require device-bound, user choice | Allow sync for general users; require device-bound for privileged | Device-bound is more secure; sync is more usable |
| Attestation requirement | None, self-attestation, full attestation | Full attestation for regulated environments; none for consumer | Attestation verification adds complexity but enables policy |
| User verification mode | Required, preferred, discouraged | Required for high-security; preferred for balance | Discouraged skips biometric/PIN—rarely appropriate |
| Resident key requirement | Required, preferred, discouraged | Preferred—enables username-less login without mandating | Required creates storage limits on some authenticators |
| Recovery mechanism | Additional authenticators, recovery codes, admin reset | Multiple registered authenticators + admin reset | Single authenticator with no recovery = user lockouts |
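The relying-party side of several decisions above (user verification mode, device-bound versus synced keys, origin binding from the Overview) can be enforced by checking the WebAuthn assertion fields. The following is an added example, not code from the original page or from any IdP; the RP ID, origin and sample data are constructed, and signature verification over authenticatorData || SHA-256(clientDataJSON) is assumed to be done by the IdP's WebAuthn library alongside these checks.

```python
import base64
import hashlib
import json
import struct

# authenticatorData flag bits (WebAuthn): UP=user present, UV=user verified,
# BE=backup eligible, BS=backup state. BE/BS set means a synced (multi-device) passkey.
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS = 0x01, 0x04, 0x08, 0x10

RP_ID = "login.example.com"             # constructed RP ID for this example
ORIGIN = "https://login.example.com"    # constructed expected origin

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Fixed header: rpIdHash(32) || flags(1) || signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}

def check_assertion(client_data_json: bytes, auth_data: bytes, challenge: bytes,
                    stored_count: int, require_uv: bool, require_device_bound: bool) -> list:
    """Return policy violations; an empty list means the assertion passes policy."""
    problems = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    if cd.get("origin") != ORIGIN:            # origin binding defeats lookalike sites
        problems.append("origin mismatch")
    if b64url_decode(cd.get("challenge", "")) != challenge:
        problems.append("challenge mismatch")  # stale or replayed response
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")
    if not ad["flags"] & FLAG_UP:
        problems.append("user presence not asserted")
    if require_uv and not ad["flags"] & FLAG_UV:
        problems.append("user verification required but not performed")
    if require_device_bound and ad["flags"] & FLAG_BE:
        problems.append("synced passkey used where a device-bound key is required")
    if ad["sign_count"] != 0 and ad["sign_count"] <= stored_count:
        problems.append("signature counter did not increase")  # possible cloned key
    return problems

def constructed_sample(flags: int = FLAG_UP | FLAG_UV, origin: str = ORIGIN, count: int = 7):
    """Build a constructed (not captured) clientDataJSON/authenticatorData pair."""
    challenge = b"constructed-32-byte-challenge!!!"
    cd = {"type": "webauthn.get", "origin": origin,
          "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()}
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", count)
    return json.dumps(cd).encode(), auth_data, challenge
```

Privileged accounts would call `check_assertion` with `require_uv=True, require_device_bound=True`; general users with `require_device_bound=False`, matching the sync policy row above.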
Implementation Approach
Phase 0: Discovery
Inputs: Current authentication methods, device landscape, user population, security requirements, application compatibility
Outputs: FIDO2 capability assessment (browsers, platforms, IdP support), device inventory with platform authenticator availability, application WebAuthn support assessment, security key deployment feasibility, user readiness assessment
Phase 1: Design
Inputs: Discovery outputs, security requirements, user experience requirements
Outputs: FIDO2 architecture document, authenticator policy (type, attestation, user verification), registration and recovery flow design, security key procurement and distribution plan, phased rollout strategy
Phase 2: Build & Integrate
Inputs: Design documents, IdP WebAuthn configuration, security keys (if applicable), test applications
Outputs: IdP configured for FIDO2, registration flows tested across platforms, recovery procedures validated, security key inventory and distribution process operational, monitoring configured
Phase 3: Rollout
Inputs: Tested configuration, pilot group, communication plan, help desk training
Outputs: Pilot completed with feedback incorporated, broader rollout with adoption incentives, help desk equipped for FIDO2 support, security keys distributed (if applicable), adoption metrics tracked
Phase 4: Operate
Inputs: Production FIDO2 environment, monitoring dashboards, operational procedures
Outputs: Adoption metrics maintained, authenticator lifecycle managed (lost/replaced), security key inventory maintained, continuous improvement based on user feedback, eventual password deprecation planning
Deliverables
- FIDO2 architecture and policy document
- Authenticator selection guidance for users
- Registration flow documentation with screenshots per platform
- Recovery procedure documentation
- Security key provisioning and distribution procedures (if applicable)
- Help desk runbook for FIDO2 issues
- User communication and training materials
- Adoption tracking dashboard
Risks & Failure Modes
| Risk | Likelihood | Impact | Early Signals | Mitigation |
|---|---|---|---|---|
| Lost authenticator with no backup causes lockout | M | H | Users reporting lockouts, help desk escalations | Require multiple authenticators, clear recovery procedures |
| Platform authenticator unavailable on user devices | M | M | Registration failures, low adoption in segments | Offer roaming authenticator alternative, check device compatibility |
| Attestation requirements block legitimate authenticators | L | M | Registration failures for specific devices | Carefully scope attestation requirements, test broadly |
| Passkey sync provider compromise | L | H | Provider security incident | Device-bound keys for privileged, monitor provider security |
| WebAuthn implementation bugs cause failures | M | M | Browser/platform specific failures, error reports | Test across all supported platforms, monitor for issues |
| User confusion during registration | H | M | Failed registrations, support tickets | Clear UX design, user education, help desk training |
KPIs / Outcomes
- FIDO2 enrollment rate: Target 90%+ of eligible users
- Phishing-resistant authentication coverage: Percentage of authentications using FIDO2
- Account takeover incidents: Should approach zero for FIDO2-protected accounts
- Authentication success rate: Target over 99% for enrolled users
- Help desk tickets for authentication: Should decrease compared to password + MFA
- User satisfaction: Survey scores should show improved authentication experience
