Identity term · last reviewed 2026-07-07
FIDO2
Also known as: FIDO2 / WebAuthn
FIDO2 is the FIDO Alliance's open-standard set for phishing-resistant, passwordless authentication with public-key cryptography, comprising the WebAuthn browser API and the CTAP authenticator protocol.
How it works
FIDO2 is the umbrella set of open standards from the FIDO Alliance that enables phishing-resistant, passwordless authentication with public-key cryptography. It has two halves: WebAuthn, the browser and JavaScript API standardized by the W3C, and CTAP (Client to Authenticator Protocol), which lets a browser talk to an external authenticator such as a security key. In a FIDO2 credential, the private key never leaves the authenticator hardware, and every authentication signs a server-issued challenge bound to the real origin, so there is no shared secret to steal and no lookalike site can replay it.
When it matters
FIDO2 matters when you want authentication that phishing simply cannot defeat, which OTP-based MFA cannot promise. It underpins both hardware security keys (YubiKey and peers) and passkeys, the consumer-friendly synced credentials. If you are implementing passwordless login, FIDO2 is the standard you are building on, usually by calling WebAuthn. See Implement Passkeys / WebAuthn and fidoalliance.org.
Common misconceptions
- "FIDO2, WebAuthn, and passkeys are competitors." They are layers of one system: FIDO2 is the umbrella, WebAuthn is the API, a passkey is a discoverable FIDO2 credential.
- "FIDO2 needs a hardware key." Platform authenticators (Touch ID, Windows Hello) are FIDO2 too; no separate dongle required.
- "It is only for high-security enterprises." Passkeys bring FIDO2 to mainstream consumer login.
Explained in depth