What is FIDO2 and Web Authentication?

FIDO2 and WebAuthn mark an evolution of the FIDO U2F open authentication standard. They now enable strong passwordless authentication built on public key cryptography using hardware devices like security keys, mobile phones, and other built-in devices.

FIDO2 is an open authentication standard that consists of the W3C Web Authentication API (WebAuthn), and the FIDO2 Client to Authentication Protocol (CTAP). CTAP is an application layer protocol used for communication between a client (browser) or a platform (operating system) and an external authenticator (YubiKey 5). Yubico, Microsoft and Google are the core contributors to the W3C WebAuthn and FIDO2 CTAP2 specifications.

Like U2F, the FIDO2 standard offers the same high level of security, as it is based on public key cryptography and is intended to solve additional user scenarios including first factor (passwordless) and multi-factor authentication. With these new capabilities, the hardware security key can entirely replace weak static username/password credentials with strong hardware-backed public/private-key credentials. These credentials can not be reused, replayed or shared across services, and are not subject to phishing and MiTM attacks or server breaches.

FIDO2/WebAuthn Advantages

Strong security

Replaces weak passwords with strong hardware-based authentication using public key crypto to protect against phishing, session hijacking, man-in-the-middle, and malware attacks.

Privacy Protection

A FIDO2 authenticator generates a new pair of keys for every service, and the service stores only the public key. With this approach, no secrets are shared between service providers.

Multiple choices

Open standards provide flexibility and product choice. Designed for existing phones and computers, for many authentication modalities, and with different communication methods (USB and NFC).

Cost-efficient

Hardware authenticators are affordable and available for purchase online. Yubico offers free and open source server software for back-end integration.

Layered approach

For organizations requiring a higher level of authentication security, FIDO2 supports use of a hardware authentication device with a PIN, biometric or gesture for additional protection.

How it works

The following diagrams show the basic FIDO2/WebAuthn user flows:

Registration sequence diagram

index__1.png

Authentication sequence diagram

index__2.png

Implementing

The Yubico Developer Program provides resources to enable rapid implementation of strong authentication. Resources include workshops, documentation, implementation guides, APIs, and SDKs. Sign up to receive updates for our early access to the resources for implementing the FIDO2 and Web Authentication specifications.

Sign up now for the Yubico Developer Program.

Attestation certificates

All Yubico FIDO devices use attestation certificates signed by the following root CA: Yubico FIDO CA.

Note
If you have a YubiKey Preview device, the attestation certificate will instead be signed by our Preview CA: Yubico FIDO Preview CA.