
What is FIDO2?

FIDO2 is the open authentication standard, jointly developed by the FIDO Alliance and the W3C, that lets users log in with a security key or a built-in biometric on their phone or laptop — using public-key cryptography in a way that is fundamentally immune to phishing.

What FIDO actually stands for

FIDO is short for "Fast IDentity Online." The FIDO Alliance was founded in 2013 by PayPal, Lenovo, Nok Nok Labs, and others, with the explicit goal of replacing passwords with something the industry could agree on. FIDO U2F (Universal Second Factor) shipped first, in 2014 — that was the spec behind early YubiKeys. FIDO2 followed in 2018 and is the current generation, encompassing both the browser side (WebAuthn, a W3C standard) and the device side (CTAP2, the Client to Authenticator Protocol).

Why public-key cryptography matters here

Passwords are shared secrets. The user knows the password and the server knows a hash of the password, and any time both ends agree on the secret, login succeeds. The catastrophic property of shared secrets is that anyone else who learns the secret can also log in — which is why credential stuffing, phishing kits, and database leaks are so devastating. FIDO2 uses public-key cryptography instead. The user's device holds a private key it never shares. The server holds the matching public key. Login is a challenge-response: the server sends a random challenge, the device signs it, the server verifies the signature against the stored public key. There is no shared secret to steal.

The phishing-resistance property

The reason FIDO2 cannot be phished is structural, not behavioral. When a credential is created, it is scoped to the relying party's domain (the RP ID) of the site that registered it. When the user later authenticates, the browser tells the authenticator which site is making the request, and the authenticator will only use a credential that was registered for that domain; the browser also records the requesting origin in the client data that the authenticator signs, and the server checks that origin before accepting the login. A phishing site at "g00gle.com" cannot produce a valid login at "google.com" because the user's key will not sign for the wrong origin — no matter how convincing the phishing page looks, no matter what the user clicks. The cryptographic protocol does what training and user vigilance cannot.

Hardware keys vs platform authenticators

FIDO2 supports two kinds of authenticators. Roaming authenticators are external — a YubiKey, a Titan key, a NitroKey, plugged in over USB or tapped over NFC — and travel with the user across devices. Platform authenticators are built in — Touch ID on a Mac, Face ID on an iPhone, Windows Hello, Android biometrics — and live in the device's secure enclave. Platform authenticators are what made FIDO2 mainstream: most users have one already, on a device they always carry. Hardware keys remain the gold standard for high-assurance environments (admin accounts, finance, government) where the additional physical-factor guarantee matters.

At QUANT LAB

Adding WebAuthn-based passkey support to a modern application is days of work, not weeks, and the security improvement over passwords is dramatic. We implement FIDO2 on our SaaS platforms with libraries like SimpleWebAuthn on the Node side, paired with a fallback that supports both passwordless and password-plus-passkey flows during the transition.

For clients in fintech, healthcare, and any environment where account takeover is a board-level risk, we recommend mandatory hardware keys for administrative accounts and passkey support for everyone else. Our pen testers see the cost of password-only auth every week — phishing remains the number-one initial-access vector in 2026. Book a call if you are scoping a passkey rollout.

Rolling out phishing-resistant auth?

We add WebAuthn and passkey flows to existing apps — and we stress-test the implementation like an adversary would.
