FIDO2 and passkeys

FIDO2 is an authentication technology that is defined by two standards, Web Authentication (WebAuthn) and Client-to-Authenticator Protocol (CTAP). The main values of FIDO2 are security, convenience, privacy, and scalability.

Authentication with FIDO2

FIDO2 overview

We implemented the FIDO2 technology in Authentication Cloud, so your users can log in securely with the built-in functions of their devices.

To use FIDO2, the device and the browser must support both the WebAuthn and the CTAP standards. The device can be a phone or a laptop with biometric options, or a physical security key. For more information, see Browsers and authenticators.

We recommend FIDO2 if the following are true for your business:

  • You do not want your users to install yet another app.
  • You require small transactions only, such as a login.
  • You prefer a solution based on open and secure standards, with wide support in the industry.
  • You do not want to invest in major technical development.

With FIDO2, you do not need an Access App or additional setup on the user side. The device is registered through the browser, and Authentication Cloud directly triggers the device for authentication. The FIDO2-capable devices and their platforms provide the authentication infrastructure that you rely on.

Once registered, the devices are ready for simple login authentications using the biometric sensors on the device, as first or second factor, without a password.

For FIDO2 limitations, see the FIDO2 (WebAuthN / CTAP2) chapter in our blog post.

To learn more about FIDO2, visit the FIDO Alliance website.

Passkeys

Passkeys are passwordless FIDO credentials that provide a faster and more secure login experience than conventional authentication methods. These credentials are stored within secure areas and are discoverable by browsers and native mobile applications.

Passkeys have the following benefits:

  • More convenient user experience: passkeys replace passwords, and with autofill UI, no username is required either. Instead, users can authenticate themselves with the built-in functions of their device, such as fingerprint sensor, facial recognition, or PIN. Passkeys are automatically synchronized with end-to-end encryption between user devices through a cloud service, making them available for all user devices.
  • More secure authentication: passkeys are resistant to phishing, and because the credentials are stored on the user device and not on the server, a server data breach poses a lesser risk.
  • More cost-effective technology: passkeys act as multifactor authenticators in a single step. This means that you can reduce the cost of implementing second-factor authentication solutions, such as SMS OTPs.

For more information, see the Passkeys page of the FIDO Alliance website.

Autofill UI

Autofill UI is an optional FIDO2 feature for passkeys that can provide a smoother user experience. If this feature is implemented, users can authenticate transactions without providing their username; instead, the UI lists the passkeys available on the device for the relying party. You can enable the autofill UI feature at the device registration step. For the prerequisites and supported browsers, see FIDO2 integration prerequisites and FIDO2 support matrix.
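The browser side of the autofill UI mechanism described above, as an added example that is not code from Authentication Cloud or its SDK: the passkey is created as a discoverable credential at registration, and at login the client asks for it with conditional mediation and no username. The `/fido2/...` endpoint paths and the JSON shape of the server's options (challenge and IDs as base64url strings) are assumptions.

```javascript
// Added example, not Authentication Cloud code. Endpoint paths and the JSON
// shape of the server's options/response (base64url strings) are assumptions.
// base64url (how challenges and IDs travel in JSON) -> ArrayBuffer
function base64urlToBuffer(b64url) {
  const b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
  const pad = "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(b64 + pad), (c) => c.charCodeAt(0)).buffer;
}
// ArrayBuffer -> base64url, for sending the assertion back to the server
function bufferToBase64url(buf) {
  const bin = String.fromCharCode(...new Uint8Array(buf));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
// Registration: the passkey must be discoverable (resident) so the browser
// can list it later without being told the username.
function registrationOptions(serverOpts) {
  return {
    ...serverOpts,
    challenge: base64urlToBuffer(serverOpts.challenge),
    user: { ...serverOpts.user, id: base64urlToBuffer(serverOpts.user.id) },
    excludeCredentials: (serverOpts.excludeCredentials || []).map((c) => ({
      ...c, id: base64urlToBuffer(c.id) })),
    authenticatorSelection: { ...serverOpts.authenticatorSelection,
      residentKey: "required", userVerification: "required" },
  };
}
// Authentication: no allowCredentials (username unknown) plus conditional
// mediation, so the browser offers stored passkeys in the username field.
function authenticationOptions(serverOpts) {
  return {
    publicKey: { challenge: base64urlToBuffer(serverOpts.challenge),
      rpId: serverOpts.rpId, userVerification: "required" },
    mediation: "conditional",
  };
}
// Browser-only flow; the username <input> needs autocomplete="username webauthn".
async function loginWithAutofill() {
  if (!(await PublicKeyCredential.isConditionalMediationAvailable())) return null;
  const opts = await (await fetch("/fido2/authenticate/options")).json();
  const cred = await navigator.credentials.get(authenticationOptions(opts));
  const r = cred.response;
  const body = JSON.stringify({ id: cred.id, rawId: bufferToBase64url(cred.rawId),
    clientDataJSON: bufferToBase64url(r.clientDataJSON),
    authenticatorData: bufferToBase64url(r.authenticatorData),
    signature: bufferToBase64url(r.signature),
    userHandle: r.userHandle ? bufferToBase64url(r.userHandle) : null });
  return fetch("/fido2/authenticate/verify", { method: "POST",
    headers: { "Content-Type": "application/json" }, body });
}
```

The server must still verify the returned assertion (challenge, origin, rpId hash and signature) before treating the user as logged in; `loginWithAutofill` only transports it.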

Registration and authentication flows

We created the following pages to guide you. If this is your first time here, we recommend you go in order.

  1. FIDO2 architecture overview
  2. Integration prerequisites
  3. Browsers and authenticators
  4. Register a FIDO2 authenticator
  5. Authenticate with a FIDO2 authenticator