FIDO2 and passkeys
FIDO2 is an authentication technology that is defined by two standards, Web Authentication (WebAuthn) and Client-to-Authenticator Protocol (CTAP). The main values of FIDO2 are security, convenience, privacy, and scalability.
FIDO2 overview
We implemented the FIDO2 technology in Authentication Cloud, so your users can log in securely with the built-in functions of their devices.
To use FIDO2, the device and the browser or native app must support both the WebAuthn and the CTAP standards. The device can be a phone or a laptop with biometric options, or a physical security key. For more information, see Browsers and authenticators.
We recommend FIDO2 if the following are true for your business:
- You do not want your users to install yet another app.
- You prefer a solution based on open and secure standards, with wide support in the industry.
- You do not want to invest in major technical development.
With FIDO2, you do not need an Access App or additional setup on the user side. The device is registered through the browser or native app, and Authentication Cloud directly triggers the device for authentication. In response, the FIDO2-capable devices and their platforms provide the authentication infrastructure that you rely on.
Once registered, the devices are ready for simple login authentications using the biometric sensors on the device, as first or second factor, without a password.
For FIDO2 limitations, see the FIDO2 (WebAuthN / CTAP2) chapter in our blog post.
To learn more about FIDO2, visit the FIDO Alliance website.
Passkeys
Passkeys are passwordless FIDO credentials that provide a faster and more secure login experience than conventional authentication methods. These credentials are stored within secure areas and are discoverable by browsers and native mobile applications.
Passkeys have the following benefits:
- More convenient user experience: passkeys replace passwords, and with autofill UI, no username is required either. Instead, users can authenticate themselves with the built-in functions of their device, such as fingerprint sensor, facial recognition, or PIN. Passkeys are automatically synchronized with end-to-end encryption between user devices through a cloud service, making them available for all user devices.
- More secure authentication: passkeys are resistant to phishing, and because the credentials are stored on the user device and not on the server, a server data breach poses a lesser risk.
- More cost-effective technology: passkeys act as multifactor authenticators in a single step. This means that you can reduce the cost of implementing second-factor authentication solutions, such as SMS OTPs.
For more information, see the Passkeys page of the FIDO Alliance website.
Autofill UI
Autofill UI is an optional FIDO2 feature for passkeys that can provide a smoother user experience. If this feature is implemented, users can authenticate transactions without providing their username, instead, the UI prompts the available passkeys for the relying party on the device. You can enable the autofill UI feature at the device registration step. For the prerequisites and supported browsers, see FIDO2 integration prerequisites and FIDO2 support matrix.
Related origin requests
Passkeys are normally tied to a specific website, which means that a single passkey cannot be used across related websites. The Related Origin Requests (ROR) feature solves this problem by allowing websites to specify origins that are allowed to use their relying party ID. This means, that if you host your web application on multiple branded or country-specific domains, you can allow your users to reuse the same passkey when moving between specified domains. For more information about configuring Related Origin Requests for your web application, see passkeys.dev.
Registration and authentication flows
We created the following pages to guide you. If this is your first time here, we recommend you go in order.