CONCEPT Cited by 1 source

FIDO2 / WebAuthn

Definition

FIDO2 is an umbrella standard family from the FIDO Alliance for phishing-resistant public-key authentication. Its two normative components are:

  • WebAuthn — W3C browser API for relying parties to register and authenticate users against an authenticator. Defines the JavaScript API, the signed assertion format, and — critically — the requirement that assertions bind to the origin of the calling web page.
  • CTAP2 (Client-to-Authenticator Protocol) — the transport protocol between the browser/platform and an external authenticator (security key over USB/NFC/BLE), or a platform authenticator (TPM / Secure Enclave / TEE).

Together they define a public-key-only authentication model:

  • No shared secret on the server. The relying party stores public keys. A server breach leaks no credentials.
  • Private key never leaves the authenticator. It's sealed in hardware on security keys or in the platform's secure element on phones/laptops.
  • Assertions are origin-bound. See concepts/origin-bound-credential — the single load-bearing property that defeats reverse-proxy phishing.

Passkeys are FIDO2

Passkeys are the user-facing re-branding of FIDO2 credentials that can be synchronised across a user's devices (via iCloud Keychain, Google Password Manager, 1Password, etc.) and recovered if the device is lost. They are the consumer/B2B-friendly wrapper around the same cryptographic primitive. See concepts/passkey-authentication for the product-side treatment.

Why it matters on this wiki

FIDO2/WebAuthn is the production realisation of phishing-resistant authentication on the web. Every time the wiki references phishing-resistant MFA, FIDO2 is the implementation assumption:

"What you're supposed to do instead is use phishing-resistant authentication. This is almost the whole backstory for U2F, FIDO2 and Passkeys." (Source: sources/2025-10-08-flyio-kurt-got-got)

U2F is the first-generation FIDO protocol (pre-FIDO2, security-key-only, no user-handle-side credential storage). FIDO2 is the superset that added resident-key support (keys that don't need a username typed first) and platform-authenticator support (phones/laptops as the authenticator).
