FIDO2 and WebAuthn
Technical overview of FIDO2/WebAuthn authentication covering key generation, origin binding, passkeys, attestation, and phishing resistance.
Continue your mission
Technical overview of FIDO2/WebAuthn authentication covering key generation, origin binding, passkeys, attestation, and phishing resistance.
# FIDO2 and WebAuthn
FIDO2 is an open authentication standard that eliminates passwords through cryptographic credentials bound to specific websites and applications. Developed by the FIDO Alliance in collaboration with the World Wide Web Consortium (W3C), FIDO2 consists of two complementary specifications: WebAuthn, which defines how web browsers and applications interact with authenticators, and CTAP2 (Client to Authenticator Protocol), which governs communication between client devices and external hardware authenticators.
FIDO2 exists because password-based authentication has three fundamental weaknesses that cannot be solved through incremental improvements. Passwords can be phished through social engineering or fake websites, replayed through credential stuffing attacks, and stolen from server databases during breaches. These vulnerabilities persist regardless of password complexity requirements, rotation policies, or multi-factor authentication overlays.
The standard addresses these weaknesses through origin binding, a security property that ties cryptographic credentials to the exact domain where they were created. A credential registered for login.example.com will only activate for that precise origin, making it useless to attackers operating phishing sites or compromised third-party services. This represents a fundamental shift from shared secrets (passwords) to cryptographic proof of possession, where authentication relies on demonstrating control of a private key rather than knowledge of a static value.
FIDO2 fits within the broader evolution toward zero trust architectures by making user authentication independent of network location, device trust, or perimeter controls. Organizations can enforce strong authentication for any user, from any device, accessing any application, without requiring specialized networking infrastructure or complex policy engines.
FIDO2 authentication operates through a registration and authentication cycle built on public key cryptography and challenge-response protocols. Understanding the technical mechanics requires examining both the initial setup process and the ongoing authentication flow.
During registration, the user navigates to a website or application that supports WebAuthn. The relying party (the website) generates a registration challenge containing a randomly generated string, the relying party identifier (typically the domain name), and user information such as username and display name. The browser passes this challenge to the authenticator through the WebAuthn API.
The authenticator, which can be a hardware security key, platform authenticator (like Windows Hello or Touch ID), or software-based passkey, generates a new public-private key pair specifically for this relying party. The private key is stored securely within the authenticator and never leaves the device. The public key, along with an attestation statement and other metadata, is returned to the relying party through the browser.
The relying party validates the registration response, stores the public key associated with the user account, and may optionally verify the attestation statement to confirm the authenticator model and capabilities. At this point, the user can authenticate to this service using their FIDO2 credential.
Authentication follows a similar challenge-response pattern. When the user attempts to log in, the relying party generates an authentication challenge containing a random string and sends it to the browser. The browser presents this challenge to the authenticator, which signs it using the private key previously generated for this relying party. The signed response is returned to the relying party, which verifies the signature using the stored public key.
User verification, the process of confirming the user's identity to the authenticator, varies by authenticator type. Hardware security keys typically require a physical touch or button press, though high-end models may include fingerprint sensors. Platform authenticators use device-native biometric systems like fingerprint readers, face recognition, or iris scanners. Software authenticators may prompt for device unlock credentials or biometric verification.
CTAP2 enables roaming authenticators that connect to client devices through USB, NFC, or Bluetooth Low Energy. A user can register a USB security key on their work laptop and subsequently use it to authenticate from any device that supports CTAP2, including mobile phones, tablets, or public computers. The security key performs all cryptographic operations internally, protecting the private key even on potentially compromised host devices.
Platform authenticators integrate with the device's secure hardware, such as Trusted Platform Modules (TPM) on Windows computers or Secure Enclave on Apple devices. These authenticators provide seamless user experiences since they are always available and use familiar biometric or PIN-based verification methods.
Passkeys represent a newer implementation approach where credentials can synchronize across devices through encrypted cloud storage. Apple's implementation synchronizes passkeys through iCloud Keychain across all devices signed into the same Apple ID. Google's approach uses the Android cloud backup system and Chrome sync. While this improves usability by eliminating the need to re-register authenticators on new devices, it trades the security property of non-exportable credentials for operational convenience.
Attestation provides cryptographic proof of the authenticator's make, model, and capabilities. During registration, the authenticator can include an attestation statement signed by the manufacturer's certificate. Relying parties can verify this statement to confirm they are communicating with a specific hardware model, enabling policies that require particular security characteristics. High-assurance environments may mandate FIPS 140-2 Level 2 certified hardware authenticators or specific vendor models with known security properties.
Cross-device authentication extends FIDO2 to scenarios where the authenticator and the device accessing the service are different. A user attempting to log in on a computer without FIDO2 capabilities can complete authentication using their smartphone as the authenticator, connected through QR code scanning or proximity-based protocols.
FIDO2 deployment fundamentally changes an organization's security posture by eliminating entire categories of attacks that traditional authentication methods cannot prevent. Organizations implementing FIDO2 see credential-based attacks drop to near zero for protected accounts because the underlying attack vectors no longer exist.
Phishing attacks, which account for over 80% of data breaches according to the Verizon Data Breach Investigations Report, become ineffective against FIDO2-protected accounts. Traditional phishing operates by tricking users into entering credentials on fake websites that visually mimic legitimate services. FIDO2 credentials are cryptographically bound to the origin domain and will not activate on phishing sites, regardless of how convincing the visual deception. The browser enforces this origin binding at the protocol level, making it impossible for users to accidentally authenticate to malicious sites.
Credential stuffing attacks, where attackers use previously breached passwords to access accounts across multiple services, become impossible when passwords are replaced with cryptographic credentials. Each FIDO2 credential is unique to its relying party and cannot be used elsewhere, even if the credential data is somehow exposed.
Server-side credential theft during database breaches becomes a non-issue because relying parties store only public keys, not authentication secrets. An attacker who compromises a server database and steals all stored FIDO2 public keys cannot use them to impersonate users, since authentication requires possession of the corresponding private keys that never leave the user's authenticator.
The business impact extends beyond direct security improvements. Organizations report significant reductions in password-related support costs, including account lockouts, password resets, and help desk tickets. Users cannot forget FIDO2 credentials the way they forget passwords, and the credentials do not expire or require rotation.
Compliance frameworks increasingly recognize FIDO2 as meeting multi-factor authentication requirements with a single gesture. Rather than requiring separate something-you-know (password) and something-you-have (SMS or app) factors, FIDO2 provides cryptographic proof of possession combined with user verification in a single authentication step.
However, organizations often misunderstand FIDO2 implementation requirements. The most common misconception is that FIDO2 requires expensive hardware rollouts. While dedicated security keys provide the highest security assurance, most modern devices already contain platform authenticators capable of supporting FIDO2. iPhones manufactured after 2018, Android devices running version 7.0 or later, and Windows computers with TPM 2.0 can function as FIDO2 authenticators without additional hardware.
Another misconception involves account recovery procedures. Organizations fear that lost or damaged authenticators will lock users out of their accounts permanently. Properly designed FIDO2 deployments include multiple recovery mechanisms, such as backup authenticators, administrator override procedures, and temporary credential issuance workflows.
The failure consequences of not implementing strong authentication continue to escalate. The average cost of a data breach involving compromised credentials exceeds $4 million according to IBM's Cost of a Data Breach Report, not including regulatory fines, legal fees, and long-term reputational damage. Organizations in regulated industries face additional compliance violations when breaches result from preventable authentication weaknesses.
CDA positions FIDO2 as the foundational technology for the IAT (Identity, Authentication, and Trust) domain within our Precision Defense Model. Our approach differs from conventional thinking by treating FIDO2 not as an additional security layer, but as a complete replacement for password-based authentication systems.
The Zero Possession Architecture methodology applies directly to FIDO2 implementation: trust nothing about the claimed identity until cryptographic proof is provided, possess nothing (no shared secrets or cached credentials), and verify everything through challenge-response protocols that prove current possession of private keys. This eliminates the trust assumptions inherent in password-based systems, where the server must trust that knowledge of a password indicates authorized access.
Our NAC (Nexus Access Card) system demonstrates this approach by using WebAuthn for hardware-bound identity verification combined with continuous authentication signals. Rather than treating authentication as a point-in-time event, NAC integrates FIDO2 with device posture assessment, location verification, and behavioral analytics to maintain dynamic trust levels throughout user sessions.
CDA's deployment methodology addresses the operational challenges that cause most FIDO2 implementations to stall in pilot phases. Our missions guide organizations through a four-phase approach: assessment of existing authentication infrastructure and user workflows, pilot deployment with high-value user groups, incremental expansion with fallback procedures, and full production rollout with legacy system decommissioning.
The assessment phase identifies applications, services, and user workflows that can immediately benefit from FIDO2 protection. Many organizations attempt to implement FIDO2 everywhere simultaneously and encounter resistance from legacy applications or specialized software that cannot easily integrate WebAuthn. Our approach prioritizes high-risk, high-value authentication scenarios such as administrative access, financial systems, and privileged user accounts.
Pilot deployment focuses on user groups with both high security requirements and technical sophistication, typically security teams, IT administrators, and executive users. This provides operational experience with FIDO2 workflows while building internal advocacy for broader deployment.
The expansion phase addresses the primary operational concern: account recovery when authenticators are lost, damaged, or unavailable. CDA advocates for multiple recovery mechanisms including backup authenticators, administrator-mediated temporary access, and emergency procedures that maintain security while ensuring business continuity.
Our perspective emphasizes that FIDO2 security properties depend on proper implementation choices. Organizations must decide whether to allow platform authenticators (which provide better user experience) or require dedicated hardware authenticators (which provide stronger security guarantees). They must determine attestation requirements, backup and recovery procedures, and integration approaches with existing identity management systems.
CDA differs from conventional thinking by rejecting hybrid approaches that maintain passwords alongside FIDO2. Many organizations implement FIDO2 as an additional factor while keeping passwords as the primary credential. This preserves all the security weaknesses that FIDO2 is designed to eliminate. Our approach treats FIDO2 as a complete replacement, using time-limited access codes or administrator intervention for recovery scenarios rather than password fallbacks.
• FIDO2 eliminates phishing through origin binding, making credentials unusable on any domain other than where they were registered, regardless of how convincing fake websites appear to users.
• Proper FIDO2 deployment requires planning for authenticator backup and account recovery scenarios, but should not rely on password fallbacks that reintroduce the security weaknesses FIDO2 is designed to eliminate.
• Most modern devices already contain platform authenticators capable of supporting FIDO2, making implementation possible without dedicated hardware purchases, though hardware security keys provide stronger security guarantees.
• Organizations see credential-based attacks drop to near zero for FIDO2-protected accounts because the fundamental attack vectors (phishing, credential stuffing, and server-side theft) no longer apply.
• Multi-Factor Authentication Implementation • Hardware Security Keys and TPM Integration • Zero Trust Architecture Deployment • Identity and Access Management Frameworks • Privileged Access Management
• NIST Special Publication 800-63B: Authentication and Lifecycle Management (2017) • FIDO Alliance: FIDO2 Specifications Overview and Implementation Guide (2023) • W3C Web Authentication (WebAuthn) Level 2 Specification (2021) • NIST Cybersecurity Framework 2.0: Authentication and Identity Verification (2024) • CISA: Implementing Phishing-Resistant Multi-Factor Authentication (2022)
CDA Theater missions that address topics covered in this article.
Cryptographic technique that encrypts data while preserving its original format and length, enabling protection without breaking legacy system compatibility.
Guide to HTTP/2 security covering binary framing, HPACK compression attacks, rapid reset vulnerability, stream multiplexing risks, and mitigation strategies.
Explanation of Certificate Transparency framework, covering log servers, Signed Certificate Timestamps, monitoring capabilities, and detection of fraudulent certificates.
Written by CDA Editorial
Found an issue? Help improve this article.