FIDO/WebAuthn - Passwordless Authentication Standards

About 2 min read

FIDO (Fast IDentity Online) and WebAuthn are international standards for achieving authentication that does not rely on passwords. By combining the technical specifications developed by the FIDO Alliance with the WebAuthn API recommended as a web standard by the W3C, authentication based on public-key cryptography can be used from browsers and applications. With structural resistance to phishing and as a technology that solves the fundamental problem of password leakage, adoption is advancing across the entire industry.

The Founding of the FIDO Alliance and the Evolution of the Standards

In 2012, the FIDO Alliance was founded, led primarily by PayPal and Lenovo. At the time, password reuse and large-scale data breaches were occurring one after another, and the limitations of password authentication had become clear. The Alliance first published two standards in 2014. UAF (Universal Authentication Framework) enabled passwordless login via biometric authentication, while U2F (Universal 2nd Factor) enabled two-factor authentication using USB security keys.

A major turning point arrived in 2018. As the FIDO2 project, the W3C's WebAuthn API and the FIDO Alliance's CTAP (Client to Authenticator Protocol) were standardized. WebAuthn is the API specification on the browser side, while CTAP is the communication protocol with the authenticator (security keys and biometric devices). By combining these two, it became possible to use hardware authenticators directly from a web browser. And since 2022, the mechanism of cloud-syncing FIDO2 credentials as passkeys has spread, making it a technology within reach of ordinary users as well.

The Authentication Flow Based on Public-Key Cryptography

FIDO/WebAuthn authentication operates on a challenge-response scheme. In conventional password authentication, a "secret string" is sent to the server, but with FIDO the private key never leaves the device.

The decisive advantage of this scheme is that only the user's public key is stored on the server side. Even if the server is compromised, deriving the private key from the public key is computationally infeasible, so a data breach does not directly lead to the misuse of credentials.

How Phishing Resistance Works - Origin Verification

The biggest reason FIDO/WebAuthn is resistant to phishing is that origin (domain) verification is performed automatically at the time of authentication. The authenticator cryptographically includes the domain that issued the authentication request in the signature. Even if an attacker prompts the user for authentication on a fake site (e.g., examp1e.com), the credentials for the legitimate site (example.com) cannot be used on the fake site's origin. Even if the user is deceived into accessing the fake site, the fraud is detected at the authenticator level, so a phishing attack is structurally impossible. This is also an important advantage when considering the challenges of migrating to passkeys.

The Relationship with Passkeys

A passkey is one implementation form of FIDO2/WebAuthn. Technically it is the same public-key-cryptography-based authentication, but a passkey differs from conventional FIDO2 in that credentials can be synced to multiple devices via the cloud. Because conventional FIDO2 security keys are tied to a physical device, recovery upon loss was a challenge. Passkeys solve this problem and achieve seamless device-to-device syncing through iCloud Keychain and Google Password Manager. Combined with biometric authentication, the user experience has also improved dramatically.

Support Status and Practical Considerations

As of 2025, all major browsers - Chrome, Safari, Firefox, and Edge - support the WebAuthn API. At the OS level, Windows Hello, Touch ID / Face ID on macOS / iOS, and Android biometric authentication function as FIDO2 authenticators. In enterprise deployments, an increasing number of cases adopt hardware security keys such as YubiKey as a means of multi-factor authentication.FIDO2 security key guides on Amazon are also helpful references for implementation.

As a practical consideration, deploying WebAuthn also requires server-side support. You need to implement logic for generating challenges, storing public keys, and verifying signatures, and the use of libraries (such as SimpleWebAuthn and py_webauthn) is recommended. In addition, having a basic knowledge of encryption, especially understanding how public-key cryptography works, is helpful when troubleshooting. Grasping the risks of biometric authentication and the basics of two-factor authentication as well will give you a complete picture of authentication design.