FIDO2

Standard

An authentication standard using public-key cryptography for passwordless login, implemented in smart card form factors.

Aliases: FIDO, CTAP, WebAuthn

FIDO2 -- Passwordless Authentication with Smart Card Security

FIDO2 is an open authentication standard developed by the FIDO Alliance and the W3C that enables passwordless, phishing-resistant login using public-key cryptography. In the smart card context, FIDO2 is implemented in hardware security keys and secure elements that generate and store private keys on-device, ensuring credentials never leave the tamper-resistant chip.

Architecture: WebAuthn and CTAP2

FIDO2 comprises two complementary specifications. WebAuthn (W3C) is the browser/platform API that web applications call to request user authentication. CTAP2 (Client to Authenticator Protocol) defines the communication between the platform and the external authenticator -- typically a USB, NFC, or Bluetooth security key. When a user registers with a service, the secure element generates a unique key pair; the private key stays on the chip while the public key is sent to the server. Authentication requires physical possession of the key plus a user gesture (button press, PIN, or biometric).

Smart Card Implementation

Hardware FIDO2 keys such as the YubiKey use smart card chips with crypto coprocessors to perform ECC operations (typically P-256 or Ed25519). The key stores credentials in the chip's EEPROM or flash memory, supporting up to 25 resident keys for discoverable credentials. NFC-enabled keys communicate over ISO/IEC 14443 using the NFCCTAP protocol, which wraps CTAP2 commands inside APDU frames. For enterprise deployments, FIDO2 keys can be combined with PIV applets on a single device, providing both passwordless web authentication and traditional certificate-based VPN access.
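The APDU wrapping mentioned above, as an added example that is not code from this glossary or from any key vendor: it frames a CTAP2 command in the NFCCTAP_MSG APDU that the CTAP2 specification defines for the NFC transport and parses the card's response. The applet AID, the instruction byte 0x10 and the authenticatorGetInfo command byte 0x04 are taken from the CTAP2 specification, not from this page; the "FIDO_2_0" response in the usage is a constructed sample (it is the version string the spec has the applet return on SELECT).

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
)

// Values from the CTAP2 specification's NFC section (assumed here; not on the glossary page).
const (
	fidoAID       = "A0000006472F0001" // FIDO applet AID, selected before any CTAP traffic
	nfcCTAPMsgINS = 0x10               // NFCCTAP_MSG instruction byte (CLA 0x80)
	ctapGetInfo   = 0x04               // authenticatorGetInfo command byte
)

// SelectFIDOApplet builds the ISO 7816-4 SELECT-by-AID command: CLA 00 INS A4 P1 04 P2 00.
func SelectFIDOApplet() []byte {
	aid, _ := hex.DecodeString(fidoAID) // constant, cannot fail
	apdu := []byte{0x00, 0xA4, 0x04, 0x00, byte(len(aid))}
	apdu = append(apdu, aid...)
	return append(apdu, 0x00) // Le = 00: accept up to 256 bytes back (the version string)
}

// WrapCTAP frames a CTAP2 command (command byte followed by its CBOR parameters)
// as an NFCCTAP_MSG APDU. Payloads up to 255 bytes use the short form; larger
// ones use the extended-length form (3-byte Lc, 2-byte Le), since CBOR for
// makeCredential/getAssertion easily exceeds 255 bytes.
func WrapCTAP(cmd byte, cbor []byte) ([]byte, error) {
	payload := append([]byte{cmd}, cbor...)
	n := len(payload)
	if n > 65535 {
		return nil, errors.New("payload too large for an extended-length APDU")
	}
	hdr := []byte{0x80, nfcCTAPMsgINS, 0x00, 0x00}
	if n <= 255 {
		apdu := append(hdr, byte(n))
		apdu = append(apdu, payload...)
		return append(apdu, 0x00), nil // short Le = 00 (up to 256 bytes)
	}
	apdu := append(hdr, 0x00, byte(n>>8), byte(n)) // leading 00 marks extended length
	apdu = append(apdu, payload...)
	return append(apdu, 0x00, 0x00), nil // extended Le = 0000 (up to 65536 bytes)
}

// ParseResponse splits a response APDU into its data and the trailing status
// word. 0x9000 is success; 0x61XX means more data is pending and the caller
// must issue GET RESPONSE. Anything else is surfaced as an error.
func ParseResponse(resp []byte) (data []byte, sw uint16, err error) {
	if len(resp) < 2 {
		return nil, 0, errors.New("response shorter than a status word")
	}
	sw = uint16(resp[len(resp)-2])<<8 | uint16(resp[len(resp)-1])
	data = resp[:len(resp)-2]
	switch {
	case sw == 0x9000, sw>>8 == 0x61:
		return data, sw, nil
	default:
		return data, sw, fmt.Errorf("card returned SW=%04X", sw)
	}
}

func main() {
	fmt.Printf("SELECT:  %X\n", SelectFIDOApplet())
	getInfo, _ := WrapCTAP(ctapGetInfo, nil) // getInfo carries no CBOR parameters
	fmt.Printf("GETINFO: %X\n", getInfo)
	// Constructed sample response to SELECT: version string plus SW 90 00.
	data, sw, err := ParseResponse(append([]byte("FIDO_2_0"), 0x90, 0x00))
	fmt.Printf("data=%q sw=%04X err=%v\n", data, sw, err)
}
```

The interesting defensive detail is the length handling: a reader that assumes every CTAP message fits a short APDU will silently truncate or reject real makeCredential requests, and a parser that ignores 0x61XX will drop the tail of long getInfo responses.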

Security and Compliance

FIDO2 authenticators are evaluated against the FIDO Alliance's certification program, which defines three security levels. Level 1 covers software-only implementations. Level 2 requires restricted operating environments. Level 3+ requires hardware secure elements with Common Criteria or FIPS 140 certification. The phishing resistance of FIDO2 -- achieved through origin binding (the authenticator signs a hash of the relying party's domain) -- has led the US government to mandate FIDO2-compatible keys for federal employee access under updated FIPS 201 guidelines.
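The registration and authentication flow from the architecture section and the origin binding described just above, as one added example that is not code from this glossary or from any FIDO implementation: a toy authenticator that keeps P-256 private keys on-device and hands out only public keys, and a relying-party check that verifies the rpIdHash, the challenge and the origin before trusting the signature. The RP ID example.com, the look-alike origin examp1e.com and the challenge string are constructed for the demonstration; real CBOR/COSE encodings and the browser's own RP-ID check are left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData models the fields of WebAuthn's CollectedClientData used below.
// The browser, not the web page, fills in "origin" with the origin it actually
// loaded, which is what makes the signature useless on a look-alike site.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is a toy stand-in for the secure element: private keys are
// created here, indexed by RP ID, and never returned to the caller.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}} }

// Register creates a fresh P-256 key pair for rpID and hands back only the
// public half, which is all the server stores at registration time.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert produces a WebAuthn-style assertion: authenticatorData begins with
// SHA-256(rpID), and the signature covers authenticatorData || SHA-256(clientDataJSON).
func (a *Authenticator) Assert(rpID string, clientDataJSON []byte) (authData, sig []byte, err error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, nil, errors.New("no credential registered for " + rpID)
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData = append(rpIDHash[:], 0x01, 0x00, 0x00, 0x00, 0x01) // flags: UP; sign counter 1
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return authData, sig, err
}

// VerifyAssertion is the relying-party side: each check is one the WebAuthn
// spec requires of the server before it accepts a login.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, expectedOrigin, expectedChallenge string,
	clientDataJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected clientData type " + cd.Type)
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch (replayed assertion?)")
	}
	if cd.Origin != expectedOrigin {
		return errors.New("origin mismatch: assertion was made for " + cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], want[:]) {
		return errors.New("rpIdHash does not belong to this relying party")
	}
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// RunScenario registers a credential for example.com, then attempts one login
// from a page served at loginOrigin and returns the server's verdict.
func RunScenario(loginOrigin string) error {
	const rpID, rpOrigin = "example.com", "https://example.com"
	const challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl" // constructed; servers send >= 16 random bytes, base64url
	auth := NewAuthenticator()
	pub, err := auth.Register(rpID)
	if err != nil {
		return err
	}
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: loginOrigin})
	authData, sig, err := auth.Assert(rpID, cdJSON)
	if err != nil {
		return err
	}
	return VerifyAssertion(pub, rpID, rpOrigin, challenge, cdJSON, authData, sig)
}

func main() {
	fmt.Println("genuine site:  ", RunScenario("https://example.com"))
	fmt.Println("look-alike site:", RunScenario("https://examp1e.com"))
}
```

Running it shows the genuine login verifying and the look-alike login failing on the origin check: a credential relayed through a phishing page produces a signature over client data naming the phishing origin, so the server rejects it without any user vigilance involved.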

Frequently Asked Questions

The smart card glossary is a comprehensive reference of technical terms, acronyms, and concepts used in smart card technology. It covers protocols (APDU, T=0, T=1), security (Common Criteria, EAL, HSM), hardware (SE, EEPROM, contact pad), and applications (EMV, ePassport, eSIM). It serves developers, product managers, and engineers.

Yes. SmartCardFYI provides glossary definitions in 15 languages including English, Korean, Japanese, Chinese, Spanish, Portuguese, Hindi, Arabic, French, Russian, German, Turkish, Vietnamese, Indonesian, and Thai.