FIDO2 and Smart Cards

How FIDO2 works with smart cards: CTAP protocol, WebAuthn API, and hardware authenticators like YubiKey and security keys.

FIDO2 is the umbrella term for the W3C WebAuthn specification and the CTAP2 protocol (Client to Authenticator Protocol). While most consumer deployments use platform authenticators (device biometrics) or USB security keys, smart card–based FIDO2 authenticators provide a hardware-rooted, phishing-resistant credential store backed by the same tamper-resistant chip used in banking and government ID programmes.

Architecture Overview

Browser / Relying Party
        |  WebAuthn API (navigator.credentials)
        v
   Platform Authenticator Transport Layer
        |  CTAP2 (USB HID / NFC / BLE)
        v
   Smart Card Authenticator
        |  ISO 7816 APDU
        v
   Secure Element (FIDO2 applet)
        — Key pair generation (P-256 / Ed25519)
        — Assertion signing
        — PIN / UV verification

The smart card acts as a FIDO2 roaming authenticator — a hardware token external to the platform. The private key is generated on-chip and never exported, fulfilling FIDO Alliance's "key is bound to hardware" requirement.

CTAP2 Credential Lifecycle

| Phase | CTAP2 Command | Smart Card Operation |
|---|---|---|
| Registration | authenticatorMakeCredential | Generate P-256 key pair; sign attestation |
| Authentication | authenticatorGetAssertion | Sign clientDataHash with private key |
| PIN management | authenticatorClientPIN | Set/verify PIN; derive PIN token |
| Credential management | authenticatorCredentialManagement | List/delete resident keys |

FIDO2 credentials on smart cards are typically resident keys (also called discoverable credentials): the credential ID and user handle are stored in the card's EEPROM, allowing passwordless login without the relying party needing to pass a credential ID hint.

Attestation Formats

When registering a new credential, the authenticator returns an attestation statement that proves the credential was created by a genuine device:

| Attestation Format | Used By | Verification |
|---|---|---|
| packed | Most FIDO2 tokens | ECDSA signature over authData + clientDataHash |
| tpm | TPM-backed authenticators | TPM quote structure |
| fido-u2f | Legacy U2F interop | Basic attestation |
| none | Privacy-preserving | Not verifiable |

Smart card FIDO2 applets typically use packed attestation with a batch attestation certificate rooted in the manufacturer's PKI, certified at Common Criteria EAL5+.

User Verification Methods

FIDO2 mandates a User Verification (UV) step for Level 2 and above:

  • PIN (most common on smart cards): A numeric or alphanumeric PIN is verified on-card; three consecutive failures trigger a lockout requiring a PUK.
  • On-card fingerprint: Higher-end smart card tokens include a fingerprint sensor; the match runs entirely inside the secure element.

The PIN is never transmitted to the relying party — the card derives a PIN token internally and uses it to sign the client assertion.

APDU Layer for CTAP2 over Smart Card

CTAP2 commands are encoded as CBOR maps and transported as APDU data payloads:

Command APDU (CTAP2 over CCID):
  CLA=00  INS=10  P1=00  P2=00
  Lc = len(CBOR payload)
  Data = CBOR-encoded CTAP2 command map
  Le = 00

Response APDU:
  Data = CBOR-encoded response map
  SW1 SW2 = 90 00 (success) or 6F XX (error)

The CTAP2 command byte precedes the CBOR map in the APDU data field: 01 = authenticatorMakeCredential, 02 = authenticatorGetAssertion.
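The framing above as an added example (not code from the original article): a minimal CBOR encoder, the command-byte-plus-map payload wrapped in the CLA=00 INS=10 APDU described on this page, and response splitting. The relying-party ID and clientDataHash are constructed sample values; the extended-length branch for payloads over 255 bytes goes beyond the short form shown above.

```python
# Added example (not from the article): CTAP2 command framing over ISO 7816 APDUs.
CTAP2_MAKE_CREDENTIAL = 0x01   # command bytes named on the page
CTAP2_GET_ASSERTION = 0x02

def cbor_encode(value) -> bytes:
    """Minimal CBOR (RFC 8949) encoder for the types a CTAP2 command map uses."""
    def head(major: int, n: int) -> bytes:
        if n < 24:
            return bytes([(major << 5) | n])
        for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
            if n < 1 << (8 * size):
                return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
        raise ValueError("integer too large for CBOR")
    if isinstance(value, bool):                 # bool before int: bool is an int subclass
        return b"\xf5" if value else b"\xf4"
    if isinstance(value, int):
        return head(0, value) if value >= 0 else head(1, -1 - value)
    if isinstance(value, bytes):
        return head(2, len(value)) + value
    if isinstance(value, str):
        data = value.encode("utf-8")
        return head(3, len(data)) + data
    if isinstance(value, dict):
        # CTAP2 requires canonical key order: shorter encoded keys first, then bytewise.
        items = sorted(((cbor_encode(k), cbor_encode(v)) for k, v in value.items()),
                       key=lambda kv: (len(kv[0]), kv[0]))
        return head(5, len(items)) + b"".join(k + v for k, v in items)
    raise TypeError(f"unsupported CBOR type: {type(value).__name__}")

def ctap2_apdu(command: int, params: dict) -> bytes:
    """Command byte + CBOR map, wrapped in the CLA=00 INS=10 P1=00 P2=00 APDU shown above."""
    payload = bytes([command]) + cbor_encode(params)
    header = bytes([0x00, 0x10, 0x00, 0x00])
    if len(payload) <= 255:
        return header + bytes([len(payload)]) + payload + b"\x00"   # short Lc, Le=00
    # Larger payloads (e.g. MakeCredential with a long excludeList) need ISO 7816 extended length.
    return header + b"\x00" + len(payload).to_bytes(2, "big") + payload + b"\x00\x00"

def parse_response(rapdu: bytes) -> tuple[int, bytes]:
    """Return (CTAP status byte, CBOR response bytes); raise unless SW1 SW2 == 90 00."""
    data, sw = rapdu[:-2], rapdu[-2:]
    if sw != b"\x90\x00":
        raise RuntimeError(f"card error SW={sw.hex()}")
    # CTAP2 prefixes the CBOR response map with one status byte (0x00 = CTAP2_OK).
    return data[0], data[1:]

# Constructed sample: rpId and a 32-byte stand-in for SHA-256(clientDataJSON).
SAMPLE_APDU = ctap2_apdu(CTAP2_GET_ASSERTION,
                         {1: "example.com", 2: b"\x11" * 32, 5: {"up": True}})
```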

Enterprise Deployment Considerations

| Factor | Recommendation |
|---|---|
| Credential backup | Not supported; resident keys are hardware-bound |
| Batch deployment | Use MDM to enforce smart card FIDO2 for privileged access |
| Legacy U2F coexistence | CTAP1 fallback is supported; avoid for new deployments |
| PIN policy | Minimum 6 digits; enforce complexity via CTAP2 minPINLength extension |
| Attestation verification | Validate against FIDO MDS3 metadata service |

For PKI integration alongside FIDO2, see PKI on Smart Cards. For the underlying secure element security model, see TEE vs Secure Element.