FIDO2 / Passkeys
Open authentication standards using device-bound asymmetric cryptography to deliver phishing-resistant sign-in — the practical answer to MFA fatigue and adversary-in-the-middle phishing.
FIDO2 is the open authentication standard maintained jointly by the FIDO Alliance and the W3C, composed of two specifications: WebAuthn (the browser/platform API) and CTAP (the protocol between the browser and an external authenticator). Passkeys are the consumer-friendly name for FIDO2 credentials that sync across a user’s devices via their platform vendor (Apple, Google, Microsoft) or a password manager (1Password, Dashlane, Bitwarden).
The cryptographic core is simple: at enrolment, the authenticator generates a unique public/private key pair bound to the relying-party origin (the website’s domain). The private key never leaves the device. At sign-in, the server sends a challenge; the device signs it locally — after a biometric or PIN gesture — and returns the signature. Because the credential is bound to the exact origin, a fake login page on a look-alike domain cannot trigger the right key. This is what “phishing-resistant” means in NIST 800-63B terms.
What FIDO2 / passkeys solve that other MFA factors don’t:
- MFA fatigue immunity. No push prompts to spam-approve; the user must explicitly touch the device.
- AiTM phishing immunity. Evilginx, Tycoon, and similar proxying kits cannot replay a FIDO2 assertion: the browser writes the origin it is actually on (the attacker's proxy domain) into the signed client data, so the real server rejects the assertion as signed for the wrong origin.
- No shared secret. Unlike TOTP, the server stores only a public key; a database breach leaks nothing usable.
- Roaming vs platform. Roaming authenticators (YubiKey, Titan) plug in via USB/NFC; platform authenticators (Touch ID, Windows Hello, Android biometric) live inside the device. Passkeys add cross-device sync on top.
The deployment friction is real — recovery flows, shared workstations, legacy apps that only speak SAML without WebAuthn — but every major IdP (Okta, Entra ID, Google Workspace, Ping) now supports passkeys natively, and the 2024-2026 trajectory is unambiguous: CISA, ANSSI, and the UK NCSC all recommend phishing-resistant MFA for privileged accounts as a baseline, not a stretch goal. Start with admins and finance; expand from there.
Related terms
- Multi-factor authentication (MFA): An authentication scheme that requires two or more independent factors — something you know, have, or are — to verify a user, raising the cost of credential theft.
- Single Sign-On (SSO): An authentication architecture where one identity provider issues tokens that grant access to many downstream applications, reducing credential surface but concentrating blast radius.
- MFA fatigue: A social-engineering attack that bombards a user with MFA push prompts until they tap Approve out of annoyance or confusion.
- Phishing: A social-engineering attack that impersonates a trusted entity to trick a person into surrendering credentials, money, or access — by email, SMS, voice, QR code, or OAuth consent.
- OAuth phishing / consent phishing: An attack that tricks a user into granting a malicious third-party app persistent OAuth access to their mailbox, files, or workspace — bypassing MFA entirely.