FIDO2 Project

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
FIDO2 USB security keys: fingerprint biometric and push-button
FIDO2 USB security keys: fingerprint biometric and push-button

The FIDO2 Project is a joint effort between the FIDO Alliance and the World Wide Web Consortium (W3C) whose goal is to create a strong authentication solution for the web. At its core, FIDO2 consists of the W3C Web Authentication (WebAuthn) standard and the FIDO Client to Authenticator Protocol (CTAP).[1] FIDO2 is based upon previous work done by the FIDO Alliance, in particular the Universal 2nd Factor (U2F) authentication standard.

Taken together, WebAuthn and CTAP specify a standard authentication protocol[2] where the protocol endpoints consist of a user-controlled cryptographic authenticator (such as a smartphone or a hardware security key) and a WebAuthn Relying Party (also called a FIDO2 server). A web user agent (i.e., a web browser) together with a WebAuthn client form an intermediary between the authenticator and the relying party. A single WebAuthn client Device may support multiple WebAuthn clients. For example, a laptop may support multiple clients, one for each conforming user agent running on the laptop. A conforming user agent implements the WebAuthn JavaScript API.

As its name implies, the Client to Authenticator Protocol (CTAP) enables a conforming cryptographic authenticator to interoperate with a WebAuthn client. The CTAP specification refers to two protocol versions called CTAP1/U2F and CTAP2.[3] An authenticator that implements one of these protocols is typically referred to as an U2F authenticator or a FIDO2 authenticator, respectively. A FIDO2 authenticator that also implements the CTAP1/U2F protocol is backward compatible with U2F.


  1. ^ "FIDO2: Moving the World Beyond Passwords". FIDO Alliance. Retrieved 30 January 2019.
  2. ^ Balfanz, Dirk; Czeskis, Alexei; Hodges, Jeff; Jones, J.C.; Jones, Michael B.; Kumar, Akshay; Liao, Angelo; Lindemann, Rolf; Lundberg, Emil (eds.). "Web Authentication: An API for accessing Public Key Credentials Level 1". World Wide Web Consortium (W3C). Retrieved 30 January 2019.
  3. ^ Brand, Christiaan; Czeskis, Alexei; Ehrensvärd, Jakob; Jones, Michael B.; Kumar, Akshay; Lindemann, Rolf; Powers, Adam; Verrept, Johan, eds. (February 27, 2018). "Client to Authenticator Protocol (CTAP)". FIDO Alliance. Retrieved 30 January 2019.