What is FIDO2?

May 24, 2018 4 minute read

Last month, open authentication standards reached an important milestone; Microsoft launched support for FIDO2 and CTAP, and the World Wide Web Consortium (W3C) won approval for WebAuthn. Since then, Yubico has received questions on how these efforts are related, what role FIDO U2F and Yubico have in the mix, and what organizations can implement now — and in the future — to enable simple, strong authentication for employees and end-users. This blog will bring some clarity to those questions.

What is the difference between FIDO U2F and FIDO2?

U2F was developed by Yubico and Google, and contributed to the FIDO Alliance after it was successfully deployed for Google employees. The protocol is designed to act as a second factor to strengthen existing username/password-based login flows. It’s built on Yubico’s invention of a scalable public-key model in which a new key pair is generated for each service and an unlimited number of services can be supported, all while maintaining full separation between them to preserve privacy.

Essentially, FIDO2 is the passwordless evolution of FIDO U2F. The overall objective for FIDO2 is to provide an extended set of functionality to cover additional use-cases, with the main driver being passwordless login flows. The U2F model is still the basis for FIDO2 and compatibility for existing U2F deployments is provided in the FIDO2 specs.

What is WebAuthn & CTAP?

A new, extensible web authentication API, called Webauthn, has been developed within W3C, which supports both existing FIDO U2F and upcoming FIDO2 credentials.

The FIDO U2F client-side protocol has been renamed CTAP1, and a new, extensible client-to-authenticator protocol (CTAP2) has been developed to allow for external authenticators (tokens, phones, smart cards etc.) to interface with FIDO2-enabled browsers and Operating Systems

WebAuthn and CTAP2 are both required to deliver the FIDO2 passwordless login experience, but WebAuthn still supports FIDO U2F authenticators, since CTAP1 is also part of the WebAuthn specification.

How can organizations deploy FIDO2?

So, what can organizations do if they are aiming to provide support for FIDO2? We recommend making support for WebAuthn as it works with existing FIDO U2F authenticators and also FIDO 2 authenticators.

Mozilla Firefox 60 recently added support for WebAuthn, Chrome 67 will be shipping with WebAuthn support in the near future, and Microsoft has already announced they will support WebAuthn in Edge browsers. The U2F web API continues to work for U2F authenticators, but is limited to the Chrome and Opera browsers.

To evaluate WebAuthn with FIDO U2F and FIDO2 authenticators today, Yubico offers a test service at demo.yubico.com/webauthn, and soon we will provide more complete open source FIDO2 servers on GitHub. Organizations can sign up for updates from the Yubico Developer Program to get information on FIDO2 and WebAuthn resources.

So, what’s our role in all of this?

From Yubico’s perspective, we’re proud and pleased to see our vision of one single security key to any number of services become a reality. We’ve watched this vision progress from our launch of the first YubiKey in 2008, to early U2F development in 2011, to the launch of FIDO2 in 2018.

With WebAuthn providing a seamless evolution from U2F to FIDO2, and with upcoming support for built-in authenticators and additional use-cases, WebAuthn becomes the center of a ubiquitous ecosystem for authentication.

Our mission has always been to drive standards and adoption by providing technical specifications, open source components, and developer tools; and to be the gold standard for authenticators. With the open standards ecosystem growing, we see the vision of providing strong authentication for everyone coming true.

Interested in exploring FIDO2 and passwordless login? Get started today with the Security Key by Yubico.

Share this article:

Recommended content

Thumbnail

Top five pitfalls companies should avoid when rolling out a passwordless strategy

Given the number of breaches in the news today where passwords were at the root of the problem, many companies are now exploring the benefits of a secure passwordless future. Secure passwordless logins not only bring cost efficiencies and a more frictionless user login experience into the organization, but deliver the security that is necessary ...

Thumbnail

Built-in FIDO authenticators and YubiKeys are making the internet safer for all

In 2007, Yubico set out to protect as many people as possible by making secure login easy and available for everyone. We are happy Apple has joined Yubico, Google, and Microsoft on this journey by implementing W3C WebAuthn/FIDO compatible platform authenticators and are pleased to say that now all major platforms have adopted the standards ...

Thumbnail

How will authentication standards evolve in 2021 and beyond?

Authentication standards development is like a slow-moving, winding river. It often takes years of dedicated work to reach new milestones, yet it feeds the entire security ecosystem and sustains digital workflow safety throughout the enterprise. While the benefits of this river are often invisible to the end-user, CISOs and developers are thinking about the river’s ...

Thumbnail

SIM Swap Protecting Against Account Takeover with WebAuthn

Billions of dollars are being stolen annually due to account takeover fraud.