FIDO2 and W3C WebAuthn Standard

International (W3C / FIDO Alliance)

vWebAuthn Level 3 (2025)

5 domains

22 controls

FIDO2 (Fast IDentity Online) comprises the W3C Web Authentication (WebAuthn) specification and the FIDO Alliance Client-to-Authenticator Protocol (CTAP). WebAuthn Level 3 (2025) enables passwordless authentication using public key cryptography. Authenticators include platform authenticators (biometrics), roaming authenticators (security keys), and passkeys (synced credentials). Supported by all major browsers and operating systems. Over 15 billion accounts enabled for passkey sign-in.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (5)

Attestation and Trust

4 controls

Controls in the Attestation and Trust domain of FIDO2 and W3C WebAuthn Standard — 4 controls
Code	Title	Description
ATT-1	Attestation Formats	Servers must support at least one attestation format such as packed, TPM, Android Key, or FIDO U2F.
ATT-2	Attestation Types	The specification supports basic, self, attestation CA, and anonymization CA attestation types.
ATT-3	Metadata Service Integration	Relying parties may use the FIDO Metadata Service to verify authenticator trust and security properties.
ATT-4	Enterprise Attestation	Enterprise attestation enables organisations to obtain uniquely identifying attestation for managed authenticators.

Authentication Ceremony

4 controls

Controls in the Authentication Ceremony domain of FIDO2 and W3C WebAuthn Standard — 4 controls
Code	Title	Description
WebAuthn-6.1	Authentication Challenge	Relying parties must generate a unique challenge for each authentication request to prevent replay attacks.
WebAuthn-6.2	Assertion Verification	Relying parties must verify the authenticator assertion including signature, origin, and challenge binding.
WebAuthn-6.3	User Verification	Authenticators must verify user identity through biometrics, PIN, or other local verification methods.
WebAuthn-6.4	Counter Verification	Relying parties should verify the signature counter to detect potentially cloned authenticators.

Authenticator Requirements (CTAP2)

5 controls

Controls in the Authenticator Requirements (CTAP2) domain of FIDO2 and W3C WebAuthn Standard — 5 controls
Code	Title	Description
CTAP2-1	Authenticator API Commands	Authenticators must implement CTAP2 commands for credential management including makeCredential and getAssertion.
CTAP2-2	Transport Protocols	Authenticators must support at least one transport protocol such as USB HID, NFC, or Bluetooth Low Energy.
CTAP2-3	PIN/UV Protocol	Authenticators must support client PIN or built-in user verification protocols for user identity confirmation.
CTAP2-4	Credential Management	Authenticators must manage resident credentials including creation, enumeration, and deletion capabilities.
CTAP2-5	Authenticator Configuration	Authenticators must support configuration operations including PIN change and reset functionality.

Registration Ceremony

4 controls

Controls in the Registration Ceremony domain of FIDO2 and W3C WebAuthn Standard — 4 controls
Code	Title	Description
WebAuthn-5.1	Credential Creation	Relying parties must initiate credential creation by generating a challenge and specifying public key credential paramet...
WebAuthn-5.2	Authenticator Selection	Relying parties may specify authenticator requirements including attachment type, resident key, and user verification.
WebAuthn-5.3	Attestation Statement Verification	Relying parties must verify the attestation statement returned by the authenticator during registration.
WebAuthn-5.4	Credential Storage	Relying parties must securely store the public key credential and associated data returned during registration.

Security and Privacy Requirements

5 controls

Controls in the Security and Privacy Requirements domain of FIDO2 and W3C WebAuthn Standard — 5 controls
Code	Title	Description
SEC-1	Data Integrity Proofs	Credentials may be secured using Data Integrity proofs embedded directly in the credential document as a proof property.
SEC-2	Enveloping Proofs	Credentials may be secured using external enveloping proof formats such as JWT, JWS, or SD-JWT signatures.
SEC-3	Non-Repudiation	Securing mechanisms must provide non-repudiation ensuring the issuer cannot deny having issued the credential.
SEC-4	Privacy Considerations	Authenticators must not enable tracking across relying parties and should support credential isolation.
SEC-5	Channel Binding	Assertions are bound to the TLS channel to prevent man-in-the-middle attacks during authentication.

Maps to 295 other frameworks

22 total controls

FDA 21 CFR Part 11

3 source controls mapped|3 target controls covered

14%

CNCF Cloud Native Security (Cloud Native Computing Foundation)

3 source controls mapped|3 target controls covered

14%

HL7 FHIR Security Framework

3 source controls mapped|4 target controls covered

14%

3GPP Security Architecture (TS 33.501 — 5G Security)

3 source controls mapped|5 target controls covered

14%

NIST SP 800-92

3 source controls mapped|4 target controls covered

14%

NIST SP 800-124 Rev 2 — Mobile Device Security

3 source controls mapped|3 target controls covered

14%

CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0

3 source controls mapped|5 target controls covered

14%

NIST SP 800-115

3 source controls mapped|4 target controls covered

14%

ISO/SAE 21434

3 source controls mapped|4 target controls covered

14%

NIST SP 800-171A Rev 3 — Assessing CUI Security Requirements

3 source controls mapped|5 target controls covered

14%

FedRAMP Rev 5

3 source controls mapped|7 target controls covered

14%

PropTech Security Standards — Smart Building Cybersecurity

3 source controls mapped|2 target controls covered

14%

NIST SP 800-123

3 source controls mapped|4 target controls covered

14%

AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association)

3 source controls mapped|3 target controls covered

14%

NIST SP 800-53 Rev 5

3 source controls mapped|5 target controls covered

14%

OpenSSF Scorecard

3 source controls mapped|4 target controls covered

14%

ASD Strategies to Mitigate Cyber Security Incidents

3 source controls mapped|3 target controls covered

14%

MITRE ATT&CK

3 source controls mapped|4 target controls covered

14%

CISA ICS-CERT Advisories and Industrial Control Systems Security Guidelines

3 source controls mapped|3 target controls covered

14%

NIS2 Directive Implementing Acts

3 source controls mapped|5 target controls covered

14%

FBI CJIS Security Policy

3 source controls mapped|5 target controls covered

14%

CCSDS 350.0-G-3 — Space Communications Security (Consultative Committee for Space Data Systems)

3 source controls mapped|6 target controls covered

14%

California IoT Security Law

3 source controls mapped|4 target controls covered

14%

NIST SP 800-53A

3 source controls mapped|2 target controls covered

14%

US Gramm-Leach-Bliley Act (GLBA) — Higher Education Safeguards Rule

3 source controls mapped|5 target controls covered

14%

NYDFS Cybersecurity Regulation (23 NYCRR Part 500)

3 source controls mapped|5 target controls covered

14%

HIPAA Security Rule

3 source controls mapped|5 target controls covered

14%

O-RAN Alliance Security Specifications (O-RAN.WG11)

3 source controls mapped|2 target controls covered

14%

PTES

3 source controls mapped|4 target controls covered

14%

OWASP ASVS

3 source controls mapped|4 target controls covered

14%

ISO 27017

3 source controls mapped|2 target controls covered

14%

NIST SP 800-128

3 source controls mapped|4 target controls covered

14%

Regional Comprehensive Economic Partnership (RCEP) — E-Commerce Chapter

3 source controls mapped|1 target controls covered

14%

DFARS 252.204-7012 — Safeguarding Covered Defense Information

3 source controls mapped|3 target controls covered

14%

Connecticut Data Privacy Act (CTDPA)

3 source controls mapped|5 target controls covered

14%

Illinois Biometric Information Privacy Act (BIPA)

3 source controls mapped|3 target controls covered

14%

NAIC Insurance Data Security Model Law (MDL-668)

3 source controls mapped|5 target controls covered

14%

Modern Slavery Act 2018 (Australia)

3 source controls mapped|3 target controls covered

14%

GLI-33 — Gaming Laboratories International Event Wagering Systems

3 source controls mapped|3 target controls covered

14%

3GPP 5G Security Architecture (TS 33.501)

3 source controls mapped|4 target controls covered

14%

NIST SP 800-181

3 source controls mapped|4 target controls covered

14%

ISO 27018

3 source controls mapped|2 target controls covered

14%

NIST SP 800-61

3 source controls mapped|4 target controls covered

14%

Russia Federal Law on Personal Data (152-FZ)

3 source controls mapped|1 target controls covered

14%

ASD Information Security Manual (ISM)

3 source controls mapped|8 target controls covered

14%

TEFCA — Trusted Exchange Framework and Common Agreement

3 source controls mapped|2 target controls covered

14%

NIST SP 800-187

3 source controls mapped|4 target controls covered

14%

EMV 3-D Secure (3DS2) — Payment Authentication Protocol

3 source controls mapped|4 target controls covered

14%

DAMA-DMBOK2 — Data Management Body of Knowledge (2nd Edition)

3 source controls mapped|1 target controls covered

14%

ISO 13485

3 source controls mapped|3 target controls covered

14%

NIST SP 800-171A — Assessing CUI Security Requirements

3 source controls mapped|5 target controls covered

14%

ISO 27002:2022

3 source controls mapped|4 target controls covered

14%

OWASP Top 10:2025

3 source controls mapped|3 target controls covered

14%

FTC Safeguards Rule (16 CFR Part 314)

3 source controls mapped|2 target controls covered

14%

DoD Zero Trust Reference Architecture

3 source controls mapped|2 target controls covered

14%

MITRE D3FEND

3 source controls mapped|4 target controls covered

14%

NIST SP 800-160

3 source controls mapped|4 target controls covered

14%

UK Gambling Commission — Cyber Resilience Requirements

3 source controls mapped|2 target controls covered

14%

CMMC 2.0

3 source controls mapped|2 target controls covered

14%

ISMAP (Japan)

3 source controls mapped|2 target controls covered

14%

NIST SP 800-218

3 source controls mapped|4 target controls covered

14%

OWASP API Security Top 10:2023

3 source controls mapped|2 target controls covered

14%

PCI DSS v4.0

3 source controls mapped|6 target controls covered

14%

CSA CCM v4

3 source controls mapped|6 target controls covered

14%

NIST SP 800-63

3 source controls mapped|4 target controls covered

14%

CISA Secure by Design Principles

3 source controls mapped|4 target controls covered

14%

Azure Security Benchmark

3 source controls mapped|2 target controls covered

14%

NIST SP 800-207

3 source controls mapped|4 target controls covered

14%

ASD Essential Eight Maturity Model

3 source controls mapped|3 target controls covered

14%

NIST SP 800-172

3 source controls mapped|2 target controls covered

14%

MDS2 (Medical Device)

3 source controls mapped|3 target controls covered

14%

Belgium CyberFundamentals

3 source controls mapped|2 target controls covered

14%

NIST SP 800-88

3 source controls mapped|4 target controls covered

14%

USMCA Chapter 19 — Digital Trade (United States-Mexico-Canada Agreement)

3 source controls mapped|1 target controls covered

14%

NIST Privacy Framework Version 1.0

3 source controls mapped|1 target controls covered

14%

South Korea ISMS-P

3 source controls mapped|2 target controls covered

14%

CISA Zero Trust Maturity Model

3 source controls mapped|2 target controls covered

14%

PAS 1192-5:2015 — Security-Minded Approach to BIM and Digital Built Environments

3 source controls mapped|4 target controls covered

14%

Canada ITSG-33 — IT Security Risk Management

3 source controls mapped|4 target controls covered

14%

New Zealand Information Security Manual (NZISM)

3 source controls mapped|4 target controls covered

14%

MARS-E — Minimum Acceptable Risk Standards for Exchanges

3 source controls mapped|4 target controls covered

14%

South Korea Cloud Security Assurance Program (CSAP)

3 source controls mapped|4 target controls covered

14%

NRC 10 CFR 73.54 — Nuclear Facility Cybersecurity

3 source controls mapped|4 target controls covered

14%

Bank Secrecy Act / Anti-Money Laundering (BSA/AML)

3 source controls mapped|1 target controls covered

14%

UK Open Banking Standard

3 source controls mapped|4 target controls covered

14%

US Consumer Product Safety Commission (CPSC) — Connected Product Safety

3 source controls mapped|1 target controls covered

14%

MARS-E

3 source controls mapped|3 target controls covered

14%

AML/CTF Act 2006 (Australia)

3 source controls mapped|1 target controls covered

14%

NIST SP 800-150

3 source controls mapped|4 target controls covered

14%

NIST SP 800-161

3 source controls mapped|4 target controls covered

14%

Colorado Privacy Act (CPA)

3 source controls mapped|4 target controls covered

14%

Vermont Artificial Intelligence and Consumer Data Act (AICDA)

3 source controls mapped|2 target controls covered

14%

Digital Economy Partnership Agreement (DEPA)

3 source controls mapped|2 target controls covered

14%

FISMA

3 source controls mapped|2 target controls covered

14%

OWASP SAMM

3 source controls mapped|4 target controls covered

14%

NIST SP 800-137

3 source controls mapped|4 target controls covered

14%

EBA Guidelines on ICT and Security Risk Management (EBA/GL/2019/04)

3 source controls mapped|1 target controls covered

14%

Cyber Essentials Plus

3 source controls mapped|2 target controls covered

14%

ISO/IEC 27400:2022

3 source controls mapped|2 target controls covered

14%

ANSSI Cybersecurity Framework

3 source controls mapped|2 target controls covered

14%

AWS Well-Architected Security Pillar

3 source controls mapped|2 target controls covered

14%

ISO/IEC 29115:2023 — Entity Authentication Assurance Framework

3 source controls mapped|4 target controls covered

14%

EU Cyber Resilience Act

3 source controls mapped|4 target controls covered

14%

ISO 27043

3 source controls mapped|4 target controls covered

14%

BSIMM

3 source controls mapped|4 target controls covered

14%

ASIC Cyber Resilience Good Practices

3 source controls mapped|1 target controls covered

14%

OWASP MASVS

3 source controls mapped|4 target controls covered

14%

Armenia Law on Protection of Personal Data (2015)

3 source controls mapped|2 target controls covered

14%

NIST Cybersecurity Framework 2.0

3 source controls mapped|2 target controls covered

14%

ISO 27799

3 source controls mapped|3 target controls covered

14%

Spain ENS

3 source controls mapped|2 target controls covered

14%

BSI IT-Grundschutz

3 source controls mapped|2 target controls covered

14%

IRS Publication 1075 — Tax Information Security Guidelines

3 source controls mapped|2 target controls covered

14%

EU Maritime Single Window Environment Regulation (EU 2019/1239) and EMSA Cybersecurity

3 source controls mapped|1 target controls covered

14%

NIST SP 800-82 Rev 3 — Guide to OT Security

3 source controls mapped|2 target controls covered

14%

NIST SP 800-66

3 source controls mapped|3 target controls covered

14%

CSA STAR (Security, Trust, Assurance, and Risk)

3 source controls mapped|2 target controls covered

14%

RFC 2350 — Expectations for Computer Security Incident Response (BCP 21)

3 source controls mapped|2 target controls covered

14%

FIDO2 / WebAuthn — Passwordless Authentication Standard

3 source controls mapped|3 target controls covered

14%

CWE Top 25 Most Dangerous Software Weaknesses (2024)

3 source controls mapped|3 target controls covered

14%

Lebanon Electronic Transactions and Personal Data Protection Law (Law No. 81/2018)

3 source controls mapped|2 target controls covered

14%

Wisconsin Data Privacy Act (SB 670)

3 source controls mapped|3 target controls covered

14%

Tennessee Information Protection Act (TIPA)

3 source controls mapped|2 target controls covered

14%

UK Telecommunications (Security) Act 2021

3 source controls mapped|3 target controls covered

14%

NIST SP 800-183

3 source controls mapped|4 target controls covered

14%

C5 (Germany)

3 source controls mapped|2 target controls covered

14%

NIST SP 800-190

3 source controls mapped|2 target controls covered

14%

CAIQ (CSA)

3 source controls mapped|2 target controls covered

14%

ETSI EN 303 645

3 source controls mapped|4 target controls covered

14%

W3C Verifiable Credentials (VC) Data Model 2.0

3 source controls mapped|3 target controls covered

14%

Ghana Cybersecurity Act

3 source controls mapped|2 target controls covered

14%

Chile Personal Data Protection Law (Law No. 21.719)

3 source controls mapped|2 target controls covered

14%

Saudi NCA ECC

3 source controls mapped|2 target controls covered

14%

ISO 27001:2022

3 source controls mapped|3 target controls covered

14%

eIDAS 2.0 — EU Digital Identity Regulation

3 source controls mapped|1 target controls covered

14%

NIST SP 800-144

3 source controls mapped|2 target controls covered

14%

NIST Privacy Framework 1.0

3 source controls mapped|3 target controls covered

14%

US Maritime Transportation Security Act (MTSA) and USCG Cybersecurity Requirements

3 source controls mapped|1 target controls covered

14%

FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011)

3 source controls mapped|3 target controls covered

14%

EU PSD3 and Payment Services Regulation (Proposed)

3 source controls mapped|3 target controls covered

14%

OWASP DevSecOps Maturity Model (DSOMM)

3 source controls mapped|1 target controls covered

14%

3GPP Security

3 source controls mapped|4 target controls covered

14%

NIST SP 800-171

3 source controls mapped|2 target controls covered

14%

NIST SP 800-146

3 source controls mapped|2 target controls covered

14%

ISO/IEC 23837 — Security Requirements for Quantum Key Distribution

3 source controls mapped|4 target controls covered

14%

OWASP Top 10 for LLM Applications 2025

3 source controls mapped|2 target controls covered

14%

TISAX — Trusted Information Security Assessment Exchange

3 source controls mapped|4 target controls covered

14%

MTCS (Singapore)

3 source controls mapped|2 target controls covered

14%

FAA Cybersecurity Framework for Aviation

3 source controls mapped|2 target controls covered

14%

Oman National Cybersecurity Framework

3 source controls mapped|2 target controls covered

14%

EN 301 549 — ICT Accessibility Requirements

3 source controls mapped|1 target controls covered

14%

TSA Pipeline Cybersecurity Directives

3 source controls mapped|1 target controls covered

14%

IACS Unified Requirements E26/E27 — Cyber Resilience of Ships and On-Board Systems

3 source controls mapped|1 target controls covered

14%

US EPA Safe Drinking Water Act (SDWA) — Cybersecurity Requirements

3 source controls mapped|1 target controls covered

14%

Australian Energy Sector Cyber Security Framework (AESCSF)

3 source controls mapped|1 target controls covered

14%

NIST SP 800-145

3 source controls mapped|2 target controls covered

14%

WCO Authorised Economic Operator (AEO) Framework

3 source controls mapped|1 target controls covered

14%

NRF Cybersecurity and Data Privacy Framework (National Retail Federation)

3 source controls mapped|1 target controls covered

14%

WCO SAFE Framework of Standards to Secure and Facilitate Global Trade (2021)

3 source controls mapped|1 target controls covered

14%

Customs-Trade Partnership Against Terrorism (C-TPAT)

3 source controls mapped|1 target controls covered

14%

EU Critical Raw Materials Act (Regulation (EU) 2024/1252)

3 source controls mapped|1 target controls covered

14%

EU Chips Act (Regulation (EU) 2023/1781)

3 source controls mapped|1 target controls covered

14%

EU European Health Data Space (EHDS)

3 source controls mapped|1 target controls covered

14%

SSDF (NIST)

3 source controls mapped|4 target controls covered

14%

TSA Pipeline Security

3 source controls mapped|1 target controls covered

14%

SLSA

3 source controls mapped|4 target controls covered

14%

ITU-T X.805 — Security Architecture for End-to-End Communications

3 source controls mapped|1 target controls covered

14%

UNECE WP.29 R156

3 source controls mapped|4 target controls covered

14%

SIG (Shared Assessments)

3 source controls mapped|4 target controls covered

14%

Florida Digital Bill of Rights (SB 262)

3 source controls mapped|2 target controls covered

14%

SSAE 18 — Attestation Standards (SOC Reporting)

3 source controls mapped|1 target controls covered

14%

FTC GLBA Safeguards Rule (16 CFR Part 314)

3 source controls mapped|2 target controls covered

14%

SWIFT Customer Security Programme (CSP)

3 source controls mapped|3 target controls covered

14%

Zimbabwe Data Protection Act (2021)

3 source controls mapped|1 target controls covered

14%

UK PSTI Act

3 source controls mapped|4 target controls covered

14%

DISA Security Technical Implementation Guides (STIGs)

3 source controls mapped|5 target controls covered

14%

UNECE WP.29 R155

3 source controls mapped|4 target controls covered

14%

WCAG 2.2

3 source controls mapped|2 target controls covered

14%

US Executive Order 14028 — Improving the Nation's Cybersecurity

3 source controls mapped|1 target controls covered

14%

ESRB Privacy Certified Programme

1 source controls mapped|2 target controls covered

Hungary Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act)

1 source controls mapped|2 target controls covered

Kenya DPA

1 source controls mapped|1 target controls covered

India DPDP Act

1 source controls mapped|1 target controls covered

FFIEC IT Examination Handbook

1 source controls mapped|1 target controls covered

ISO/IEC 27010:2015

1 source controls mapped|1 target controls covered

Dominican Republic DPL

1 source controls mapped|1 target controls covered

Ecuador LOPDP

1 source controls mapped|1 target controls covered

Bahrain PDPL

1 source controls mapped|1 target controls covered

Indonesia PDP Law

1 source controls mapped|1 target controls covered

CCPA/CPRA

1 source controls mapped|1 target controls covered

NSA Quantum-Resistant (QR) Cryptography Migration Guidance

1 source controls mapped|3 target controls covered

EAR — Export Administration Regulations

1 source controls mapped|2 target controls covered

PCI PIN Security

1 source controls mapped|1 target controls covered

Open Banking Security

1 source controls mapped|1 target controls covered

PDPA Singapore

1 source controls mapped|1 target controls covered

Oregon Consumer Privacy Act

1 source controls mapped|1 target controls covered

Peru DPL

1 source controls mapped|1 target controls covered

Turkey KVKK

1 source controls mapped|1 target controls covered

Mexico LFPDPPP

1 source controls mapped|1 target controls covered

PCI P2PE

1 source controls mapped|1 target controls covered

Indiana Consumer Data Protection Act

1 source controls mapped|1 target controls covered

Delaware Personal Data Privacy Act

1 source controls mapped|1 target controls covered

NIST SP 800-34 Rev 1 — Contingency Planning Guide

1 source controls mapped|1 target controls covered

Singapore Government Instruction Manual on ICT&SS Management (IM8)

1 source controls mapped|1 target controls covered

ENISA Privacy Enhancing Technologies (PETs) Guidance

1 source controls mapped|2 target controls covered

Nebraska Data Privacy Act

1 source controls mapped|1 target controls covered

NIST Post-Quantum Cryptography Standards (FIPS 203, 204, 205)

1 source controls mapped|3 target controls covered

PDPA Thailand

1 source controls mapped|1 target controls covered

APRA CPS 234

1 source controls mapped|1 target controls covered

Nigeria NDPR

1 source controls mapped|1 target controls covered

Privacy Act 1988 (Australia)

1 source controls mapped|1 target controls covered

MAS TRM

1 source controls mapped|1 target controls covered

New Zealand Privacy Act

1 source controls mapped|1 target controls covered

ISO 27701

1 source controls mapped|1 target controls covered

Rwanda DPL

1 source controls mapped|1 target controls covered

BCBS 239

1 source controls mapped|1 target controls covered

Connecticut DPA

1 source controls mapped|1 target controls covered

NIST AI Risk Management Framework (AI RMF 1.0)

1 source controls mapped|1 target controls covered

NIST AI 600-1 Generative AI Profile

1 source controls mapped|1 target controls covered

APPI

1 source controls mapped|1 target controls covered

Argentina PDPA

1 source controls mapped|1 target controls covered

Montana Consumer Data Privacy Act

1 source controls mapped|1 target controls covered

NSA CNSA Suite 2.0 — Commercial National Security Algorithm Suite

1 source controls mapped|3 target controls covered

Qatar DPL

1 source controls mapped|1 target controls covered

Colombia Habeas Data Law

1 source controls mapped|1 target controls covered

New Jersey Data Privacy Act

1 source controls mapped|1 target controls covered

HITECH Act

1 source controls mapped|1 target controls covered

Norway PDPA

1 source controls mapped|1 target controls covered

DORA

1 source controls mapped|1 target controls covered

Chile DPL

1 source controls mapped|1 target controls covered

Nigeria Open Banking Regulatory Framework (CBN, 2023)

1 source controls mapped|1 target controls covered

Philippines DPA

1 source controls mapped|1 target controls covered

New Hampshire Privacy Act

1 source controls mapped|1 target controls covered

Mauritius DPA

1 source controls mapped|1 target controls covered

UK Defence Standard 05-138 — Cyber Security for Defence Suppliers

1 source controls mapped|1 target controls covered

Jamaica DPA

1 source controls mapped|1 target controls covered

FERPA

1 source controls mapped|1 target controls covered

Malaysia PDPA 2010

1 source controls mapped|1 target controls covered

Colorado Privacy Act

1 source controls mapped|1 target controls covered

IEC 62351 — Power Systems Communication Security

1 source controls mapped|1 target controls covered

Kentucky Consumer Data Protection Act

1 source controls mapped|1 target controls covered

Maryland Online Data Privacy Act

1 source controls mapped|1 target controls covered

EU Digital Markets Act

1 source controls mapped|1 target controls covered

PCI SSF

1 source controls mapped|1 target controls covered

ILO Nursing Personnel Convention C149 (1977)

1 source controls mapped|1 target controls covered

EU Anti-Money Laundering Directive (AMLD6 / Directive 2018/1673)

1 source controls mapped|1 target controls covered

ISO 8000 — Data Quality

1 source controls mapped|1 target controls covered

FATF Recommendation 16 — Virtual Asset Travel Rule

1 source controls mapped|1 target controls covered

Privacy by Design (PbD) — Seven Foundational Principles

1 source controls mapped|1 target controls covered

BS 65000:2014 — Guidance on Organizational Resilience

1 source controls mapped|1 target controls covered

Iowa Consumer Data Protection Act

1 source controls mapped|1 target controls covered

HKMA SPM

1 source controls mapped|1 target controls covered

ISO/IEC 27011:2024

1 source controls mapped|1 target controls covered

China PIPL

1 source controls mapped|1 target controls covered

POPIA

1 source controls mapped|1 target controls covered

Switzerland FADP

1 source controls mapped|1 target controls covered

LGPD

1 source controls mapped|1 target controls covered

OSFI B-13

1 source controls mapped|1 target controls covered

Iceland DPA

1 source controls mapped|1 target controls covered

CFTC System Safeguards (17 CFR 37, 38, 39, 49)

1 source controls mapped|2 target controls covered

EIOPA Guidelines on ICT Security and Governance (2020)

1 source controls mapped|2 target controls covered

Telecommunications Sector Security Reforms (TSSR)

1 source controls mapped|2 target controls covered

Defence Security Principles Framework (DSPF)

1 source controls mapped|2 target controls covered

Protective Security Policy Framework (PSPF) Release 2024

1 source controls mapped|2 target controls covered

EDM Council CDMC — Cloud Data Management Capabilities Framework

1 source controls mapped|1 target controls covered

Liechtenstein DPA

1 source controls mapped|1 target controls covered

HKMA Cyber Resilience Assessment Framework (C-RAF)

1 source controls mapped|1 target controls covered

GLBA

1 source controls mapped|1 target controls covered

AS9100D:2016 — Quality Management Systems for Aviation, Space, and Defence

1 source controls mapped|1 target controls covered

ISO/IEC 27557:2022 — Organisational Privacy Risk Management

1 source controls mapped|1 target controls covered

Minnesota Consumer Data Privacy Act

1 source controls mapped|1 target controls covered

RBI Cybersecurity Framework for Banks

1 source controls mapped|1 target controls covered

PSD2 SCA

1 source controls mapped|1 target controls covered

NIST SP 800-122

1 source controls mapped|1 target controls covered

Saudi Arabia PDPL

1 source controls mapped|1 target controls covered

Vietnam PDPD

1 source controls mapped|1 target controls covered

ISO 22739:2024 — Blockchain and Distributed Ledger Technologies Vocabulary

1 source controls mapped|1 target controls covered

PIPEDA

1 source controls mapped|1 target controls covered

COPPA

1 source controls mapped|1 target controls covered

ECB TIBER-EU

1 source controls mapped|1 target controls covered

Tennessee IPA

1 source controls mapped|1 target controls covered

SOC for Cybersecurity — Cybersecurity Risk Management Examination

1 source controls mapped|1 target controls covered

NATO STANAG 4774/4778 — Confidentiality Metadata Labels

1 source controls mapped|2 target controls covered

UK Data Protection Act 2018

1 source controls mapped|1 target controls covered

US ITAR and EAR — Export Control and Data Security

1 source controls mapped|2 target controls covered

UAE PDPL

1 source controls mapped|1 target controls covered

AICPA SOC 3

1 source controls mapped|1 target controls covered

SWIFT CSP

1 source controls mapped|1 target controls covered

AICPA SOC 1

1 source controls mapped|1 target controls covered

Utah Consumer Privacy Act

1 source controls mapped|1 target controls covered

Taiwan PDPA

1 source controls mapped|1 target controls covered

Texas Data Privacy Act

1 source controls mapped|1 target controls covered

Uruguay DPL

1 source controls mapped|1 target controls covered

Virginia CDPA

1 source controls mapped|1 target controls covered

SWIFT CSCF

1 source controls mapped|1 target controls covered

Compare FIDO2 and W3C WebAuthn Standard with FDA 21 CFR Part 11

Frequently Asked Questions

What is FIDO2 and W3C WebAuthn Standard?

FIDO2 and W3C WebAuthn Standard is a compliance framework from International (W3C / FIDO Alliance) with 5 domains and 22 controls. FIDO2 (Fast IDentity Online) comprises the W3C Web Authentication (WebAuthn) specification and the FIDO Alliance Client-to-Authenticator Protocol (CTAP). WebAuthn Level 3 (2025) enables passwordless authentication using public key cryptography. Authenticators include platform authenticators (biometrics), roaming authenticators (security keys), and passkeys (synced credentials). Supported by all major browsers and operating systems. Over 15 billion accounts enabled for passkey sign-in. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does FIDO2 and W3C WebAuthn Standard have?

FIDO2 and W3C WebAuthn Standard has 22 controls organised across 5 domains. The largest domains are Authenticator Requirements (CTAP2) (5 controls), Security and Privacy Requirements (5 controls), Attestation and Trust (4 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does FIDO2 and W3C WebAuthn Standard map to?

FIDO2 and W3C WebAuthn Standard maps to 295 other compliance frameworks. The top mapping partners are FDA 21 CFR Part 11 (14% coverage), CNCF Cloud Native Security (Cloud Native Computing Foundation) (14% coverage), HL7 FHIR Security Framework (14% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with FIDO2 and W3C WebAuthn Standard compliance?

Start your FIDO2 and W3C WebAuthn Standard compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about FIDO2 and W3C WebAuthn Standard requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 22 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 692 frameworks.

Get Started Free →

Free forever — no credit card required