FIDO2 and W3C WebAuthn Standard

International (W3C / FIDO Alliance)

vWebAuthn Level 3 (2025)

23 domains

43 controls

FIDO2 (Fast IDentity Online) comprises the W3C Web Authentication (WebAuthn) specification and the FIDO Alliance Client-to-Authenticator Protocol (CTAP). WebAuthn Level 3 (2025) enables passwordless authentication using public key cryptography. Authenticators include platform authenticators (biometrics), roaming authenticators (security keys), and passkeys (synced credentials). Supported by all major browsers and operating systems. Over 15 billion accounts enabled for passkey sign-in.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (23)

Accessibility

1 controls

Controls in the Accessibility domain of FIDO2 and W3C WebAuthn Standard — 1 controls
Code	Title	Description
FIDO2-V2-16	Accessibility of Passkey Flows	Ensure flows are accessible to users with disabilities, including alternative authenticators.

Assurance

1 controls

Controls in the Assurance domain of FIDO2 and W3C WebAuthn Standard — 1 controls
Code	Title	Description
FIDO2-V2-18	Threat Model Documentation	Maintain a threat model that addresses phishing, AiTM, malware, and social engineering.

Attestation

1 controls

Controls in the Attestation domain of FIDO2 and W3C WebAuthn Standard — 1 controls
Code	Title	Description
FIDO2-V2-5	Attestation Format Support	Support packed, fido-u2f, tpm, android-key, android-safetynet, apple, and none formats per policy.

Attestation and Trust

4 controls

Controls in the Attestation and Trust domain of FIDO2 and W3C WebAuthn Standard — 4 controls
Code	Title	Description
ATT-1	Attestation Formats	Servers must support at least one attestation format such as packed, TPM, Android Key, or FIDO U2F.
ATT-2	Attestation Types	The specification supports basic, self, attestation CA, and anonymization CA attestation types.
ATT-3	Metadata Service Integration	Relying parties may use the FIDO Metadata Service to verify authenticator trust and security properties.
ATT-4	Enterprise Attestation	Enterprise attestation enables organisations to obtain uniquely identifying attestation for managed authenticators.

Audit

1 controls

Controls in the Audit domain of FIDO2 and W3C WebAuthn Standard — 1 controls
Code	Title	Description
FIDO2-V2-20	Audit and Forensic Readiness	Retain audit logs sufficient for forensic reconstruction of registration and authentication events.

Authentication Ceremony

4 controls

Controls in the Authentication Ceremony domain of FIDO2 and W3C WebAuthn Standard — 4 controls
Code	Title	Description
WebAuthn-6.1	Authentication Challenge	Relying parties must generate a unique challenge for each authentication request to prevent replay attacks.
WebAuthn-6.2	Assertion Verification	Relying parties must verify the authenticator assertion including signature, origin, and challenge binding.
WebAuthn-6.3	User Verification	Authenticators must verify user identity through biometrics, PIN, or other local verification methods.
WebAuthn-6.4	Counter Verification	Relying parties should verify the signature counter to detect potentially cloned authenticators.

Authenticator

1 controls

Controls in the Authenticator domain of FIDO2 and W3C WebAuthn Standard — 1 controls
Code	Title	Description
FIDO2-V2-7	Discoverable Credentials Storage Limits	Account for storage slot limits and graceful failure on full authenticators.

Authenticator Compatibility

1 controls

Controls in the Authenticator Compatibility domain of FIDO2 and W3C WebAuthn Standard — 1 controls
Code	Title	Description
FIDO2-V2-2	CTAP Version Support Strategy	Document CTAP2.0, 2.1, 2.2 support and capability detection for clients.

Authenticator Requirements (CTAP2)

5 controls

Controls in the Authenticator Requirements (CTAP2) domain of FIDO2 and W3C WebAuthn Standard — 5 controls
Code	Title	Description
CTAP2-1	Authenticator API Commands	Authenticators must implement CTAP2 commands for credential management including makeCredential and getAssertion.
CTAP2-2	Transport Protocols	Authenticators must support at least one transport protocol such as USB HID, NFC, or Bluetooth Low Energy.
CTAP2-3	PIN/UV Protocol	Authenticators must support client PIN or built-in user verification protocols for user identity confirmation.
CTAP2-4	Credential Management	Authenticators must manage resident credentials including creation, enumeration, and deletion capabilities.
CTAP2-5	Authenticator Configuration	Authenticators must support configuration operations including PIN change and reset functionality.

Cryptography

1 controls

Controls in the Cryptography domain of FIDO2 and W3C WebAuthn Standard — 1 controls
Code	Title	Description
FIDO2-V2-12	Server-Side Random Number Generation	Use CSPRNG for challenge generation; document entropy source.

Lifecycle

1 controls

Controls in the Lifecycle domain of FIDO2 and W3C WebAuthn Standard — 1 controls
Code	Title	Description
FIDO2-V2-17	Decommissioning Lost or Stolen Authenticators	Procedure to revoke compromised authenticators and notify users.

Mobile Implementation

1 controls

Controls in the Mobile Implementation domain of FIDO2 and W3C WebAuthn Standard — 1 controls
Code	Title	Description
FIDO2-V2-11	Origin Validation in Mobile Webviews	Use App Links, Universal Links, and assetlinks.json to bind credentials to native apps and web origins.

Operations

2 controls

Controls in the Operations domain of FIDO2 and W3C WebAuthn Standard — 2 controls
Code	Title	Description
FIDO2-V2-14	Rate Limiting and Account Lockout	Apply rate limits for registration and authentication ceremonies to deter abuse.
FIDO2-V2-19	Performance and Latency Targets	Define and measure latency targets for ceremonies across regions.

Passkey Policy

1 controls

Controls in the Passkey Policy domain of FIDO2 and W3C WebAuthn Standard — 1 controls
Code	Title	Description
FIDO2-V2-10	Backup Eligibility and Backup State Flags	Interpret BE and BS flags to differentiate synced from device-bound passkeys for risk-based decisions.

Privacy

1 controls

Controls in the Privacy domain of FIDO2 and W3C WebAuthn Standard — 1 controls
Code	Title	Description
FIDO2-V2-21	Cross-Border Data and Privacy Considerations	Address cross-border data implications of authenticator usage and biometric template handling.

Protocol Extensions

1 controls

Controls in the Protocol Extensions domain of FIDO2 and W3C WebAuthn Standard — 1 controls
Code	Title	Description
FIDO2-V2-9	Extensions Use and Validation	Use and validate WebAuthn extensions (credProps, largeBlob, hmac-secret) appropriately.

Registration Ceremony

4 controls

Controls in the Registration Ceremony domain of FIDO2 and W3C WebAuthn Standard — 4 controls
Code	Title	Description
WebAuthn-5.1	Credential Creation	Relying parties must initiate credential creation by generating a challenge and specifying public key credential paramet...
WebAuthn-5.2	Authenticator Selection	Relying parties may specify authenticator requirements including attachment type, resident key, and user verification.
WebAuthn-5.3	Attestation Statement Verification	Relying parties must verify the attestation statement returned by the authenticator during registration.
WebAuthn-5.4	Credential Storage	Relying parties must securely store the public key credential and associated data returned during registration.

Security and Privacy Requirements

5 controls

Controls in the Security and Privacy Requirements domain of FIDO2 and W3C WebAuthn Standard — 5 controls
Code	Title	Description
SEC-1	Aviation Security Programme	The operator implements an aviation security programme approved by the appropriate authority covering people, property a...
SEC-2	Security Threat and Risk Assessment	The operator conducts security threat and risk assessments and implements proportionate countermeasures including for sp...
SEC-3	Security Training and Awareness	All personnel with security responsibilities receive role specific training including unruly passenger management and sc...
SEC-4	Privacy Considerations	Authenticators must not enable tracking across relying parties and should support credential isolation.
SEC-5	Channel Binding	Assertions are bound to the TLS channel to prevent man-in-the-middle attacks during authentication.

Server Implementation

3 controls

Controls in the Server Implementation domain of FIDO2 and W3C WebAuthn Standard — 3 controls
Code	Title	Description
FIDO2-V2-13	Anti-Replay and Timestamping	Enforce one-time challenge use with TTL and reject reused challenges.
FIDO2-V2-3	Registration Ceremony Validation	Validate clientDataJSON, attestationObject, RP ID hash, flags, and signature during registration.
FIDO2-V2-4	Authentication Ceremony Validation	Validate authenticatorData, signature, counter, RP ID hash, and user verification on authentication.

Session

1 controls

Controls in the Session domain of FIDO2 and W3C WebAuthn Standard — 1 controls
Code	Title	Description
FIDO2-V2-15	Session Binding and Token Issuance	Bind authenticated sessions to WebAuthn assertion outputs and reauthenticate for sensitive actions.

Standards Conformance

1 controls

Controls in the Standards Conformance domain of FIDO2 and W3C WebAuthn Standard — 1 controls
Code	Title	Description
FIDO2-V2-1	WebAuthn Level Conformance Target	Declare target WebAuthn level (L2 or L3) and document which features are in scope.

Trust

1 controls

Controls in the Trust domain of FIDO2 and W3C WebAuthn Standard — 1 controls
Code	Title	Description
FIDO2-V2-6	Trust Anchor Management	Maintain trust anchors for attestation root CAs, refreshed from FIDO MDS3 regularly.

User Verification

1 controls

Controls in the User Verification domain of FIDO2 and W3C WebAuthn Standard — 1 controls
Code	Title	Description
FIDO2-V2-8	PIN and Biometric Policies	Configure PIN minimum length, retry limits, and biometric template handling on authenticators.

Your Compliance Coverage

If you comply with FIDO2 and W3C WebAuthn Standard, you already cover:

FDA 21 CFR Part 11

3 controls mapped

Compare →

CNCF Cloud Native Security (Cloud Native Computing Foundation)

3 controls mapped

Compare →

HL7 FHIR Security Framework

3 controls mapped

Compare →

+ 308 more: 3GPP Security Architecture (TS 33.501 — 5G Security) (7%), NIST SP 800-92 (7%)

See all 311 mapped frameworks ↓

Maps to 311 other frameworks

43 total controls

FDA 21 CFR Part 11

3 source controls mapped|3 target controls covered

CNCF Cloud Native Security (Cloud Native Computing Foundation)

3 source controls mapped|3 target controls covered

HL7 FHIR Security Framework

3 source controls mapped|4 target controls covered

3GPP Security Architecture (TS 33.501 — 5G Security)

3 source controls mapped|5 target controls covered

NIST SP 800-92

3 source controls mapped|4 target controls covered

NIST SP 800-124 Rev 2 — Mobile Device Security

3 source controls mapped|3 target controls covered

CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0

3 source controls mapped|5 target controls covered

NIST SP 800-115

3 source controls mapped|4 target controls covered

ISO/SAE 21434

3 source controls mapped|4 target controls covered

NIST SP 800-171A Rev 3 — Assessing CUI Security Requirements

3 source controls mapped|5 target controls covered

FedRAMP Rev 5

3 source controls mapped|7 target controls covered

PropTech Security Standards — Smart Building Cybersecurity

3 source controls mapped|2 target controls covered

NIST SP 800-123

3 source controls mapped|4 target controls covered

AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association)

3 source controls mapped|3 target controls covered

NIST SP 800-53 Rev 5

3 source controls mapped|5 target controls covered

OpenSSF Scorecard

3 source controls mapped|4 target controls covered

ASD Strategies to Mitigate Cyber Security Incidents

3 source controls mapped|3 target controls covered

MITRE ATT&CK

3 source controls mapped|4 target controls covered

CISA ICS-CERT Advisories and Industrial Control Systems Security Guidelines

3 source controls mapped|3 target controls covered

NIS2 Directive Implementing Acts

3 source controls mapped|5 target controls covered

FBI CJIS Security Policy

3 source controls mapped|5 target controls covered

CCSDS 350.0-G-3 — Space Communications Security (Consultative Committee for Space Data Systems)

3 source controls mapped|6 target controls covered

California IoT Security Law

3 source controls mapped|4 target controls covered

NIST SP 800-53A

3 source controls mapped|2 target controls covered

US Gramm-Leach-Bliley Act (GLBA) — Higher Education Safeguards Rule

3 source controls mapped|5 target controls covered

NYDFS Cybersecurity Regulation (23 NYCRR Part 500)

3 source controls mapped|5 target controls covered

HIPAA Security Rule

3 source controls mapped|5 target controls covered

O-RAN Alliance Security Specifications (O-RAN.WG11)

3 source controls mapped|2 target controls covered

PTES

3 source controls mapped|4 target controls covered

OWASP ASVS

3 source controls mapped|4 target controls covered

ISO 27017

3 source controls mapped|2 target controls covered

NIST SP 800-128

3 source controls mapped|4 target controls covered

Regional Comprehensive Economic Partnership (RCEP) — E-Commerce Chapter

3 source controls mapped|1 target controls covered

DFARS 252.204-7012 — Safeguarding Covered Defense Information

3 source controls mapped|3 target controls covered

Connecticut Data Privacy Act (CTDPA)

3 source controls mapped|5 target controls covered

Illinois Biometric Information Privacy Act (BIPA)

3 source controls mapped|3 target controls covered

NAIC Insurance Data Security Model Law (MDL-668)

3 source controls mapped|5 target controls covered

Modern Slavery Act 2018 (Australia)

3 source controls mapped|3 target controls covered

GLI-33 — Gaming Laboratories International Event Wagering Systems

3 source controls mapped|3 target controls covered

3GPP 5G Security Architecture (TS 33.501)

3 source controls mapped|4 target controls covered

ISO 19011

3 source controls mapped|3 target controls covered

ISO 15189:2022 — Medical Laboratories Requirements for Quality and Competence

3 source controls mapped|3 target controls covered

CIS Controls v8

3 source controls mapped|5 target controls covered

NIST SP 800-181

3 source controls mapped|4 target controls covered

ISO 27018

3 source controls mapped|2 target controls covered

NIST SP 800-61

3 source controls mapped|4 target controls covered

Russia Federal Law on Personal Data (152-FZ)

3 source controls mapped|1 target controls covered

ASD Information Security Manual (ISM)

3 source controls mapped|8 target controls covered

TEFCA — Trusted Exchange Framework and Common Agreement

3 source controls mapped|2 target controls covered

NIST SP 800-187

3 source controls mapped|4 target controls covered

EMV 3-D Secure (3DS2) — Payment Authentication Protocol

3 source controls mapped|4 target controls covered

DAMA-DMBOK2 — Data Management Body of Knowledge (2nd Edition)

3 source controls mapped|1 target controls covered

ISO 13485

3 source controls mapped|4 target controls covered

NIST SP 800-171A — Assessing CUI Security Requirements

3 source controls mapped|5 target controls covered

ISO 27002:2022

3 source controls mapped|4 target controls covered

OWASP Top 10:2025

3 source controls mapped|3 target controls covered

FTC Safeguards Rule (16 CFR Part 314)

3 source controls mapped|2 target controls covered

DoD Zero Trust Reference Architecture

3 source controls mapped|2 target controls covered

MITRE D3FEND

3 source controls mapped|4 target controls covered

NIST SP 800-160

3 source controls mapped|4 target controls covered

UK Gambling Commission — Cyber Resilience Requirements

3 source controls mapped|2 target controls covered

ISMAP (Japan)

3 source controls mapped|2 target controls covered

NIST SP 800-218

3 source controls mapped|4 target controls covered

OWASP API Security Top 10:2023

3 source controls mapped|2 target controls covered

PCI DSS v4.0

3 source controls mapped|6 target controls covered

CSA CCM v4

3 source controls mapped|6 target controls covered

NIST SP 800-63

3 source controls mapped|4 target controls covered

CISA Secure by Design Principles

3 source controls mapped|4 target controls covered

Azure Security Benchmark

3 source controls mapped|2 target controls covered

NIST SP 800-207

3 source controls mapped|4 target controls covered

ASD Essential Eight Maturity Model

3 source controls mapped|3 target controls covered

NIST SP 800-172

3 source controls mapped|2 target controls covered

MDS2 (Medical Device)

3 source controls mapped|3 target controls covered

Belgium CyberFundamentals

3 source controls mapped|2 target controls covered

NIST SP 800-88

3 source controls mapped|4 target controls covered

USMCA Chapter 19 — Digital Trade (United States-Mexico-Canada Agreement)

3 source controls mapped|1 target controls covered

NIST Privacy Framework Version 1.0

3 source controls mapped|1 target controls covered

South Korea ISMS-P

3 source controls mapped|2 target controls covered

CISA Zero Trust Maturity Model

3 source controls mapped|2 target controls covered

PAS 1192-5:2015 — Security-Minded Approach to BIM and Digital Built Environments

3 source controls mapped|4 target controls covered

Canada ITSG-33 — IT Security Risk Management

3 source controls mapped|4 target controls covered

New Zealand Information Security Manual (NZISM)

3 source controls mapped|4 target controls covered

MARS-E — Minimum Acceptable Risk Standards for Exchanges

3 source controls mapped|4 target controls covered

South Korea Cloud Security Assurance Program (CSAP)

3 source controls mapped|4 target controls covered

NRC 10 CFR 73.54 — Nuclear Facility Cybersecurity

3 source controls mapped|4 target controls covered

Bank Secrecy Act / Anti-Money Laundering (BSA/AML)

3 source controls mapped|1 target controls covered

UK Open Banking Standard

3 source controls mapped|4 target controls covered

US Consumer Product Safety Commission (CPSC) — Connected Product Safety

3 source controls mapped|1 target controls covered

MARS-E

3 source controls mapped|3 target controls covered

AML/CTF Act 2006 (Australia)

3 source controls mapped|1 target controls covered

NIST SP 800-150

3 source controls mapped|4 target controls covered

NIST SP 800-161

3 source controls mapped|4 target controls covered

Colorado Privacy Act (CPA)

3 source controls mapped|4 target controls covered

Vermont Artificial Intelligence and Consumer Data Act (AICDA)

3 source controls mapped|2 target controls covered

Digital Economy Partnership Agreement (DEPA)

3 source controls mapped|2 target controls covered

FISMA

3 source controls mapped|2 target controls covered

OWASP SAMM

3 source controls mapped|4 target controls covered

NIST SP 800-137

3 source controls mapped|4 target controls covered

EBA Guidelines on ICT and Security Risk Management (EBA/GL/2024/07)

3 source controls mapped|1 target controls covered

Cyber Essentials Plus

3 source controls mapped|2 target controls covered

ISO/IEC 27400:2022

3 source controls mapped|2 target controls covered

ANSSI Cybersecurity Framework

3 source controls mapped|2 target controls covered

AWS Well-Architected Security Pillar

3 source controls mapped|2 target controls covered

ISO/IEC 29115:2023 — Entity Authentication Assurance Framework

3 source controls mapped|4 target controls covered

Proposal for a Regulation on Cyber Resilience Act (CRA)

3 source controls mapped|4 target controls covered

ISO 27043

3 source controls mapped|4 target controls covered

BSIMM

3 source controls mapped|4 target controls covered

ASIC Cyber Resilience Good Practices

3 source controls mapped|1 target controls covered

OWASP MASVS

3 source controls mapped|4 target controls covered

Armenia Law on Protection of Personal Data (2015)

3 source controls mapped|2 target controls covered

NIST Cybersecurity Framework 2.0

3 source controls mapped|2 target controls covered

ISO 27799

3 source controls mapped|3 target controls covered

Spain ENS

3 source controls mapped|2 target controls covered

BSI IT-Grundschutz

3 source controls mapped|2 target controls covered

IRS Publication 1075 — Tax Information Security Guidelines

3 source controls mapped|2 target controls covered

EU Maritime Single Window Environment Regulation (EU) 2019/1239

3 source controls mapped|1 target controls covered

NIST SP 800-82 Rev 3 — Guide to OT Security

3 source controls mapped|2 target controls covered

NIST SP 800-66

3 source controls mapped|3 target controls covered

CSA STAR (Security, Trust, Assurance, and Risk)

3 source controls mapped|2 target controls covered

EU Cyber Solidarity Act (Regulation (EU) 2025/38)

3 source controls mapped|1 target controls covered

RFC 2350 — Expectations for Computer Security Incident Response (BCP 21)

3 source controls mapped|2 target controls covered

FIDO2 / WebAuthn — Passwordless Authentication Standard

3 source controls mapped|3 target controls covered

CWE Top 25 Most Dangerous Software Weaknesses (2024)

3 source controls mapped|3 target controls covered

Lebanon Electronic Transactions and Personal Data Protection Law (Law No. 81/2018)

3 source controls mapped|2 target controls covered

Wisconsin Data Privacy Act (SB 670)

3 source controls mapped|3 target controls covered

Tennessee Information Protection Act (TIPA)

3 source controls mapped|2 target controls covered

UK Telecommunications (Security) Act 2021

3 source controls mapped|3 target controls covered

NIST SP 800-183

3 source controls mapped|4 target controls covered

C5 (Germany)

3 source controls mapped|2 target controls covered

NIST SP 800-190

3 source controls mapped|2 target controls covered

CAIQ (CSA)

3 source controls mapped|2 target controls covered

ETSI EN 303 645

3 source controls mapped|4 target controls covered

IATA Operational Safety Audit (IOSA) Standards Manual

3 source controls mapped|2 target controls covered

W3C Verifiable Credentials (VC) Data Model 2.0

3 source controls mapped|3 target controls covered

Ghana Cybersecurity Act

3 source controls mapped|2 target controls covered

Chile Personal Data Protection Law (Law No. 21.719)

3 source controls mapped|2 target controls covered

Saudi NCA ECC

3 source controls mapped|2 target controls covered

ISO 27001:2022

3 source controls mapped|3 target controls covered

eIDAS 2.0 — EU Digital Identity Regulation

3 source controls mapped|1 target controls covered

NIST SP 800-144

3 source controls mapped|2 target controls covered

NIST Privacy Framework 1.0

3 source controls mapped|3 target controls covered

US Maritime Transportation Security Act (MTSA) and USCG Cybersecurity Requirements

3 source controls mapped|1 target controls covered

FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011)

3 source controls mapped|3 target controls covered

EU Payment Services Directive (PSD2) – Under Review

3 source controls mapped|3 target controls covered

OWASP DevSecOps Maturity Model (DSOMM)

3 source controls mapped|1 target controls covered

3GPP Security

3 source controls mapped|5 target controls covered

NIST SP 800-171

3 source controls mapped|2 target controls covered

NIST SP 800-146

3 source controls mapped|2 target controls covered

ISO/IEC 23837 — Security Requirements for Quantum Key Distribution

3 source controls mapped|4 target controls covered

OWASP Top 10 for LLM Applications 2025

3 source controls mapped|2 target controls covered

TISAX — Trusted Information Security Assessment Exchange

3 source controls mapped|4 target controls covered

SWIFT CSCF

3 source controls mapped|2 target controls covered

SWIFT CSCF v2024

3 source controls mapped|1 target controls covered

MTCS (Singapore)

3 source controls mapped|2 target controls covered

FAA Cybersecurity Framework for Aviation

3 source controls mapped|2 target controls covered

Oman National Cybersecurity Framework

3 source controls mapped|2 target controls covered

EN 301 549 — ICT Accessibility Requirements

3 source controls mapped|1 target controls covered

TSA Pipeline Cybersecurity Directives

3 source controls mapped|1 target controls covered

IACS Unified Requirements E26/E27 — Cyber Resilience of Ships and On-Board Systems

3 source controls mapped|1 target controls covered

US EPA Safe Drinking Water Act (SDWA) — Cybersecurity Requirements

3 source controls mapped|1 target controls covered

Australian Energy Sector Cyber Security Framework (AESCSF)

3 source controls mapped|1 target controls covered

NIST SP 800-145

3 source controls mapped|2 target controls covered

WCO Authorised Economic Operator (AEO) Framework

3 source controls mapped|1 target controls covered

NRF Cybersecurity and Data Privacy Framework (National Retail Federation)

3 source controls mapped|1 target controls covered

WCO SAFE Framework of Standards to Secure and Facilitate Global Trade (2021)

3 source controls mapped|1 target controls covered

Customs-Trade Partnership Against Terrorism (C-TPAT)

3 source controls mapped|1 target controls covered

Critical Raw Materials Act (Proposed Regulation COM(2023) 192)

3 source controls mapped|1 target controls covered

EU Chips Act (Regulation (EU) 2023/1781) — potential incorrect regulation number

3 source controls mapped|1 target controls covered

PCI DSS 4.0

3 source controls mapped|1 target controls covered

Proposal for a Regulation on the European Health Data Space (EHDS)

3 source controls mapped|1 target controls covered

SSDF (NIST)

3 source controls mapped|4 target controls covered

TSA Pipeline Security

3 source controls mapped|1 target controls covered

SLSA

3 source controls mapped|4 target controls covered

ITU-T X.805 — Security Architecture for End-to-End Communications

3 source controls mapped|1 target controls covered

UNECE WP.29 R156

3 source controls mapped|4 target controls covered

SIG (Shared Assessments)

3 source controls mapped|4 target controls covered

Sigstore — Software Artifact Signing and Verification

3 source controls mapped|2 target controls covered

Florida Digital Bill of Rights (SB 262)

3 source controls mapped|2 target controls covered

SSAE 18 — Attestation Standards (SOC Reporting)

3 source controls mapped|1 target controls covered

FTC GLBA Safeguards Rule (16 CFR Part 314)

3 source controls mapped|2 target controls covered

SWIFT Customer Security Programme (CSP)

3 source controls mapped|3 target controls covered

Zimbabwe Data Protection Act (2021)

3 source controls mapped|1 target controls covered

UK PSTI Act

3 source controls mapped|4 target controls covered

DISA Security Technical Implementation Guides (STIGs)

3 source controls mapped|5 target controls covered

UNECE WP.29 R155

3 source controls mapped|4 target controls covered

WCAG 2.2

3 source controls mapped|2 target controls covered

US Executive Order 14028 — Improving the Nation's Cybersecurity

3 source controls mapped|1 target controls covered

ESRB Privacy Certified

1 source controls mapped|2 target controls covered

Hungary Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act)

1 source controls mapped|2 target controls covered

Kenya DPA

1 source controls mapped|1 target controls covered

Kenya Data Protection Act

1 source controls mapped|1 target controls covered

India DPDP Act

1 source controls mapped|1 target controls covered

FFIEC IT Examination Handbook

1 source controls mapped|1 target controls covered

ISO/IEC 27010:2015

1 source controls mapped|1 target controls covered

Law No. 172-13 on the Protection of Personal Data

1 source controls mapped|1 target controls covered

Ley Orgánica de Protección de Datos Personales (LOPDP)

1 source controls mapped|1 target controls covered

Bahrain PDPL

1 source controls mapped|1 target controls covered

Indonesia PDP Law

1 source controls mapped|1 target controls covered

CCPA/CPRA

1 source controls mapped|1 target controls covered

NSA Quantum-Resistant (QR) Cryptography Migration Guidance

1 source controls mapped|3 target controls covered

EAR — Export Administration Regulations

1 source controls mapped|2 target controls covered

PCI PIN Security

1 source controls mapped|1 target controls covered

Open Banking Security

1 source controls mapped|1 target controls covered

PDPA Singapore

1 source controls mapped|1 target controls covered

Oregon Consumer Privacy Act

1 source controls mapped|1 target controls covered

Peru DPL

1 source controls mapped|1 target controls covered

Turkey KVKK

1 source controls mapped|1 target controls covered

Turkey Personal Data Protection Law (KVKK — Law No. 6698)

1 source controls mapped|1 target controls covered

Mexico LFPDPPP

1 source controls mapped|1 target controls covered

PCI P2PE

1 source controls mapped|1 target controls covered

Indiana Consumer Data Protection Act

1 source controls mapped|1 target controls covered

Delaware Online Privacy and Protection Act (proposed)

1 source controls mapped|1 target controls covered

NIST SP 800-34 Rev 1 — Contingency Planning Guide

1 source controls mapped|1 target controls covered

Singapore Government Instruction Manual on ICT&SS Management (IM8)

1 source controls mapped|1 target controls covered

ENISA Privacy-Enhancing Technologies Reports and Recommendations

1 source controls mapped|2 target controls covered

Nebraska Data Privacy Act

1 source controls mapped|1 target controls covered

NIST Post-Quantum Cryptography Standards (FIPS 203, 204, 205)

1 source controls mapped|3 target controls covered

PDPA Thailand

1 source controls mapped|1 target controls covered

APRA CPS 234

1 source controls mapped|1 target controls covered

Australian Information Security Manual

1 source controls mapped|2 target controls covered

Nigeria NDPR

1 source controls mapped|1 target controls covered

Privacy Act 1988 (Australia)

1 source controls mapped|1 target controls covered

MAS TRM

1 source controls mapped|1 target controls covered

New Zealand Privacy Act

1 source controls mapped|1 target controls covered

ISO 27701

1 source controls mapped|1 target controls covered

Rwanda DPL

1 source controls mapped|1 target controls covered

BCBS 239

1 source controls mapped|1 target controls covered

CTDPA (Connecticut Data Privacy Act)

1 source controls mapped|1 target controls covered

NIST AI Risk Management Framework (AI RMF 1.0)

1 source controls mapped|1 target controls covered

NIST AI 600-1 Generative AI Profile

1 source controls mapped|1 target controls covered

APPI

1 source controls mapped|1 target controls covered

Argentina PDPA

1 source controls mapped|1 target controls covered

Montana Consumer Data Privacy Act

1 source controls mapped|1 target controls covered

NSA CNSA Suite 2.0 — Commercial National Security Algorithm Suite

1 source controls mapped|3 target controls covered

Qatar DPL

1 source controls mapped|1 target controls covered

Law 1581 of 2012 - Statutory Framework for the Protection of Personal Data

1 source controls mapped|1 target controls covered

New Jersey Data Privacy Act

1 source controls mapped|1 target controls covered

HITECH Act

1 source controls mapped|1 target controls covered

Norway PDPA

1 source controls mapped|1 target controls covered

ISO 31000:2018

1 source controls mapped|1 target controls covered

DORA

1 source controls mapped|1 target controls covered

Chile DPL

1 source controls mapped|1 target controls covered

Nigeria Open Banking Regulatory Framework (CBN, 2023)

1 source controls mapped|1 target controls covered

Philippines DPA

1 source controls mapped|1 target controls covered

Philippines Data Privacy Act (RA 10173)

1 source controls mapped|1 target controls covered

New Hampshire Privacy Act

1 source controls mapped|1 target controls covered

Mauritius DPA

1 source controls mapped|1 target controls covered

UK Defence Standard 05-138 — Cyber Security for Defence Suppliers

1 source controls mapped|1 target controls covered

Jamaica DPA

1 source controls mapped|1 target controls covered

FERPA

1 source controls mapped|1 target controls covered

Malaysia PDPA 2010

1 source controls mapped|1 target controls covered

Colorado Privacy Act

1 source controls mapped|1 target controls covered

IEC 62351 — Power Systems Communication Security

1 source controls mapped|1 target controls covered

Kentucky Consumer Data Protection Act

1 source controls mapped|1 target controls covered

Maryland Online Data Privacy Act

1 source controls mapped|1 target controls covered

EU Digital Markets Act

1 source controls mapped|1 target controls covered

PCI SSF

1 source controls mapped|1 target controls covered

ILO Nursing Personnel Convention C149 (1977)

1 source controls mapped|1 target controls covered

6th Anti-Money Laundering Directive (AMLD6, Directive (EU) 2018/1673)

1 source controls mapped|1 target controls covered

ISO 8000 — Data Quality

1 source controls mapped|1 target controls covered

FATF Recommendation 16 — Virtual Asset Travel Rule

1 source controls mapped|1 target controls covered

Privacy by Design (PbD) — Seven Foundational Principles

1 source controls mapped|1 target controls covered

BS 65000:2014 — Guidance on Organizational Resilience

1 source controls mapped|1 target controls covered

Iowa Consumer Data Protection Act

1 source controls mapped|1 target controls covered

HKMA SPM

1 source controls mapped|1 target controls covered

ISO/IEC 27011:2024

1 source controls mapped|1 target controls covered

China PIPL

1 source controls mapped|1 target controls covered

POPIA

1 source controls mapped|1 target controls covered

Switzerland FADP

1 source controls mapped|1 target controls covered

LGPD

1 source controls mapped|1 target controls covered

OSFI B-13

1 source controls mapped|1 target controls covered

Iceland DPA

1 source controls mapped|1 target controls covered

CFTC System Safeguards (17 CFR 37, 38, 39, 49)

1 source controls mapped|2 target controls covered

EIOPA Guidelines on ICT Security and Governance (2023)

1 source controls mapped|2 target controls covered

Telecommunications Sector Security Reforms (TSSR)

1 source controls mapped|2 target controls covered

Defence Security Principles Framework (DSPF)

1 source controls mapped|2 target controls covered

Protective Security Policy Framework (PSPF) Release 2024

1 source controls mapped|2 target controls covered

EDM Council CDMC — Cloud Data Management Capability Framework

1 source controls mapped|1 target controls covered

Liechtenstein DPA

1 source controls mapped|1 target controls covered

HKMA Cyber Resilience Assessment Framework (C-RAF)

1 source controls mapped|1 target controls covered

GLBA

1 source controls mapped|1 target controls covered

AS9100D:2016 — Quality Management Systems for Aviation, Space, and Defence

1 source controls mapped|1 target controls covered

ISO 27005

1 source controls mapped|1 target controls covered

ISO 20000-1

1 source controls mapped|1 target controls covered

ISO/IEC 42001:2023

1 source controls mapped|1 target controls covered

ISO/IEC 27557:2022 — Organisational Privacy Risk Management

1 source controls mapped|1 target controls covered

Minnesota Consumer Data Privacy Act

1 source controls mapped|1 target controls covered

RBI Cybersecurity Framework for Banks

1 source controls mapped|1 target controls covered

PSD2 SCA

1 source controls mapped|1 target controls covered

NIST SP 800-122

1 source controls mapped|1 target controls covered

Saudi Arabia PDPL

1 source controls mapped|1 target controls covered

Vietnam PDPD

1 source controls mapped|1 target controls covered

ISO 22739:2024 — Blockchain and Distributed Ledger Technologies Vocabulary

1 source controls mapped|1 target controls covered

PIPEDA

1 source controls mapped|1 target controls covered

COPPA

1 source controls mapped|1 target controls covered

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming - European Union)

1 source controls mapped|1 target controls covered

Tennessee IPA

1 source controls mapped|1 target controls covered

SOC for Cybersecurity — Cybersecurity Risk Management Examination

1 source controls mapped|1 target controls covered

NATO STANAG 4774/4778 — Confidentiality Metadata Labels

1 source controls mapped|2 target controls covered

UK Data Protection Act 2018

1 source controls mapped|1 target controls covered

US ITAR and EAR — Export Control and Data Security

1 source controls mapped|2 target controls covered

UAE PDPL

1 source controls mapped|1 target controls covered

AICPA SOC 3

1 source controls mapped|1 target controls covered

SWIFT CSP

1 source controls mapped|1 target controls covered

AICPA SOC 1

1 source controls mapped|1 target controls covered

SSAE 18 SOC 1 — Report on Controls at a Service Organisation (ICFR)

1 source controls mapped|1 target controls covered

Utah Consumer Privacy Act

1 source controls mapped|1 target controls covered

Taiwan PDPA

1 source controls mapped|1 target controls covered

Texas Data Privacy Act

1 source controls mapped|1 target controls covered

Uruguay DPL

1 source controls mapped|1 target controls covered

Virginia CDPA

1 source controls mapped|1 target controls covered

Compare FIDO2 and W3C WebAuthn Standard with FDA 21 CFR Part 11

Frequently Asked Questions

What is FIDO2 and W3C WebAuthn Standard?

FIDO2 and W3C WebAuthn Standard is a compliance framework from International (W3C / FIDO Alliance) with 23 domains and 43 controls. FIDO2 (Fast IDentity Online) comprises the W3C Web Authentication (WebAuthn) specification and the FIDO Alliance Client-to-Authenticator Protocol (CTAP). WebAuthn Level 3 (2025) enables passwordless authentication using public key cryptography. Authenticators include platform authenticators (biometrics), roaming authenticators (security keys), and passkeys (synced credentials). Supported by all major browsers and operating systems. Over 15 billion accounts enabled for passkey sign-in. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does FIDO2 and W3C WebAuthn Standard have?

FIDO2 and W3C WebAuthn Standard has 43 controls organised across 23 domains. The largest domains are Authenticator Requirements (CTAP2) (5 controls), Security and Privacy Requirements (5 controls), Attestation and Trust (4 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does FIDO2 and W3C WebAuthn Standard map to?

FIDO2 and W3C WebAuthn Standard maps to 311 other compliance frameworks. The top mapping partners are FDA 21 CFR Part 11 (7% coverage), CNCF Cloud Native Security (Cloud Native Computing Foundation) (7% coverage), HL7 FHIR Security Framework (7% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with FIDO2 and W3C WebAuthn Standard compliance?

Start your FIDO2 and W3C WebAuthn Standard compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about FIDO2 and W3C WebAuthn Standard requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 43 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 700 frameworks.

Get Started Free →

Free forever — no credit card required