FIDO2 / WebAuthn
FIDO2 is the joint FIDO Alliance and W3C standard for passwordless, phishing-resistant authentication. It is composed of:

- (a) W3C Web Authentication (WebAuthn) Level 3 Recommendation: the browser and relying-party API for public-key credential creation and authentication.
- (b) FIDO Client-to-Authenticator Protocol 2.1 (CTAP2.1): the protocol between client devices and roaming or platform authenticators.
- (c) FIDO Metadata Service v3 (MDS3): the trust and attestation metadata for authenticators, including AAGUIDs, status reports, transports and algorithms.
- (d) Discoverable credentials / passkeys: resident-credential storage on authenticators enabling passwordless workflows and cross-device synchronisation via iCloud Keychain, Google Password Manager, Windows Hello, 1Password, Bitwarden and Dashlane.

Core security properties:

- Phishing resistance through origin binding, RP ID validation and channel binding.
- Unphishable without user intervention (no shared secrets).
- Biometric and PIN verification local to the authenticator (never transmitted).
- Replay resistance through a challenge-based protocol, signature counter and anti-replay timestamping.
- Enterprise attestation and AAGUID allowlisting for managed-device deployments.

Adoption: all major browsers (Chrome, Edge, Firefox, Safari), operating systems (Windows 11, macOS, iOS, Android) and leading IdPs (Microsoft Entra, Google, Okta, Ping) support FIDO2/WebAuthn. Apple, Google and Microsoft launched passkeys in 2023-2025 with cross-device synchronisation and hybrid transport (formerly caBLE) for QR-code-based phone-to-laptop authentication. FIDO Alliance certification programs: FIDO2 Server and Authenticator, UAF Server and Authenticator, U2F Server and Authenticator, and Biometric Component. FIDO2/WebAuthn is the foundation for NIST SP 800-63B AAL3 phishing-resistant authentication and the basis for executive-order-mandated US federal MFA (M-22-09 and the 2024 ZTA strategy).

Coordinated standards: OAuth 2.0, OpenID Connect and SAML for the federation layer above WebAuthn; W3C Verifiable Credentials for the credential-presentation layer; FIDO Device Onboarding (FDO) for IoT.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
FIDO2/WebAuthn: Attestation, Metadata Service (MDS3) and Trust
| Code | Title |
|---|---|
| FIDO2-Attestation | Attestation Statement Formats and Verification |
| FIDO2-Enterprise-Attestation | Enterprise Attestation and AAGUID Allowlisting |
| FIDO2-MetadataService-MDS | FIDO Metadata Service v3 (MDS3) - AAGUID Trust + Status Reports |
FIDO2/WebAuthn: Authenticators, Passkeys and User Verification
| Code | Title |
|---|---|
| FIDO2-Passkey-Discoverable | Passkeys (Discoverable Credentials) and Account Recovery |
| FIDO2-UserVerification | User Verification (UV) - PIN, Biometrics and Multi-Factor Inside Authenticator |
FIDO2/WebAuthn: CTAP2.1 Client-to-Authenticator Protocol
| Code | Title |
|---|---|
| FIDO2-CTAP2-PIN-UV | CTAP2 PIN, User Verification (UV) and PIN/UV Auth Tokens |
| FIDO2-CTAP2-Transport | CTAP2 Transports (USB-HID, NFC, BLE, Hybrid / caBLE, Platform-internal) |
| FIDO2-CTAP2.1-API | FIDO CTAP2.1 Authenticator API Commands and Credential Management |
FIDO2/WebAuthn: FIDO Alliance Certification, Adoption and Status
| Code | Title |
|---|---|
| FIDO2-FIDO-Certification | FIDO Alliance Certification Programs - Authenticator + Server + Biometric Component |
| FIDO2-Status | FIDO2/WebAuthn Implementation Status, Passkey Adoption and 2024-2025 Trends |
FIDO2/WebAuthn: Registration and Authentication Ceremonies
| Code | Title |
|---|---|
| FIDO2-Authentication-Ceremony | WebAuthn Authentication Ceremony (Credential Assertion) |
| FIDO2-Registration-Ceremony | WebAuthn Registration Ceremony (Credential Creation) |
FIDO2/WebAuthn: Relying Party Implementation, Phishing Resistance and Security
| Code | Title |
|---|---|
| FIDO2-Phishing-Resistance | Phishing Resistance, Channel Binding, Anti-Replay and Privacy |
| FIDO2-RP-Identity | Relying Party Identifier, Origin Binding, Cross-Origin and Conditional UI |
FIDO2/WebAuthn: WebAuthn API (W3C Web Authentication Level 3 Recommendation)
| Code | Title |
|---|---|
| FIDO2-WebAuthn-API-L3 | W3C WebAuthn Level 3 API (PublicKeyCredential + navigator.credentials) |
| FIDO2-WebAuthn-CredentialOptions | PublicKeyCredentialCreationOptions + RequestOptions (registration + authentication parameters) |
Your Compliance Coverage
If you comply with FIDO2 / WebAuthn, you already cover:
- MITRE D3FEND: 13% (2 controls mapped)
- IACS Unified Requirements E26/E27 - Cyber Resilience of Ships and On-Board Systems: 13% (2 controls mapped)
- HL7 FHIR Security Framework: 13% (2 controls mapped)
- 167 more, including ISO/IEC 23837 - Security Requirements for Quantum Key Distribution (13%) and TEFCA - Trusted Exchange Framework and Common Agreement (13%)

FIDO2 / WebAuthn maps to 170 other frameworks in total.
Frequently Asked Questions
What is FIDO2 / WebAuthn?
FIDO2 / WebAuthn is a compliance framework published internationally by the FIDO Alliance and the W3C, with 7 domains and 16 controls. Its components (WebAuthn Level 3, CTAP2.1, MDS3 and passkeys), core security properties, adoption, certification programs and coordinated standards are summarised in the overview at the top of this page. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does FIDO2 / WebAuthn have?
FIDO2 / WebAuthn has 16 controls organised across 7 domains. The largest domains are FIDO2/WebAuthn: Attestation, Metadata Service (MDS3) and Trust (3 controls), FIDO2/WebAuthn: CTAP2.1 Client-to-Authenticator Protocol (3 controls), FIDO2/WebAuthn: Authenticators, Passkeys and User Verification (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does FIDO2 / WebAuthn map to?
FIDO2 / WebAuthn maps to 170 other compliance frameworks. The top mapping partners are MITRE D3FEND (13% coverage), IACS Unified Requirements E26/E27 - Cyber Resilience of Ships and On-Board Systems (13% coverage), HL7 FHIR Security Framework (13% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with FIDO2 / WebAuthn compliance?
Start your FIDO2 / WebAuthn compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about FIDO2 / WebAuthn requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 16 controls and track your progress.