
FIDO2 / WebAuthn - Passwordless Authentication Standard

International (FIDO Alliance/W3C)
Version: Level 2 (2024)
20 domains
32 controls

FIDO2 is the passwordless authentication standard developed by the FIDO Alliance and the W3C. It consists of two components: WebAuthn (the W3C Web Authentication API, which a web application calls through the browser) and CTAP2 (the FIDO Alliance Client-to-Authenticator Protocol, which the browser or platform uses to talk to external authenticators such as security keys over USB, NFC or BLE). FIDO2 enables passwordless, phishing-resistant authentication using public key cryptography: the authenticator generates a distinct key pair per relying party and only signs challenges for the relying-party ID the credential was registered under, and the browser places the actual page origin into the signed client data, so a credential cannot be exercised from a look-alike site. It is supported by all major browsers (Chrome, Firefox, Safari, Edge), operating systems (Windows Hello, macOS/iOS Face ID/Touch ID, Android biometrics) and passkey platforms (Google, Apple, Microsoft). Over 12 billion accounts can use FIDO2, and the FIDO Alliance has 300+ member companies. NIST, CISA and ENISA recommend FIDO2 passkeys as a replacement for passwords.

Unverified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (20)

Assurance (1 control)

Code              Title
FIDO2-WAUTH-20    FIDO Certification of Server and Client Components

Authentication Assurance (2 controls)

Code              Title
FIDO2-WAUTH-3     User Verification Requirement
FIDO2-WAUTH-5     Authenticator Attachment Modality

Authenticator Integrity (1 control)

Code              Title
FIDO2-WAUTH-10    Counter and Clone Detection

Authenticator Registration (1 control)

Code              Title
FIDO2-WAUTH-2     Attestation Conveyance Preference

Authenticator Trust (1 control)

Code              Title
FIDO2-WAUTH-15    Enterprise Attestation and AAGUID Allowlisting

CTAP2 (Client to Authenticator Protocol) (4 controls)

Code              Title
FIDO2-2.1         Authenticator API
FIDO2-2.2         Transport Bindings
FIDO2-2.3         PIN/UV Protocol
FIDO2-2.4         Credential Management

Credential Storage (1 control)

Code              Title
FIDO2-WAUTH-4     Resident Key and Discoverable Credentials

Cryptographic Protocol (2 controls)

Code              Title
FIDO2-WAUTH-8     Challenge Generation and Validation
FIDO2-WAUTH-9     Algorithm Negotiation and Supported COSE Algorithms

Implementation (1 control)

Code              Title
FIDO2-WAUTH-17    Browser and Platform Compatibility Testing

Lifecycle (4 controls)

Code              Title
FIDO2-WAUTH-7     Passkey Synchronization and Recovery
FIDO2-WAUTH-11    Credential Lifecycle Management
FIDO2-WAUTH-12    Multi-Credential Per User and Recovery Tokens
FIDO2-WAUTH-16    Account Recovery Without Password Fallback

Operations (1 control)

Code              Title
FIDO2-WAUTH-19    Logging, Monitoring, and SIEM Integration

Passkey and Platform Integration (3 controls)

Code              Title
FIDO2-4.1         Discoverable Credentials (Passkeys)
FIDO2-4.2         Platform Authenticator Integration
FIDO2-4.3         Cross-Device Authentication

Privacy (1 control)

Code              Title
FIDO2-WAUTH-18    Privacy and Cross-Site Tracking Mitigations

Programmatic Adoption (1 control)

Code              Title
FIDO2-WAUTH-21    Migration from Password and TOTP

Relying Party Configuration (1 control)

Code              Title
FIDO2-WAUTH-1     Relying Party Identifier and Origin Binding

Security Requirements (0 controls)

Threat Model (1 control)

Code              Title
FIDO2-WAUTH-13    Anti-Phishing Property Verification

Transport (1 control)

Code              Title
FIDO2-WAUTH-6     Hybrid Transport Cross-Device Authentication (caBLE)

User Experience (1 control)

Code              Title
FIDO2-WAUTH-14    Conditional UI (Autofill) Implementation

WebAuthn API (W3C) (4 controls)

Code              Title
FIDO2-1.1         Credential Creation (Registration)
FIDO2-1.2         Credential Assertion (Authentication)
FIDO2-1.3         Attestation
FIDO2-1.4         Extensions

Your Compliance Coverage

If you comply with FIDO2 / WebAuthn - Passwordless Authentication Standard, you already cover:

Maps to 138 other frameworks

32 total controls
OWASP DevSecOps Maturity Model (DSOMM)
3 source controls mapped|1 target controls covered
9%
EMV 3‑D Secure (3DS) - Payment Authentication Protocol
3 source controls mapped|3 target controls covered
9%
ISO/IEC 29115:2023 - Entity Authentication Assurance Framework
3 source controls mapped|3 target controls covered
9%
ETSI EN 303 645
3 source controls mapped|1 target controls covered
9%
SWIFT CSCF
3 source controls mapped|1 target controls covered
9%
ISO 19011
3 source controls mapped|2 target controls covered
9%
ISO 13485
3 source controls mapped|2 target controls covered
9%
SWIFT CSCF v2024
3 source controls mapped|1 target controls covered
9%
OWASP ASVS
3 source controls mapped|1 target controls covered
9%
US EPA Safe Drinking Water Act (SDWA) - Cybersecurity Requirements
3 source controls mapped|1 target controls covered
9%
Digital Economy Partnership Agreement (DEPA)
3 source controls mapped|1 target controls covered
9%
BSI IT-Grundschutz
3 source controls mapped|1 target controls covered
9%
NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements
3 source controls mapped|2 target controls covered
9%
ISO/IEC 23837 - Security Requirements for Quantum Key Distribution
3 source controls mapped|1 target controls covered
9%
Regulation on the European Health Data Space (EHDS)
3 source controls mapped|1 target controls covered
9%
HL7 FHIR Security Framework
3 source controls mapped|3 target controls covered
9%
ASD Strategies to Mitigate Cyber Security Incidents
3 source controls mapped|2 target controls covered
9%
DFARS 252.204-7012 - Safeguarding Covered Defense Information
3 source controls mapped|3 target controls covered
9%
Illinois Biometric Information Privacy Act (BIPA)
3 source controls mapped|3 target controls covered
9%
NAIC Insurance Data Security Model Law (MDL-668)
3 source controls mapped|3 target controls covered
9%
Modern Slavery Act 2018 (Australia)
3 source controls mapped|3 target controls covered
9%
TEFCA - Trusted Exchange Framework and Common Agreement
3 source controls mapped|2 target controls covered
9%
DAMA-DMBOK2 - Data Management Body of Knowledge (2nd Edition)
3 source controls mapped|1 target controls covered
9%
FDA 21 CFR Part 11
3 source controls mapped|1 target controls covered
9%
OWASP API Security Top 10 - 2023
3 source controls mapped|1 target controls covered
9%
CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0
3 source controls mapped|3 target controls covered
9%
USMCA Chapter 19 - Digital Trade (United States-Mexico-Canada Agreement)
3 source controls mapped|1 target controls covered
9%
EN 301 549 - ICT Accessibility Requirements
3 source controls mapped|1 target controls covered
9%
Bank Secrecy Act / Anti-Money Laundering (BSA/AML)
3 source controls mapped|1 target controls covered
9%
MITRE D3FEND
3 source controls mapped|1 target controls covered
9%
US Consumer Product Safety Commission (CPSC) - Connected Product Safety
3 source controls mapped|1 target controls covered
9%
AML/CTF Act 2006 (Australia)
3 source controls mapped|1 target controls covered
9%
Vermont Artificial Intelligence and Consumer Data Act (AICDA)
3 source controls mapped|2 target controls covered
9%
EBA Guidelines on ICT and Security Risk Management (EBA/GL/2024/07)
3 source controls mapped|1 target controls covered
9%
ISO/IEC 27400:2022
3 source controls mapped|1 target controls covered
9%
AWS Well-Architected Security Pillar
3 source controls mapped|1 target controls covered
9%
Proposal for a Regulation on Cyber Resilience Act (CRA)
3 source controls mapped|1 target controls covered
9%
eIDAS 2.0 - EU Digital Identity Regulation
3 source controls mapped|1 target controls covered
9%
DoD Zero Trust Reference Architecture
3 source controls mapped|1 target controls covered
9%
Azure Security Benchmark
3 source controls mapped|1 target controls covered
9%
Spain ENS
3 source controls mapped|1 target controls covered
9%
Armenia Law on Protection of Personal Data (2015)
3 source controls mapped|1 target controls covered
9%
OWASP Top 10:2025
3 source controls mapped|2 target controls covered
9%
Wisconsin Data Privacy Act (SB 670)
3 source controls mapped|3 target controls covered
9%
Tennessee Information Protection Act (TIPA)
3 source controls mapped|2 target controls covered
9%
Russia Federal Law on Personal Data (152-FZ)
3 source controls mapped|1 target controls covered
9%
EU Cyber Solidarity Act (Regulation (EU) 2025/38)
3 source controls mapped|1 target controls covered
9%
Regulation (EU) 2019/1239 on the Maritime Single Window (MSW)
3 source controls mapped|1 target controls covered
9%
FedRAMP Rev 5
3 source controls mapped|2 target controls covered
9%
NIST SP 800-53 Rev 5
3 source controls mapped|3 target controls covered
9%
DISA Security Technical Implementation Guides (STIGs)
3 source controls mapped|3 target controls covered
9%
New Zealand Information Security Manual (NZISM)
3 source controls mapped|2 target controls covered
9%
MARS-E - Minimum Acceptable Risk Standards for Exchanges
3 source controls mapped|2 target controls covered
9%
South Korea Cloud Security Assurance Program (CSAP)
3 source controls mapped|2 target controls covered
9%
NRC 10 CFR 73.54 - Nuclear Facility Cybersecurity
3 source controls mapped|2 target controls covered
9%
UK Gambling Commission - Cyber Resilience Requirements
3 source controls mapped|1 target controls covered
9%
NIST Privacy Framework 1.0
3 source controls mapped|2 target controls covered
9%
US Executive Order 14028 - Improving the Nation's Cybersecurity
3 source controls mapped|1 target controls covered
9%
OWASP MASVS
3 source controls mapped|1 target controls covered
9%
OpenSSF Scorecard
3 source controls mapped|1 target controls covered
9%
SSDF (NIST)
3 source controls mapped|1 target controls covered
9%
NIST SP 800-137
3 source controls mapped|1 target controls covered
9%
O-RAN WG11 Security Specification
3 source controls mapped|1 target controls covered
9%
NIST SP 800-146
3 source controls mapped|1 target controls covered
9%
Ghana Cybersecurity Act
3 source controls mapped|1 target controls covered
9%
UK Telecommunications (Security) Act 2021
3 source controls mapped|1 target controls covered
9%
FIDO2 and W3C WebAuthn Standard
3 source controls mapped|3 target controls covered
9%
IATA Operational Safety Audit (IOSA) Standards Manual
3 source controls mapped|2 target controls covered
9%
W3C Verifiable Credentials (VC) Data Model 2.0
3 source controls mapped|3 target controls covered
9%
ISMAP (Japan)
3 source controls mapped|1 target controls covered
9%
OWASP Top 10 for LLM Applications 2025
3 source controls mapped|2 target controls covered
9%
PropTech Security Standards - Smart Building Cybersecurity
3 source controls mapped|2 target controls covered
9%
Florida Digital Bill of Rights (SB 262)
3 source controls mapped|2 target controls covered
9%
South Korea ISMS-P
3 source controls mapped|1 target controls covered
9%
MTCS (Singapore)
3 source controls mapped|1 target controls covered
9%
RFC 2350 - Expectations for Computer Security Incident Response (BCP 21)
3 source controls mapped|1 target controls covered
9%
SSAE 18 - Attestation Standards (SOC Reporting)
3 source controls mapped|1 target controls covered
9%
Secure by Design: A Guide for Manufacturers (CISA)
3 source controls mapped|3 target controls covered
9%
NIST Privacy Framework Version 1.0
3 source controls mapped|1 target controls covered
9%
ISO 27017
3 source controls mapped|1 target controls covered
9%
SWIFT Customer Security Programme (CSP)
3 source controls mapped|3 target controls covered
9%
UK Open Banking Standard
3 source controls mapped|3 target controls covered
9%
Zimbabwe Data Protection Act (2021)
3 source controls mapped|1 target controls covered
9%
EU Payment Services Directive (PSD2)
3 source controls mapped|3 target controls covered
9%
NIST SP 800-92
3 source controls mapped|1 target controls covered
9%
TSA Pipeline Cybersecurity Directives
3 source controls mapped|1 target controls covered
9%
UK PSTI Act
3 source controls mapped|1 target controls covered
9%
Saudi NCA ECC
3 source controls mapped|1 target controls covered
9%
NIST SP 800-190
3 source controls mapped|1 target controls covered
9%
SIG (Shared Assessments)
3 source controls mapped|1 target controls covered
9%
Sigstore - Software Artifact Signing and Verification
3 source controls mapped|1 target controls covered
9%
MITRE ATT&CK
3 source controls mapped|1 target controls covered
9%
ISO 27001:2022
3 source controls mapped|2 target controls covered
9%
TSA Pipeline Security
3 source controls mapped|1 target controls covered
9%
GLI-33 - Gaming Laboratories International Event Wagering Systems
3 source controls mapped|1 target controls covered
9%
ITU-T X.805 - Security Architecture for End-to-End Communications
3 source controls mapped|1 target controls covered
9%
FTC GLBA Safeguards Rule (16 CFR Part 314)
3 source controls mapped|1 target controls covered
9%
NIST SP 800-61
3 source controls mapped|1 target controls covered
9%
NIST SP 800-144
3 source controls mapped|1 target controls covered
9%
MDS2 (Medical Device)
3 source controls mapped|1 target controls covered
9%
FAA Cybersecurity Framework for Aviation
3 source controls mapped|1 target controls covered
9%
Oman National Cybersecurity Framework
3 source controls mapped|1 target controls covered
9%
NIST SP 800-66
3 source controls mapped|1 target controls covered
9%
FISMA
3 source controls mapped|1 target controls covered
9%
TISAX - Trusted Information Security Assessment Exchange
3 source controls mapped|1 target controls covered
9%
FTC Safeguards Rule (16 CFR Part 314)
3 source controls mapped|1 target controls covered
9%
OWASP SAMM
3 source controls mapped|1 target controls covered
9%
3GPP 5G Security Architecture (TS 33.501)
3 source controls mapped|1 target controls covered
9%
ISO 27043
3 source controls mapped|1 target controls covered
9%
NIST Cybersecurity Framework 2.0
3 source controls mapped|2 target controls covered
9%
ISO 27018
3 source controls mapped|1 target controls covered
9%
UNECE WP.29 R156
3 source controls mapped|1 target controls covered
9%
IRS Publication 1075 - Tax Information Security Guidelines
3 source controls mapped|1 target controls covered
9%
Regional Comprehensive Economic Partnership (RCEP) - E-Commerce Chapter
3 source controls mapped|1 target controls covered
9%
ISO/SAE 21434
3 source controls mapped|1 target controls covered
9%
ISO 27799
3 source controls mapped|1 target controls covered
9%
NIS2 Directive Implementing Acts
3 source controls mapped|1 target controls covered
9%
FBI CJIS Security Policy
3 source controls mapped|1 target controls covered
9%
UNECE WP.29 R155
3 source controls mapped|1 target controls covered
9%
NIST SP 800-123
3 source controls mapped|1 target controls covered
9%
NIST SP 800-88
3 source controls mapped|1 target controls covered
9%
NIST SP 800-145
3 source controls mapped|1 target controls covered
9%
MARS-E
3 source controls mapped|1 target controls covered
9%
WCAG 2.2
3 source controls mapped|2 target controls covered
9%
NIST SP 800-63-4
3 source controls mapped|1 target controls covered
9%
SLSA
3 source controls mapped|1 target controls covered
9%
PTES
3 source controls mapped|1 target controls covered
9%

Frequently Asked Questions

What is FIDO2 / WebAuthn - Passwordless Authentication Standard?

FIDO2 / WebAuthn - Passwordless Authentication Standard is a compliance framework from International (FIDO Alliance/W3C) with 20 domains and 32 controls. It covers the two components of FIDO2, WebAuthn (the W3C Web Authentication API) and CTAP2 (the FIDO Alliance Client-to-Authenticator Protocol), which together provide passwordless, phishing-resistant authentication based on public key cryptography; the summary at the top of this page gives the full description. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does FIDO2 / WebAuthn - Passwordless Authentication Standard have?

FIDO2 / WebAuthn - Passwordless Authentication Standard has 32 controls organised across 20 domains. The largest domains are CTAP2 (Client to Authenticator Protocol) (4 controls), Lifecycle (4 controls), WebAuthn API (W3C) (4 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does FIDO2 / WebAuthn - Passwordless Authentication Standard map to?

FIDO2 / WebAuthn - Passwordless Authentication Standard maps to 138 other compliance frameworks. The top mapping partners are US Maritime Transportation Security Act (MTSA) and USCG Cybersecurity Requirements (9% coverage), FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011) (9% coverage), OWASP DevSecOps Maturity Model (DSOMM) (9% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with FIDO2 / WebAuthn - Passwordless Authentication Standard compliance?

Start your FIDO2 / WebAuthn - Passwordless Authentication Standard compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about FIDO2 / WebAuthn - Passwordless Authentication Standard requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 32 controls and track your progress.
