Passkeys / FIDO2 / WebAuthn
Passwordless authentication based on public-key cryptography, delivered through WebAuthn (W3C) and CTAP (FIDO).
Overview
Passkeys implement passwordless login using public-key cryptography. Users authenticate with a device-bound credential and local user verification (biometric or PIN), via the WebAuthn API and CTAP protocols.
How it works
- Registration: Site asks for a new credential via WebAuthn; an authenticator creates a key pair and returns a public key + attestation.
- Authentication: Site sends a challenge. Authenticator signs it with the private key after local user verification.
- Device portability: Platform sync or roaming authenticators (security keys) enable use across devices in line with vendor policies.
Common use cases
- Consumer sign-in replacing passwords
- Workforce phishing-resistant MFA
- Step-up auth for high-risk transactions
Strengths and limitations
Strengths: Phishing resistance; no shared secrets; fast UX.
Limitations: Cross-ecosystem portability; attestation policy; account recovery patterns.
Key terms
- WebAuthn: W3C API for creating/using credentials.
- CTAP: FIDO protocol between client and authenticator.
- Attestation: Evidence about the authenticator model/security.
References
Vendors using Passkeys / FIDO2 / WebAuthn
Latest Data Cards
Data Card Aware announces third-party testing results across PAD, bias testing, DHS RIVR, and passkey readiness
2026-02-17CC-BY-4.0padpasskeys-webauthnfacial-recognitionawareAware released external validation results across ISO/IEC 30107-3 Level 2 presentation attack detection, ISO/IEC 19795-10 bias testing, DHS Rapid Identity Verification Rally participation, and FIDO2 passkey readiness.
- Aware achieved ISO/IEC 30107-3 Level 2 PAD certification, covering advanced presentation attack scenarios.
- The company also demonstrated ISO/IEC 19795-10 bias testing compliance and FIDO2 passkey readiness.
- DHS RIVR participation builds on Aware's top performance in prior DHS security testing announced in June 2025.
Data Card Swissbit Adds HID Seos Support to iShield Key 2, Expands Enterprise Passkey Use
2025-12-12CC-BY-4.0passkeys-webauthnswissbitSwissbit added HID Seos support to its iShield Key 2 portfolio, positioning a single enterprise token for both FIDO2/WebAuthn passkeys and physical-access credential deployments.
- The update adds Seos support for physical access systems alongside FIDO2 authentication capabilities.
- Swissbit describes multiple iShield Key 2 variants, including a Pro version aimed at broader credential use cases.
- The announcement reflects enterprise interest in consolidating logical-access and physical-access credentials.
Data Card Sumitomo Mitsui Trust Bank Moves Mobile Customers to FIDO Cloud Authentication with OneSpan
2025-11-17CC-BY-4.0passkeys-webauthnonespanSumitomo Mitsui Trust Bank is migrating mobile users to phishing‑resistant, FIDO‑based cloud authentication with OneSpan, replacing passwords with passkeys built on WebAuthn/FIDO2.
- Bank‑scale rollout of passkeys for mobile customers
- Cloud authentication built on WebAuthn/FIDO2
- Targets stronger security and simpler sign‑in