FIDO2 vs. WebAuthn: What’s the Difference?

9/13/2023 Jing Gu
80% of web application breaches were caused by stolen credentials in 2022. (This isn’t too surprising, considering two-thirds of Americans use the same password for multiple accounts.)

Moving to passwordless authentication is better for both user experience and security. However, passwordless authentication is frequently evolving. This makes it difficult for security practitioners to understand the nuances. 

Enter FIDO2 and WebAuthn. Let’s look at what they are and how they differ so you implement the protocol that best supports your use cases.

FIDO2: The golden standard in passwordless authentication

FIDO2 is the latest set of strong authentication standards created by the FIDO Alliance. FIDO2 includes two specifications: W3C’s Web Authentication (WebAuthn) and FIDO Alliance’s Client to Authenticator Protocol (CTAP).  

In short: FIDO2 = W3C WebAuthn + CTAP

Understanding FIDO2

FIDO2 standards enable users to authenticate with local device biometrics and roaming authenticators in mobile and web environments with phishing-resistant security. In other words, FIDO2 enables strong, passwordless authentication. 

It does this using specifications defined by the World Wide Web Consortium’s (W3C) WebAuthn and FIDO Alliance’s Client to Authenticator Protocol (CTAP2). 

  • WebAuthn: Defines one standard web API to enable browser users to sign in with a cryptographic key pair. The specification allows strong FIDO Authentication across all web browsers and related web platform infrastructure. 
  • CTAP2: Builds on Universal 2nd Factor (U2F) specifications (renamed CTAP1) and enables browsers and operating systems to talk to external authenticators, like USB-based devices such as security keys, Near Field Communication (NFC), and Bluetooth-enabled devices.

What is the FIDO Alliance?

The FIDO Alliance is an industry association founded in 2012 focused on developing authentication standards to help reduce the world’s over-reliance on passwords. The first FIDO passwordless protocol was released in 2014. 

In 2016, W3C worked with the FIDO Alliance to standardize the next set of specifications (FIDO2) across web browsers and web platform infrastructure. FIDO2 officially launched in 2018 across Google Chrome, Microsoft Edge, and Mozilla Firefox, with Safari iOS and other systems adopting the standards by 2020.

Benefits of FIDO2

FIDO2 has many advantages compared to traditional password authentication:

  • Easy login process and better user experience
  • Stronger security with phishing-resistant authentication
  • Simpler deployment based on open standards makes it easy to adopt

FIDO2 standards make it possible for websites to support passwordless authentication with passkeys for users. This enables a more seamless and secure login experience. Users simply provide their username and either provide their device biometric or PIN or use a security key, and they’re in. 

WebAuthn: the web API that makes passwordless possible

So how does FIDO2 differ from WebAuthn? While the two are related, the terms are not interchangeable. 

Simply put, WebAuthn is a core component of FIDO2. FIDO2 is inclusive of WebAuthn but WebAuthn does not encompass all elements of FIDO2 standards. 

What is WebAuthn?

WebAuthn defines a standard web API that is being built into browsers and platforms to enable users on a browser to sign in with a cryptographic key pair, or a passkey. In other words, it uses public key cryptography to securely register and authenticate devices without passwords. This makes it harder for hackers to steal credentials and eliminates the need to memorize or manage multiple passwords. 

The authenticator creates and stores user credentials on a device, such as a hardware security key or on the user’s device such as a mobile device, tablet, laptop, or desktop. With WebAuthn, there’s no need for a password—users can authenticate with facial recognition or fingerprint scanning.

The FIDO Alliance worked within the W3C’s Web Authentication Working Group to finalize the API, which became known as WebAuthn. WebAuthn was officially recognized as a W3C web standard in March 2019.

WebAuthn’s three main properties

WebAuthn is built on three core properties: 

  1. Strong: Authentication is backed by a Hardware Security Module, ensuring safe and secure storage of private keys. 
  2. Scoped: The key pair must be tied to a specific origin that cannot be altered. This mitigates the threat of phishing. 
  3. Attested: The authenticator provides a digital certificate that servers can verify. 

Together, these properties and WebAuthn’s protocol provide users with a simpler, more convenient way to sign on to their accounts, while offering a variety of secure authentication methods and devices.

Building a passwordless future with FIDO2 and webAuthn 

FIDO2 is the standard for passwordless authentication on the internet. Implementing FIDO2 will allow your company to enjoy modern, phishing-resistant authentication. However, deploying FIDO authentication requires understanding platform differences in WebAuthn support as well as building and maintaining a FIDO2 server. 

If you’d like to enjoy the benefits of FIDO authentication without building it from scratch using industry specifications, get started today with Beyond Identity