A device that can generate and optionally store PKI credentials in FIDO format


Data returned from the authenticator proving possession of the private key along with other metadata


Data returned from the authenticator providing data about the authenticator and credentials it stores


FIDO2 consists of two specification sets: one on the device side and one on the browser side. CTAP (Client to Authenticator Protocol) is the device-side one. It is the local device protocol, so you can use an external device as an authenticator regardless of the platform on which you are running the verification.


A protocol to optimize platform support. The main challenge: millions of phones already ship with FIDO UAF support out of the box, but can we get all of them? Can we get ubiquity across every Android device, every Windows device, every web browser? If so, this is a huge step towards a passwordless world.


One-time authentication.

Relying Party

The web application that requests and consumes the result of FIDO authentication. Can be an identity provider/SSO service or any other external authentication application.


Universal Second Factor (U2F). With U2F the service can optionally request a second factor at any time it chooses. In this case, the user would need a fob, USB key, or second device in order to log in or register. This increases the likelihood that only you are accessing the account, since you would need more than one of your devices in order to log in. The newest implementation is more secure than old-school time-based 6-digit codes, since the stored cryptographic key is only authorized for the website it was registered with. This makes phishing with look-alike requests more difficult to accomplish.


Universal Authentication Framework (UAF) is meant as a replacement for simple authentication. With UAF, the user registers a device with the website and then uses a biometric on that device going forward; from then on, the user only needs to authenticate locally from that device. The website can choose whether or not it will continue to store a password (seems dumb, but it's a choice the site can make).

User presence

The physical gesture used to determine a person is physically present

User verification

Process local to the authenticator that allows generating new credentials or signing a message with existing credentials. Can be a PIN, biometric, etc.


FIDO2 consists of two specification sets: one on the device side and one on the browser side. WebAuthn (Web Authentication) is the browser-side one: a Web API that brings FIDO authentication to the web browser.