FIDO2


FIDO2 is one of the standards published by the FIDO Alliance to enable easy-to-use passwordless authentication. It consists of the W3C WebAuthn API, which applications call, and the Client to Authenticator Protocol (CTAP), which carries those requests to the authenticator. Users authenticate to online services with their devices and authenticators, which hold a private key and prove possession of it by signing a challenge from the server, so no password is entered by the user or stored by the service. This works both on the desktop and in mobile environments.

A FIDO2 client can be a web browser, a desktop application or a mobile (for example Android) application. It communicates with authenticators to perform the two FIDO2 operations: registration of an authenticator and authentication. Deregistration is not an authenticator operation and has to be handled on the relying party side, for example by removing the registered public key from the server's data store; note that this does not delete the credential from the authenticator, it only stops the server from accepting it. All major web browsers support the client API (the W3C WebAuthn API) by exposing native functions for these operations: navigator.credentials.create() for registration and navigator.credentials.get() for authentication.
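As an added example (not code from the original page or from any particular FIDO2 product), the following browser-side JavaScript performs the two operations through the WebAuthn API. It assumes a relying party backend at the illustrative paths /webauthn/register/... and /webauthn/authenticate/... that returns WebAuthn options as JSON with the binary fields (challenge, user.id, credential ids) base64url-encoded, and that accepts the resulting credential back in the same encoding.

```javascript
// Added example: minimal WebAuthn client for FIDO2 registration and authentication.
// The backend endpoints and their JSON shape are assumptions, not a real product API.

// The WebAuthn API works with ArrayBuffers, JSON cannot carry them, so convert both ways.
function b64urlToBuf(s) {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(s.length / 4) * 4, '=');
  const bin = atob(padded);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

function bufToB64url(buf) {
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Registration: server JSON -> PublicKeyCredentialCreationOptions.
// `attachment` is "platform" (built-in authenticator) or "cross-platform" (roaming security key);
// leave it undefined to let the user pick either kind.
function toCreationOptions(serverOpts, attachment) {
  return {
    rp: serverOpts.rp,                                   // { id: "example.com", name: "Example" }; id must match the site's domain
    user: { ...serverOpts.user, id: b64urlToBuf(serverOpts.user.id) },
    challenge: b64urlToBuf(serverOpts.challenge),        // server-generated random value, echoed back in clientDataJSON
    pubKeyCredParams: serverOpts.pubKeyCredParams,       // e.g. [{ type: "public-key", alg: -7 }] for ES256
    timeout: serverOpts.timeout ?? 60000,
    // Credentials already registered for this user, so the same authenticator is not registered twice.
    excludeCredentials: (serverOpts.excludeCredentials ?? []).map(c => ({ ...c, id: b64urlToBuf(c.id) })),
    authenticatorSelection: {
      ...(attachment ? { authenticatorAttachment: attachment } : {}),
      residentKey: 'preferred',
      userVerification: 'preferred',
    },
    attestation: serverOpts.attestation ?? 'none',       // "direct" when the server verifies attestation against metadata
  };
}

// Authentication: server JSON -> PublicKeyCredentialRequestOptions.
function toRequestOptions(serverOpts) {
  return {
    challenge: b64urlToBuf(serverOpts.challenge),
    rpId: serverOpts.rpId,
    timeout: serverOpts.timeout ?? 60000,
    allowCredentials: (serverOpts.allowCredentials ?? []).map(c => ({ ...c, id: b64urlToBuf(c.id) })),
    userVerification: serverOpts.userVerification ?? 'preferred',
  };
}

// Serialize the PublicKeyCredential the browser returns so it can be POSTed to the server.
function credentialToJSON(cred) {
  const r = cred.response;
  const out = {
    id: cred.id,
    rawId: bufToB64url(cred.rawId),
    type: cred.type,
    response: { clientDataJSON: bufToB64url(r.clientDataJSON) },
  };
  if (r.attestationObject) {                       // AuthenticatorAttestationResponse (registration)
    out.response.attestationObject = bufToB64url(r.attestationObject);
  } else {                                         // AuthenticatorAssertionResponse (authentication)
    out.response.authenticatorData = bufToB64url(r.authenticatorData);
    out.response.signature = bufToB64url(r.signature);
    out.response.userHandle = r.userHandle ? bufToB64url(r.userHandle) : null;
  }
  return out;
}

async function postJSON(url, body) {
  const res = await fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) });
  if (!res.ok) throw new Error(`${url}: HTTP ${res.status}`);
  return res.json();
}

// Registration ceremony: fetch options, invoke the WebAuthn API, send the new credential to the server.
async function registerAuthenticator(attachment) {
  const serverOpts = await postJSON('/webauthn/register/options', {});
  const cred = await navigator.credentials.create({ publicKey: toCreationOptions(serverOpts, attachment) });
  return postJSON('/webauthn/register/verify', credentialToJSON(cred));
}

// Authentication ceremony: same pattern with navigator.credentials.get().
async function authenticate(username) {
  const serverOpts = await postJSON('/webauthn/authenticate/options', { username });
  const cred = await navigator.credentials.get({ publicKey: toRequestOptions(serverOpts) });
  return postJSON('/webauthn/authenticate/verify', credentialToJSON(cred));
}
```

Browsers implementing WebAuthn Level 3 also offer PublicKeyCredential.parseCreationOptionsFromJSON() and credential.toJSON(), which replace the hand-written conversions above. Setting authenticatorAttachment restricts the ceremony to a platform or a cross-platform authenticator; leaving it unset lets the user choose.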

Communication between the client platform and an external authenticator uses the Client to Authenticator Protocol (CTAP). CTAP2 is the FIDO2 version; CTAP1 is the earlier FIDO U2F protocol, and a FIDO2 platform can fall back to it, so a FIDO2-based application can also work with legacy U2F security keys (without the resident-key and user-verification features that CTAP2 adds).

FIDO2 architecture overview

Figure: FIDO2 architecture — high-level overview

Client side

  • Relying party application. The web application running on the client device, typically JavaScript executing in the browser or another application that embeds a browser engine (for example an Android application running in a WebView).
  • Browser. Implements the W3C WebAuthn API, whose functions the relying party application invokes to perform FIDO2 operations. The browser also records the calling origin in the signed client data and scopes credentials to the relying party identifier, which is what makes FIDO2 credentials resistant to phishing.
  • Platform (operating system). Responsible for communicating with the authenticator: over CTAP for an external authenticator, or through its own internal interface for a built-in one.
  • Authenticator. This can be one of the following:

    • Internal or platform authenticator. An authenticator built into the device, such as Windows Hello, Touch ID or Face ID, or an Android device's screen lock.
    • External, cross-platform or roaming authenticator. For instance a hardware security key connected to the device over USB, NFC or Bluetooth.

Server side

  • Relying party application server. Server responsible for the relying party's own domain logic (accounts, sessions, authorization decisions).
  • FIDO Server. Server responsible for the server side of FIDO2 operations: it generates the challenges, verifies registration (attestation) and authentication (assertion) responses, and stores the registered public keys and signature counters.
  • Metadata service. Provides metadata about authenticator models, including their attestation root certificates (the FIDO Alliance Metadata Service, MDS, is the public instance). The FIDO server typically uses it as the trust anchor when verifying attestation during registration, for example to accept only certified authenticator models.