FIDO2 Security Keys: A Practical Guide

Key takeaways

• Passwordless authentication: FIDO2 security keys replace traditional passwords with phishing-resistant cryptographic credentials.
• Strong protection: Private keys never leave the device, preventing credential reuse, phishing, and data breach exploitation.
• User-friendly: Supports fast, seamless logins with a tap, PIN, or biometric, while working across browsers, devices, and operating systems.
• Flexible options: Available in USB, NFC, Bluetooth, and biometric formats to fit different environments and needs.
• Best practices: Register multiple keys, enable PIN/biometric checks, keep keys physically secure, and ensure regular updates for compatibility

What is a FIDO2 security key?

A FIDO2 security key is a physical authenticator that enables passwordless login using public-key cryptography. 

A FIDO2 security key is a physical device that supports the FIDO2 standard for passwordless authentication. It replaces traditional passwords with phishing-resistant cryptographic credentials, allowing users to securely log in to online services without typing or storing shared secrets.

These keys act as “roaming authenticators,” meaning they work across different computers and devices. They connect via USB, NFC, or Bluetooth, and also confirm a user’s presence or verification (e.g., pressing a button, entering a PIN, or using a built-in biometric sensor).

Security keys generate and store private cryptographic keys. When logging in, the service being accessed issues a challenge and the security key signs with its private key. The public key, stored with the service provider, is used to verify the signature. This process ensures that the private key never leaves the device,so it cannot be intercepted or exfiltrated.

Recent research from the FIDO Alliance shows that awareness and adoption of passkeys (the user-friendly, FIDO2-based authentication method) is rapidly increasing, with 74% of consumers now familiar with them. Users believe passkeys offer stronger security and greater convenience compared to traditional passwords. 

This shift is driven by an increase in the number of people who have experienced a breach. More than 35% of people experienced account compromises due to password vulnerabilities in the previous year, highlighting the urgent need for phishing-resistant security solutions like FIDO2 keys.

FIDO2 security keys can be used as the sole method of authentication or as part of multi-factor authentication. They are especially useful for high-security environments, supporting both consumer services like Google or Microsoft accounts and enterprise systems through single sign-on platforms.

In this article:

How does FIDO2 work?

FIDO2 works by registering a device-bound key pair and verifying logins with a signed server challenge.

FIDO2 works through a combination of two core protocols:

• WebAuthn: a browser-based API that enables websites and apps to request and manage FIDO2 authentication.
• CTAP2: a protocol that allows external authenticators, such as security keys or mobile devices, to communicate with the client device.

Here’s the typical workflow:

1. Registration
   • The user visits a FIDO2-enabled site or application and chooses a supported authentication method (e.g., security key, fingerprint, or face scan).
   • The authenticator generates a unique key pair: the private key is stored locally on the user’s device or key, and the public key is sent to the service provider.
     
2. Authentication
   • On future logins, the service sends a cryptographic challenge to the user’s device.
   • The user proves their presence by performing the chosen gesture (pressing the key, scanning a fingerprint, etc.).
   • The authenticator signs the challenge with the private key and returns it.
   • The service verifies the signature with the stored public key and grants access.

Because private keys never leave the device and each key pair is unique to the service, FIDO2 authentication is designed to prevent credential reuse, phishing, and man-in-the-middle attacks. It works across major browsers, operating systems, and devices, supporting both platform authenticators (built into the user’s device) and cross-platform authenticators (external security keys or mobile devices).

What are the benefits of FIDO2 security keys?

The main benefits are stronger security, simplified logins, and reduced reliance on passwords.

FIDO2 security keys offer a strong, user-friendly alternative to traditional passwords by using cryptographic credentials that stay on the device. This approach improves security, reduces friction for users, and scales easily across platforms and services. 

Key benefits include:

• Phishing resistance: Prevents attackers from stealing login credentials through fake sites or man-in-the-middle attacks, since private keys never leave the device.
• Data breach protection: Even if a service provider’s database is compromised, stolen public keys cannot be used to log in.
• No password fatigue: Removes the need to create, remember, and reset complex passwords.
• Fast and seamless login: Enables quick sign-ins with a single tap, PIN, or biometric scan.
• Multi-device support: Works across different devices and platforms using standard protocols (USB, NFC, Bluetooth).
• Compliance-aligned: Helps organizations satisfy modern authentication expectations and NIST guidance and supports broader GDPR and HIPAA compliance programs when combined with appropriate controls and processes.
• Scalable for organizations: Can be deployed across multiple systems and users and significantly reduces password policy overhead where FIDO2 is enabled.
• Offline attack prevention: Protects credentials from offline cracking since secrets are never transmitted or stored in centralized databases.

What are the different types of FIDO2 security keys?

FIDO2 security keys come in different formats and capabilities, allowing users and organizations to choose the right balance between convenience, compatibility, and security. Common types include:

• USB security keys: Plug into USB-A or USB-C ports.
• NFC security keys: Tap to sign in on NFC-enabled devices.
• Bluetooth security keys: Pair over Bluetooth for devices without USB or NFC.
• Biometric security keys: Include on-key fingerprint sensors for user verification.
• Multi-protocol keys: Support FIDO2 and other protocols for broader compatibility.
  

Related content: Read our guide to FIDO authentication

What are the best practices for using FIDO2 security keys?

Best practices include registering at least two keys, updating firmware, and storing a spare securely.

Organizations should consider the following practices when adopting FIDO2 keys for securing access to their devices and systems.

Register multiple keys

Never rely on a single registered FIDO2 key for account access. Each account should have at least two keys enrolled, preferably from the start, so users maintain access if their primary key is lost, damaged, or inaccessible.

• Primary + backup strategy: Assign one key for everyday use and keep another locked in a secure location (e.g., a safe at the office or with your IT department).
• Geographic separation: For hybrid or traveling staff, store one key at home and one in the workplace to cover all work environments.
• Shared responsibility: For high-value accounts, such as administrator profiles, keep backups in controlled custody with IT security staff to avoid personal loss affecting business continuity.
• Account recovery advantage: With multiple keys pre-registered, you avoid having to rely on less secure recovery methods like emailed reset links or SMS codes.

Some services allow registering keys of different types (e.g., a hardware USB key and a mobile device-based key) for even greater resilience.

Use the right key type for your needs

FIDO2 authenticators come in two main categories: platform authenticators (built into a device) and roaming authenticators (external, portable hardware). The choice depends on how and where authentication will occur.

• Platform authenticators (e.g., Windows Hello, Apple Touch ID/Face ID, Android Fingerprint) are built into the device. They are quick to use, but they only work on that device. They are best for employees who always use the same assigned workstation or laptop.
• Roaming authenticators (e.g., YubiKey, Hideez Key, NFC-enabled cards) can connect via USB, NFC, or Bluetooth and work across devices. They are essential for users who switch between multiple systems, travel frequently, or use shared workstations.
• Device-bound passkeys are associated with a single piece of hardware and are preferable in high-security or compliance environments according to recent NIST guidance. 
• Synced passkeys, supported by platforms like iCloud Keychain or Google Password Manager, can meet lower assurance requirements and offer greater convenience for personal accounts.

Tip: Match the authenticator type to the security level of the account. High-risk systems (financial records, production servers) should use device-bound keys. Lower-risk accounts (internal knowledge bases) may allow synced passkeys for convenience.

Combine with biometric or PIN verification

A FIDO2 key without local user verification is still secure against remote attacks, but if it’s stolen, someone could use it unless there’s a second layer of protection. Many modern keys allow you to require biometric or PIN verification before signing any authentication request.

• Biometric checks: Built-in fingerprint sensors or face recognition on the key itself ensure only the authorized person can use it.
• Device-specific PINs: If biometrics aren’t available, a PIN tied to the device provides strong protection. This PIN is verified locally by the key and never transmitted, meaning it’s not susceptible to phishing or database leaks.
• Policy enforcement: For highly sensitive systems, mandate that all enrolled keys have user verification enabled, and disallow keys that are configured in “touch-only” mode (no PIN or biometric).

This approach mirrors multi-factor authentication in a single device: something you have (the key) plus something you are or know (biometric or PIN).

Keep keys physically secure

A lost key can’t be used remotely without the private key leaving the device, but in the wrong hands, it could be used for in-person authentication if no PIN or biometric is set.

• Storage: Keep backup keys in a locked cabinet or safe with access limited to authorized staff.
• On-the-go protection: Use keychains, retractable lanyards, or cases to reduce loss during travel. Ruggedized or waterproof models may be appropriate for field work.
• Loss protocols: Have a written process for immediately reporting and revoking a lost or stolen key in the service’s admin console.
• Inventory control: Maintain an up-to-date record of issued keys, including model, serial number, assigned user, and activation date.

Keys should be treated with the same care as company ID badges or building access cards; they are physical access devices for digital systems.

Stay updated and test compatibility

FIDO2 technology evolves rapidly, with manufacturers releasing firmware updates to address security issues, improve performance, and add compatibility with new standards.

• Firmware management: Establish a quarterly or semi-annual schedule for checking and applying updates from the vendor. Some keys require connecting to a desktop app for updates.
• Pre-deployment testing: Before issuing keys organization-wide, verify they work with all required operating systems, browsers, and applications.
• Legacy system considerations: If your environment includes older systems that don’t natively support FIDO2, test fallback authentication methods and document them. This prevents scenarios where users are locked out due to incompatibility.
• Vendor diversification: Test keys from more than one vendor to avoid dependence on a single supply chain, which can be important in regulated or mission-critical environments.

Implementing FIDO2 authentication with Frontegg

Frontegg makes it easier to roll out FIDO2 security keys across your organization without adding to your engineering backlog. Our low-code CIAM platform gives product, infosec, and support teams the autonomy to enforce secure, passwordless authentication while developers stay focused on building core features.

With built-in support for USB, NFC, and Bluetooth-based FIDO2 keys, Frontegg lets you standardize strong authentication across devices and users. Frontegg provides built-in FIDO2 support and admin tooling so teams can enable passwordless authentication with only light configuration. 

Centralized logs, lifecycle management, and intuitive admin tools ensure that identity remains both distributed and controlled. The result is stronger security, happier teams, and significantly less developer toil.

Try it today. 

Glossary of terms

• FIDO2: A set of open authentication standards combining WebAuthn and CTAP2 to enable passwordless, phishing-resistant login.
• WebAuthn: A W3C standard API that allows browsers and web apps to register and authenticate users with FIDO2 credentials.
• CTAP2: Client to Authenticator Protocol 2, which enables communication between an authenticator (like a security key) and a client device.
• MFA: Multi-Factor Authentication, requiring two or more independent methods (such as a password plus a FIDO2 key) to verify identity.
• CIAM: Customer Identity and Access Management, systems that manage user identities and authentication across digital services.