
What is FIDO2 and How Does It Work? The Protocol Behind YubiKey Explained

FIDO2 is an open authentication standard built on public key cryptography, designed to replace passwords and to make credential phishing ineffective. It is the protocol behind YubiKey, passkeys, and the fingerprint or face unlock you use to sign in on your phone. In this post we explain how it works technically, without requiring you to be a developer to follow along.


How does FIDO2 work technically?

FIDO2 is based on a pair of cryptographic keys, one public and one private. The private key never leaves the device: it is not sent over the internet and it is not stored on any server. This is what makes FIDO2 fundamentally different from a password, which is a shared secret that both you and the server have to know.

🔐 The key pair explained

Private key: generated inside your YubiKey or device and kept there. It is never transmitted anywhere.

Public key: sent to the service (Google, GitHub, your bank) when you register the key. The service stores it to verify future authentication attempts.

Result: even if the service's server is hacked, the public key alone doesn't allow anyone to access your account.

The process has two distinct phases:

1. Registration

When you enable FIDO2 on a service, your device generates a new key pair specific to that website (more precisely, to its domain, the relying party ID). The public key is sent to the server and stored there together with a credential ID; the private key stays in your YubiKey.

2. Authentication

Each time you log in, the service sends a random, single-use cryptographic challenge. Your browser passes the challenge to the device along with the domain of the page you are on; the device signs both with the private key and returns the signature. The server checks that the challenge is the one it issued, that the domain is its own, and that the signature verifies with the public key it already has stored. If everything matches, you're in.

At no point is a password or any reusable secret transmitted: only a signature that is valid for that one challenge, on that one domain.


FIDO2 vs U2F vs WebAuthn — are they the same?

The three terms are related but not exact synonyms:

U2F: The original protocol from Yubico and Google, published through the FIDO Alliance in 2014. It only worked as a second factor: you needed password + key. Inside FIDO2 it lives on as CTAP1, which is why modern keys still accept old U2F registrations.

WebAuthn: The web standard (W3C) that defines how browsers expose authenticators to websites. It is the API that websites call (navigator.credentials.create to register, navigator.credentials.get to log in).

FIDO2: The complete set: WebAuthn plus the CTAP protocol (how the browser or operating system talks to your YubiKey over USB, NFC or Bluetooth). Allows passwordless login, not just use as a second factor.

In practice, when a modern YubiKey says "FIDO2", it means it's compatible with WebAuthn and can be used both as a second factor (like U2F) and as a complete passwordless login method.


Why FIDO2 is resistant to phishing

The reason FIDO2 stops phishing isn't just that it uses cryptography: it includes domain verification, known as origin binding. When you register your key on a website, the credential is tied to that site's domain (the relying party ID), and every signature also covers the origin of the page that requested it. The browser fills in both values from the page the user is actually on; the site cannot choose them.

⚠️ What happens with a fake website

If someone creates a website identical to your bank but on a different domain (for example, "secure-bank.com" instead of "bank.com"), your YubiKey simply won't respond. The browser only asks the key for credentials registered to the domain it is on, and the key has none for the fake one, so there is nothing to sign. Even a signature relayed from somewhere else would be rejected, because the server checks that the signed origin is its own. This is what makes traditional phishing useless against FIDO2: you can't "accidentally" enter your credentials on the fake site, because there are no credentials to enter.

This is the fundamental difference from SMS 2FA or authenticator apps: those methods generate a code that you read and type, and a phishing page can capture that code and relay it to the real site in real time. FIDO2 eliminates that step entirely.


What devices support FIDO2?

FIDO2 is not exclusive to YubiKey. These are the most common devices that support it:

🔑 Physical security keys

YubiKey, Google Titan, and other USB/NFC keys certified for FIDO2. The most secure option because the private key lives on a dedicated chip, isolated from the rest of the system.

📱 Phone biometrics

Face ID, fingerprint on Android or iPhone. Your phone itself acts as a FIDO2 authenticator, using its integrated security chip.

💻 Windows Hello

Facial recognition or fingerprint on laptops with Windows. Works as a built-in FIDO2 authenticator in the operating system.

If you want to better understand what this type of key is physically, see our guide on what a security key is and how it works.


FIDO2 and passkeys — is it the same?

Not exactly, but they're directly related. A passkey is a FIDO2 credential: it uses the same public/private key protocol underneath. The difference is in implementation and user experience:

🔄 The relationship between them

FIDO2: the technical protocol, which defines how keys are generated, scoped to a site and verified.

Passkey: the consumer name that Apple, Google, and Microsoft use for FIDO2 credentials, usually ones created on a phone or laptop that sync across your devices through the cloud (iCloud Keychain, Google Password Manager).

A YubiKey can also store passkeys; the difference is that with the physical key the private key doesn't sync anywhere, it stays physically on the device.


Frequently asked questions

Does FIDO2 work without the internet?

The cryptographic signing happens locally on your device, with no connection needed. But to complete the login you still need to reach the service you're authenticating with: the challenge has to come from the server, and the signature has to be verified there.

Can I lose access to my accounts if I lose my FIDO2 key?

If you only have one key registered and didn't set up an alternative method, yes. That's why it's recommended to register a second, backup key with every service where you use FIDO2, and to keep it somewhere separate from the first.

Do all browsers support FIDO2?

Yes. Chrome, Firefox, Edge, and Safari have supported WebAuthn/FIDO2 natively for several years. You don't need to install any additional extensions.

Does FIDO2 completely replace passwords?

It can. When a service implements FIDO2 as a complete login method (not just as an additional second factor), you can log in without typing any password, just with your key or your biometrics. Many services still only offer it as additional 2FA on top of a password.

Verdict

FIDO2 is not a technical fad: it's the real change in how we authenticate

Unlike passwords or SMS codes, FIDO2 removes the reusable secret from the wire. There's nothing an attacker can steal from a server or intercept in transit that would help them get into your account: the server holds only public keys, and each signature is valid for a single challenge on a single domain.

Understanding the protocol isn't required to use it, but it helps you see why a YubiKey is an investment in real security, not just another gadget.
