
What Are FIDO2 Security Keys and How Do They Work?

Online accounts are often attacked by phishing, stolen passwords, and fake login pages. Many users lose access to their personal or work data because someone else guesses or steals their password. Even two-factor codes sent by message or email can be tricked or copied. These problems show that passwords are not a safe way to protect important information.

FIDO2 security keys offer a better method through passwordless authentication. This means users can log in without typing any password at all. Instead, the login works by using public key cryptography and verifying the real user through a secure device. This stops attackers from using stolen passwords or fake websites. 

This article explains what a FIDO2 security key is, how it works, and how it enables secure, passwordless authentication using public key cryptography.

What is a FIDO2 Security Key?

A FIDO2 security key is a physical device used for secure online login. It uses public key cryptography to prove your identity to a website or service without sending any passwords. The key is part of the FIDO2 standard, which is made up of WebAuthn (the browser API a website calls) and CTAP (the protocol the browser uses to talk to the key). Together, these standards allow browsers, websites, and devices to work together for strong authentication.

When you register on a website using a FIDO2 key, a unique key pair is created for that website. The private key stays safely inside your device, while the public key goes to the website.

Later, during login, the website sends a random challenge and the device signs it with the private key. The signed response proves that you are the real user without needing to type a password.

Types of FIDO2 Authenticators

1. Roaming Authenticators

Roaming authenticators are external devices that you can carry and use on different computers or phones. They connect to devices through USB, NFC, or Bluetooth. These authenticators store your private keys and allow you to log in by touching the device or using a fingerprint.

These authenticators are helpful when users move between devices or work in shared environments. The same key can be used across multiple platforms, but it still creates a separate key pair for each website. This keeps the login process secure and separate for every service.

2. Platform Authenticators

Platform authenticators are built into your computer or phone. They include features like fingerprint readers, facial recognition, or secure hardware chips. These authenticators stay inside one device and cannot be moved between devices.

When using a platform authenticator, the private key never leaves the device. The login works when the user proves their identity through a built-in method, like touching a fingerprint sensor. This keeps the authentication tied to that specific device and user.

Key Benefits of FIDO2 Security Keys

1. Protection Against Phishing and Replay Attacks

FIDO2 security keys protect against phishing by making sure that the login only works on the real website, not on fake ones. When you use the key, the browser passes the website's origin to it, and the credential is bound to the site it was registered with, so a look-alike site cannot obtain a valid response. This also blocks replay attacks because the login uses a new cryptographic challenge every time, so a captured response cannot be reused.

2. Passwordless and Fast Authentication

FIDO2 lets users log in without typing a password. Instead, the key sends a cryptographic response after user verification, like touching the device or using a fingerprint. This process is faster than entering usernames and passwords and removes the risk of password theft.

3. Device-Specific Cryptographic Verification

Each FIDO2 key generates a unique key pair for every website. The private key stays only on the user’s device and is never shared. This means that even if someone steals data from a website, they cannot use it without access to the original device.

4. Privacy-Preserving (No tracking or shared secrets)

FIDO2 does not link your accounts or track your activity across websites. Each registration creates a different key pair, and no shared secrets, like passwords, are sent to the server. This keeps your identity and usage private while still verifying you correctly.

How Do FIDO2 Security Keys Work?

1. Registration: Generating a Unique Key Pair

The registration process starts when a user connects the FIDO2 security key to a device and begins account setup on a supported website. During this step, the key creates a new key pair consisting of a public key and a private key.

The public key is sent to the website and stored with the user’s account. The private key stays safely inside the FIDO2 security key and is never shared.

The device may also ask for user verification during registration. This could be touching the key, entering a PIN, or using a fingerprint. Once registration is complete, the website can use the stored public key to verify future logins. Each website gets a different key pair, so accounts stay separate and secure.

2. Authentication: Proving Identity with the Private Key

When the user tries to log in later, the website sends a challenge to the user’s browser. This challenge is a random message that needs to be signed by the private key. The FIDO2 security key signs this challenge only if the correct user action is taken. This action could be a tap, a fingerprint, or a PIN.

Once the private key signs the challenge, the signed response is sent back to the website. The website uses the stored public key to check whether the signature is valid for that challenge.

If the signature checks out, the login is approved. This process proves that the person logging in has the original security key and is the right user, all without using a password.

3. Public-Key Infrastructure (PKI) in the Background

The core of FIDO2 authentication is public key cryptography, following the same principle as Public Key Infrastructure: the private key is used to sign data, and the public key is used to check that signature. This makes sure the response came from the holder of the private key and has not been changed.

Unlike traditional PKI systems, FIDO2 does not need certificates from a central authority. Instead, it uses key pairs that are tied to the origin of each website. This design reduces the chance of stolen credentials and keeps each login session unique and safe. The private key never leaves the user’s device, which adds another layer of protection.

4. Role of Client (Browser) and Server

The client is the device and browser that the user interacts with. When the user starts the login process, the browser talks to the FIDO2 security key through a standard called CTAP. The browser also uses WebAuthn to send and receive messages from the website. The browser acts as a bridge between the security key and the server.

The server belongs to the website the user is trying to access. It holds the public key that was saved during registration. When the server sends a challenge to the client, it expects a signed response.

The client helps prepare that response using the security key and sends it back to the server. The server checks the response using the stored public key and approves the login if it is correct.

5. Use of Cryptographic Challenge-Response

FIDO2 uses a cryptographic challenge-response to make sure the login is real. A challenge is a random message that the server creates and sends to the user’s device. This challenge changes every time and prevents someone from reusing old data.

The FIDO2 key signs this challenge using the private key stored inside it. The signed response is sent back to the server. The server checks the signature using the stored public key. If the check passes, it means the user has the correct private key and has completed any needed verification. This method proves the user’s identity without sharing any secrets.

6. Biometric or Tap-Based User Verification

FIDO2 security keys may require user verification to prove that the right person is using the key. FIDO2 distinguishes user presence, shown by tapping the key, from user verification, which needs a PIN or a fingerprint; the key will not sign the challenge until the required step is completed.

Biometric verification means using a body trait like a fingerprint or face. The security key checks this data on the device and does not send it anywhere. This keeps the process private. If the user passes the check, the key signs the challenge. This step confirms that the action came from the real user.

Take the Next Step with FIDO2 Security Keys Using SSH Enterprise Solutions

FIDO2 security keys are a strong foundation for passwordless authentication, protecting against phishing and credential misuse. However, in large environments, managing who has access to what, when, and how requires more than just hardware tokens.

SSH solutions build on the power of FIDO2 by enabling centralized access control, eliminating static credentials, and supporting just-in-time access through Zero Trust models. Whether you are securing IT, OT, or hybrid cloud systems, SSH provides the tools to scale passwordless authentication with strong governance and visibility.

Get a demo or trial of any SSH solution to see how FIDO2 fits into a complete secure access strategy.

FAQ

What is a FIDO2 security key?

A FIDO2 security key is a small physical device used for secure, passwordless login. It uses public key cryptography to prove your identity.

How does a FIDO2 security key work?

It creates a unique key pair during registration and signs login challenges using the private key. The server checks this with the stored public key.

What are the benefits of using a FIDO2 security key?

It protects against phishing, removes passwords, and keeps login data private. It works only on the real website you registered it with.

How do I set up a FIDO2 security key?

You plug in the key or tap it on your device, then follow the website’s setup steps. It creates a key pair and links the device to your account.

What should I do if I lose my FIDO2 security key?

Use your backup login method if available, or contact the service to recover access. Always keep a backup key or recovery option ready.