A FIDO2 authenticator is a software or hardware component that users interact with to verify their identities using the FIDO2 authentication standard. These authenticators generate passkeys (i.e., cryptographic key pairs) during user enrollment in FIDO2 MFA, protect the generated key details, and sign digital certificates for attestation during authentication. To effectively implement passwordless FIDO2 authentication, organizations must carefully select the right type of FIDO2 authenticator based on their business needs, their workforce's ability to adapt during rollout, and the long-term management requirements of the authenticator.
FIDO2 authenticators are classified into two types: platform authenticators and roaming authenticators.
Platform FIDO2 authenticators, also referred to as built-in, internal, or bound authenticators, are integrated into and inseparable from a user device—typically a laptop, desktop, or smartphone—that serves as the FIDO2 client. The device carrying the platform authenticator has a built-in Trusted Platform Module (TPM), which is often a biometric data collection mechanism such as a fingerprint or facial scanner.
The TPM securely stores the private key generated when the user enrolls in FIDO2 MFA. During authentication, the TPM shares the key with the service requesting the user's identity. When the device has no provision for biometric data collection, other identity verification methods, such as PINs, can be used. However, biometric authentication is more secure than traditional PIN-based authentication.
Roaming FIDO2 authenticators, also referred to as cross-platform or external authenticators, are devices that are separate from the FIDO2 client device (i.e., they are not built into the same platform or OS as the FIDO2 client device). Using near-field communication (NFC), USB, or Bluetooth, a roaming authenticator connects with the client device to present the user's identity claims to it. These authenticators store the cryptographic key details required for FIDO2 authentication, allowing users to carry their credentials and authenticate across multiple client devices.
Choosing between platform and roaming FIDO2 authenticators depends on your organization's needs. If your organization primarily has a stable workforce using consistent devices, then platform FIDO2 authenticators will suit you better. These platform authenticators are beneficial because they require no additional hardware, provide seamless integrations, and are convenient for users. Since they don't require additional hardware, they are also cost-effective to implement. The only drawback of platform authenticators is that they are confined to the device they are built into and thus are not user-friendly for users who switch devices frequently.
If your employees work in diverse settings or need flexibility across devices, roaming authenticators are likely the better choice. Roaming authenticators are portable, independent of devices, and have robust security features. Two drawbacks of roaming authenticators are that users must carry them securely and that they cost more because you need to purchase external devices.
ADSelfService Plus, an identity security solution with MFA, SSO, and password management capabilities, supports passwordless, phishing-resistant FIDO2 authentication to secure access to cloud applications, Outlook on the web logins, and more. It uses the WebAuthn API to provide secure, customizable FIDO2 authentication, supporting both platform and roaming authenticators:
FIDO2 is one of three protocols established by the Fast Identity Online (FIDO) Alliance for authentication in web and non-web applications. The other two are Universal 2nd Factor (U2F) and Universal Authentication Framework (UAF). While all three use a common public-key-based framework, each is tailored to different use cases and user experiences.
Yes, FIDO2 eliminates passwords and authenticates users with stronger identity verification methods, such as biometrics and security keys. It employs public-key cryptography and authenticates users with the help of passkeys in the back end.
To learn more about the differences between passkeys and passwords, click here.
Yes, passkeys work using the FIDO2 authentication standard. To understand what passkeys are and how they work, click here.
FIDO2 supports the registration of multiple keys for a single account. While the standard itself doesn’t impose a strict limit, the number of keys you can register may depend on the platform or service. Typically, you can have several keys, like a hardware key, a biometric authenticator, and a backup key, to provide redundancy and convenience.
FIDO2 MFA in ADSelfService Plus allows users to enroll in up to three FIDO2 credentials for authentication.
A smartphone can function as both a platform and a roaming FIDO2 authenticator, depending on how it is used: