Fast Identity Online

An open standard for passwordless authentication.

The current version of FIDO, FIDO2, consists of two specifications: the W3C Web Authentication (WebAuthn) API, which a website or application calls from the browser, and the Client to Authenticator Protocol 2 (CTAP2), which the browser uses to talk to an external authenticator. Together they let a user sign in to a website, application or service without a traditional password. At registration the user enrols an authenticator (a hardware security key, or a phone or laptop with a built-in authenticator) with the service, which FIDO calls the relying party. The authenticator generates a new asymmetric keypair for that relying party: the private key never leaves the authenticator, and only the public key is sent to and stored by the service. At login the relying party sends a fresh random challenge. The user proves presence or identity to the authenticator locally, by touching the security key, or by entering a PIN or password (ironically) or, ideally, a biometric, and the authenticator signs the challenge together with the relying party's identifier using the private key. The service verifies that signature against the stored public key. The PIN or biometric is only ever checked on the device and is never sent to the service.

FIDO mitigates several threats that passwords are exposed to. Phishing and man-in-the-middle attacks fail because the signed response is bound to the origin the browser is actually talking to and to a one-time challenge, so a response produced on a look-alike site is rejected by the real one and cannot be replayed. Credential stuffing, password reuse and password-database breaches fail because the service holds only public keys, which are of no use to an attacker. One caveat: FIDO protects the login step; the session that the login creates (cookies or tokens) still needs the usual protections. It is also better UX, since the user no longer has to remember, rotate or recover passwords.