The end of passwords?

Phishing attacks, data leaks, and compromised access data such as passwords are not only the weakest link in IT security but also one of its most costly aspects. Yet they still dominate the daily operations of many companies. Why? Because passwords are easy to implement and everyone knows how to use them, even if they are neither very practical nor very secure.

With FIDO (Fast Identity Online) and passkeys, a standard now exists that not only rethinks security but also greatly improves user-friendliness. In this article, we explain why FIDO-based authentication is essential for a modern access management strategy and how companies can effectively adopt FIDO with Pointsharp.

What is FIDO?

FIDO (Fast Identity Online) is an open authentication standard developed by the FIDO Alliance, a group of leading technology companies including Google, Microsoft, Apple, Yubico, Samsung, and others. They work together to achieve a common goal: making digital authentication secure, compatible, and easy to use. 

The fundamental principles of FIDO 

  • No more passwords: Instead of remembering something, users rely on a physical security key or biometric features like fingerprints or facial recognition. A fingerprint or security key is not itself the passkey, though; it is what unlocks the passkey stored on the device.
  • Secure through technology: FIDO uses public-key cryptography. A key pair is generated, with the private part stored on the device or in a digital keychain and the public part stored with the provider.
  • Authenticating directly on the device: Identity is verified locally, such as on the smartphone or a hardware token, and is not transmitted over the Internet.
  • Protection against phishing: Since no sensitive data, such as a password, is entered or transmitted, phishing attacks are ineffective. In fact, passwords do not even exist in a setup like this.

These principles make FIDO a true alternative to traditional passwords, not just in security but also in user convenience. Instead of remembering or constantly resetting passwords, users authenticate with biometric features or security keys. The result is a faster, more secure, and simpler login process, a gain for both IT security and the user experience.


FIDO2, U2F, UAF - what does that mean?

FIDO serves as a general term for different protocols. 

  • FIDO U2F (Universal Second Factor): Adds a physical security key to an existing password and enables login using a device like a USB security key (for example, a YubiKey).
  • FIDO UAF (Universal Authentication Framework): Facilitates biometric and passwordless login, perfect for mobile devices.
  • FIDO2: The latest version, which includes the Client-to-Authenticator Protocol (CTAP) and the web standard WebAuthn, fully supports passwordless logins.

With FIDO2, you can log in entirely without a password using a fingerprint, face scan, or FIDO token like the YubiKey (FIDO Stick) or a smartphone. 

Why FIDO? Advantages for companies at a glance 

The introduction of FIDO not only offers technological benefits but also has a measurable impact on costs, security, and user satisfaction:

  • Lower IT support costs
  • Increased security
  • More productivity
  • Data protection & compliance

FIDO & Passkeys in practice

What is a FIDO Passkey? 

"Passkey" is the everyday name for a FIDO credential, and the two terms are used more or less interchangeably. A passkey is a cryptographic key pair: the private key is stored securely on the user's device, while the public key is sent to the application or service. Access is then granted through local authentication, such as fingerprint or facial recognition, quickly, securely, and without a password.

Advantages:

  • Works on all devices
  • Phishing is not possible, because no password is ever entered

An example: logging into an SAP system with a fingerprint on a smartphone, without a password and without delay. 

How does passkey authentication work?

FIDO-based authentication with passkeys uses asymmetric (public-key) cryptography with a key pair.

  1. Registration
     Users enroll with a security key (e.g., a YubiKey) or a device-bound passkey (such as the TPM in Windows computers or the Secure Enclave in Macs), usually unlocked through biometrics. A key pair is generated in the process:
     1. The private key remains securely on the device, security key, or digital keychain and cannot be exported.
     2. The public key is transmitted to the service provider and stored there.
  2. Login and authentication
     When logging in, the service issues a challenge, which the user's device signs locally with the private key. The server then verifies the signature with the stored public key.
  3. Local verification with biometric security
     The private key can only be used after the user authenticates locally on the device, for example with a biometric feature or a PIN. This guarantees that access is granted only to an authorized user.
  4. No password required
     No password is needed or ever transmitted. This makes the method resistant to phishing, credential theft, and replay attacks.

This architecture prevents:

  • Man-in-the-middle attacks, because the private key stays on the device and the signature is created locally.
  • Replay attacks, because a new, unique challenge is used for each login.
  • Theft of passwords, because there are no passwords that could be intercepted or guessed.

Integration with Pointsharp: This is how passkeys become a real solution

Pointsharp makes passkeys ready for use in everyday corporate life, embedded in a holistic access management strategy.

Passwordless multi-factor authentication (MFA)

  • A combination of passkey and biometric verification meets the highest requirements for strong two-factor authentication.
  • Support for YubiKeys, other security key brands, and device-bound alternatives.

Central user and token management

Management of FIDO authenticators across the entire lifecycle:

  • Centralized management
  • Enroll on behalf
  • Time-limited tokens
  • And much more

Compatible with existing IT

  • Integration with Microsoft Active Directory, Azure AD, Citrix, SAP, and others.
  • Support for hybrid infrastructures (on-premises and cloud).
  • Use of mobile devices with passkey app-based authentication for maximum flexibility.

Conclusion: FIDO is more than a standard; it is the future of authentication.

FIDO and Passkeys are no longer just future concepts; they are ready to use today, secure, user-friendly, and cost-effective. Companies that adopt FIDO-based authentication gain a double advantage: they lower security risks and boost employee satisfaction. 

Pointsharp is a partner that not only integrates passkey authentication but also embeds it in a comprehensive access management strategy, covering everything from login to token management, spanning from the cloud to the local server.