What is FIDO2?

FIDO (Fast Identity Online) is the umbrella term for FIDO Alliance’s newest set of specifications. Passkeys – based on FIDO2 technology – enable users to authenticate quickly and securely to online services without using password anymore.

Passkeys & FIDO2 authentication is the industry’s future proof solution to the global password challenge and addresses all the concerns of traditional authentication, by providing phishing-resistant authentication combined with enhanced user experience in both desktop and mobile environments.

Why should Federal agencies consider FIDO?

Convenient

FIDO2 is a passwordless authentication method so users don’t need to remember their passwords. To facilitate user adoption, you can combine it with biometrics such as fingerprints.

Phishing-resistant

Leveraging asymmetric public key cryptography, FIDO2 protects against phishing attacks because each private key is bound to a service domain. If the accessed service is fake, authentication fails.

Prevent attacks

FIDO2 security key protects against man-in-the-middle (MiTM) attacks because each private key is stored securely in the hardware device.

Future-proof

Modern web applications support FIDO2. Cybersecurity agencies and analysts rank FIDO2 security key as the “gold” technology to invest in (NIST, ENISA, CSA, Gartner…).

Authenticate anywhere

Various form factors such as smart cards and USB tokens, with contactless option, allow users to authenticate from their mobile devices or from shared desktops.

Easy to deploy

Based on open standard, FIDO2 simplifies systems compatibility. It removes password-related help desk costs and lower IT overheads (no separate infrastructure required).

eBook: The Comprehensive Guide on Phishing-Resistant MFA, Passkeys and FIDO security keys.

Phishing-resistant MFA is multi-factor authentication immune from attempts to compromise or subvert the authentication process, commonly achieved through phishing attacks such as MFA fatigue. Phishing resistance within an authentication mechanism is achieved by requiring each party to provide proof of their identity and intent through deliberate action.

Download this eBook to learn more about phishing-resistant MFA and how to apply the following four-step approach to comply with  phishing-resistant MFA requirements.

Download Now

FIDO2 Device Benefits

Thales multi-factor authentication devices use current and emerging protocols to support multiple applications at the same time. Use one security key that combines FIDO2, WebAuthn, U2F, and PKI to access both physical spaces and logical resources.

Best in class security

  • Thales controls the entire manufacturing cycle and develops its own FIDO crypto libraries, which reduces the risk of being compromised.

Support for multiple use cases

  • Combine FIDO, PKI and physical access in a single device
  • Experience a strong authentication from mobile endpoints

User convenience for better adoption

  • Support for biometric (fingerprint on smart card)
  • Sensitive presence detector on USB FIDO key

Compliant with high security market standards

  • U2F and FIDO2 certified
  • Compliant with US and EU regulations for phishing-resistant authentication
  • Manufacturing in Europe and Trade Agreement Act (TAA) compliancy in option
  • FIPS and CC certified for PKI operations

Robustness & Scalability for a long-life duration

  • Hard molded plastic, tamper evident USB FIDO keys
  • No damage to USB ports thanks to sensitive presence detector
  • Support for firmware updates for better maintenance and upgradability

Enterprise FIDO-ready

  • Comply with FIDO2.1 specifications
  • Benefit from Thales FIDO Enterprise features
  • Use SafeNet FIDO key Manager for free

Thales FIDO Authentication Solutions

Enterprise Edition

Thales Enterprise Edition FIDO2 Security Keys

Discover our Thales enterprise edition tokens, with our unique Thales features, build to be deploy at large scale within your agency.

Take the control of your key life cycle

  • FIDO enterprise ready.
  • Improve your security policy by controlling the FIDO keys life cycle.
  • Improve End User Experience with the option to preregister the key on his behalf or unblock the key without having the reset all data.

Thales Enterprise Features

  • Manage FIDO Keys
  • Ensure appropriate usage of FIDO Keys
  • Unblock FIDO Keys
  • Manage Reset
  • Ensure Persistent PIN Length
  • Enforce user verification
Learn More

FIDO USB Tokens

Secure access to web applications and devices using FIDO with SafeNet eToken FIDO series

  • Ideal solution for organizations to go passwordless
  • Compact, tamper-evident USB tokens, available in type A and C (TAA-Compliant), and NFC
  • Presence detection sensor to confirm human presence
  • Ideal for privilege users, frontline and temporary workers
  • Quick access for employees to any shared device such as PC or tablet

FIDO + PKI + Biometric

SafeNet IDPrime FIDO Bio Smart Card

Combining biometrics and NFC, the innovative SafeNet IDPrime FIDO Bio Smart Card allows end users to authenticate from multiple types of devices securely and easily, with just a fingerprint instead of a password.

SafeNet eToken Fusion Bio – Authenticate to your data with your fingerprint

By combining biometric fingerprint verification, FIDO2, and PIN-based PKI support in a single device, it brings phishing-resistant, passwordless authentication to life without disrupting users. A simple fingerprint replaces passwords and codes, strengthening identity security while accelerating user adoption of phishing-resistant MFA across the organization.

Learn More

FIDO + PKI Smart Cards

Extend modern FIDO authentication to PKI use cases with SafeNet IDPrime FIDO Smart Cards series

  • New generation of PKI smart cards
  • Facilitates cloud migration and authentication modernization
  • Support FIDO and PKI use cases: authentication, digital signature, and file encryption
  • One single badge for securing access to legacy apps, network domains and cloud services
  • Use on multiple devices from desktops to tablets thanks to NFC
  • Help organizations to meet their market regulations

Fusion Series (FIDO + PKI USB Tokens)

Extend modern FIDO authentication to PKI use cases with SafeNet eToken Fusion Series.

  • New generation of PKI USB Tokens
  • Facilitates cloud migration and authentication modernization
  • Support FIDO and PKI use cases: authentication, digital signature, and file encryption
  • One single token for securing access to legacy apps, network domains and cloud services
  • Use on multiple devices from desktops to tablets thanks to NFC option
  • Help organizations to meet their market regulations
  • “Enterprise FIDO ready” in option to help organizations control their life cycle
Learn More

FIDO + Physical Access

Combine digital access with physical access.

Thales offers organizations smart cards combining physical access with digital PKI/FIDO authentication. Converged Badge is an ideal solution for organizations who need to protect access to secure areas and sensitive digital resources. Cost of badge deployment and fleet management are significantly reduced and the adoption by employees is facilitated.

Manage FIDO Keys

Control your FIDO keys’ life cycle thanks to Thales FIDO Enterprise Features.

Thales FIDO enterprise features allow organizations to manage their FIDO keys securely and easily throughout their life cycle. They add an administration layer and configuration policies to help IT teams deploy, administer, and support the end user. Beyond the FIDO Alliance FIDO2.1 specifications, Thales FIDO enterprise features offer organizations:

  • Better security – enforcing user verification during authentication from any device, managing the minimum PIN length and protecting the PIN policy set, preventing data in fido keys from malicious or non-intentional deletion
  • Appropriate usage of organization assets – limiting the usage of the FIDO authenticators to a list of preferred services
    • Reduced IT costs & better User Experience – unblocking the FIDO key without resetting all key data, allowing end users to set and change their PIN code in self-service

    Learn more about Thales FIDO Enterprise Features supported by SafeNet FIDO Key managerVersasec Credential Management System and OneWelcome FIDO Key Lifecycle Management Solution.

  • Reduced IT costs & better User Experience – unblocking the FIDO key without resetting all key data, allowing end users to set and change their PIN code in self-service

Enterprise FIDO Management

Thales eToken FIDO Enterprise Functionality (EF) gives agencies a way to centrally manage FIDO issuance and lifecycle.

  • PIN unblock without device reset
  • Token attestation enforcement
  • FIDO application whitelisting
  • Administrator controlled FIDO reset
  • Administrator enterprise management key
    • Retrieve Relying Party (RP) ID list
    • List all credentials for a specific RP
    • Delete and update FIDO credentials
    • Set minimum PIN length
    • Force change PIN
    • Set allowed RP ID list to get MinPin length information
    • Enforce user verification

Meet stringent compliance mandates

Thales FIDO2 security keys, USB Tokens and smart cards let you meet all your regulatory needs. They are FIDO2 and U2F certified. The combined PKI-FIDO keys are compliant with the US Executive Order mandate for phishing-resistant MFA and NIST regulations. They are FIPS 140-2 or Common Criteria (CC) certified.

Resources

ImageTitleLink
CTO Sessions On Demand Webcast: Everything You Need to Know About Phishing-Resistant MFA
CTO Sessions On Demand Webcast: Everything You Need to Know About Phishing-Resistant MFA
Download
CTO Sessions: Best Practices for Phishing-Resistant MFA: FIDO & PKI
CTO Sessions: Best Practices for Phishing-Resistant MFA: FIDO & PKI
Download
eBook: The Comprehensive Guide on Phishing-Resistant MFA, Passkeys and FIDO security keys.
eBook: The Comprehensive Guide on Phishing-Resistant MFA, Passkeys and FIDO security keys.
Download
Product Brief: SafeNet eToken Fusion Bio
Product Brief: SafeNet eToken Fusion Bio
Download
Product Brief: Thales FIDO2 Devices
Product Brief: Thales FIDO2 Devices
Download
Product Brief: Thales Fusion Authenticators
Product Brief: Thales Fusion Authenticators
Download
White Paper: Meeting U.S. Government requirements for phishing-resistant MFA
White Paper: Meeting U.S. Government requirements for phishing-resistant MFA
Download

Frequently Asked Questions

What is a FIDO2 security key?

It is a USB or smart card companion device that you can use to securely access sensitive online services without using a password. It uses the FIDO2 (Fast identity Online) standard developed by the FIDO Alliance.

How do FIDO2 tokens work?

The FIDO (Fast identity Online) protocol requires a “user gesture” (touch or tap the token) and/or a user verification (via a PIN or biometric) before the private key can be used to sign a response to an authentication challenge.

To access an online service, you just need to follow the online guideline displayed on the user interface: when requested, plug the token into the USB port of your device touch the sensitive sensor to confirm your presence, enter your PIN and you are logged in. Alternatively, if you use contactless and biometric token such as the SafeNet FIDO Bio Smart Card, you just tap the card on your device while putting your finger on the biometric sensor and you are in!

What are passkeys in FIDO2?

In FIDO2, passkeys are password replacements that provide faster, more accessible, and more secure sign-ins to websites and apps. They are resistant to phishing and credential stuffing, and designed so that there are no shared secrets.

There are two types of passkeys: synced passkeys (can be exported via a cloud service to another device) and device-bound passkeys (stored in a single device and cannot be copied). FIDO2 security keys/ tokens are device-bound passkeys.

Can FIDO2 tokens be used with mobile devices?

Yes, FIDO2 tokens can be used with any mobile device, but depending on the connector of the token (USB-C or USB-A), the user may need to use an adaptor. If the token and the device are compatible with NFC, the user can also use the NFC capability directly by tapping the token to the back of its mobile device.

How do I set up a FIDO2 token?

The Thales FIDO2 token is ready to use and requires no software or driver installation. You can set up your FIDO2 token by registering it to an online service. Set-up instructions may differ from one service provider to another, so follow the instructions displayed on the user interface. Generally, the service provider asks you to define your login name, a PIN code and put a name to the registered FIDO2 Token. Alternatively, you can use SafeNet FIDO Key Manager to set up and change the PIN of your Thales FIDO2 Token.

To learn more about this topic consult our dedicated section

Are FIDO2 tokens compatible with all online services?

FIDO2 tokens are compatible with all online services that support the FIDO2 standard.

What are the benefits of using FIDO2 passkeys over traditional passwords?

There are different benefits of using FIDO2 passkeys over traditional passwords:

  1. Security: unique login credentials across every website which are never stored on a server, eliminating the risk of phishing and other forms of attacks.
  2. User experience: user login with simple built-in methods on the device or by leveraging easy-to-use FIDO2 security keys.
  3. Privacy: unique keys for each internet site that cannot be used to track users across sites. Biometric data, when used, never leaves the user’s device.
  4. Scalability: enable FIDO2 through simple API calls supported across all leading browsers and platforms.

Is FIDO2 authentication phishing-resistant?

Based on cryptography, FIDO2 authentication is recognized by cybersecurity agencies around the world as one of the most secure authentication methods. A FIDO2 hardware token is resistant to phishing and Man-in-the Middle Attacks.

FIDO and CBA are the 2 authentication protocols recognized as phishing-resistant by cybersecurity regulation bodies.

What makes FIDO2 tokens phishing-resistant?

Based on asymmetric public key cryptography, the FIDO2 security key (USB token or smart card) prevents from phishing because each private key is bound to the domain of the service provider. If the domain is fake, the authentication fails. In addition, all private keys are stored locally and securely in the FIDO2 key which prevent form Man-In-The-Middle attacks.

Are FIDO2 tokens compliant with regulatory standards?

Yes, the FIDO2 tokens embrace the protection of personal data based on public key cryptography. FIDO2 meets the requirements of the US administration and the EU security agencies for strong MFA. Hardware FIDO security keys are evaluated AAL3 by NIST (Assurance Level 3 , the highest level of Assurance in Authentication according to NIST).

Get Started with Thales FIDO Keys

Get Samples

Consult FIDO Compatible Services

Read FAQs

Device Setup