FIDO2 (Fast IDentity Online)

FIDO2 is the open authentication standard from the FIDO Alliance, comprising WebAuthn (the W3C web API specification, which a site calls through the browser) and CTAP (the Client to Authenticator Protocol, which the browser or operating system uses to talk to a security key or platform authenticator; FIDO2 uses CTAP2, while CTAP1 is the older U2F protocol). It defines the architecture for phishing-resistant authentication using hardware security keys (YubiKey, Titan, Feitian) or platform-bound credentials (Apple Touch ID, Windows Hello, Android biometric), and it is the cryptographic standard underlying both hardware-key 2FA and the consumer-facing “passkeys” architecture.

What it means in practice

The structural property that distinguishes FIDO2 from password-plus-TOTP authentication is that the credential is bound to the service’s domain (the Relying Party ID): the key pair is scoped to that RP ID, the browser writes the page’s actual origin into the client data that the authenticator signs, and the service checks both before accepting a login. A phishing site at attacker-controlled-domain.com cannot relay a FIDO2 authentication intended for legitimate-bank.com: the browser refuses to invoke a credential for an RP ID that is not the page’s own domain, and even an assertion obtained some other way would carry the attacker’s origin under the signature, so the real service rejects it. This defeats the entire class of real-time phishing kits (Evilginx2, EvilProxy) that successfully proxy password-plus-TOTP logins by relaying the credentials to the real service as the user types them; a FIDO2 assertion is useless to the proxy. The hardware-key implementation (YubiKey 5 series, Titan, Feitian) is the strongest form: the private key is generated on and never leaves the device, the user must physically touch the key to authorize each assertion, and malware on the host cannot extract the credential (it can still ride an already-authenticated browser session, which is a separate problem FIDO2 does not address). The platform implementation (Touch ID, Windows Hello, Android biometric) provides the same origin binding, with the private key held in the platform’s secure hardware (Secure Enclave, TPM, StrongBox) or, for synced passkeys, also replicated through the vendor’s keychain sync.
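A worked model of the origin binding described above, added here as an illustration and not code from the page or from any FIDO2 implementation. One function plays the authenticator, one plays the browser’s RP ID rule, one plays the relying party’s verifier, and four ceremonies are run against the same registered key: a real login, a phishing page requesting the bank’s RP ID, an assertion relayed by a kit with the attacker’s origin in it, and the same relayed assertion with the origin rewritten. legitimate-bank.com, attacker-controlled-domain.com and the challenge string are placeholders; the RP ID rule is simplified (no public-suffix list), attestation, credential ID lookup and counter tracking are omitted, and the signature counter is fixed at 1.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// clientData: the browser writes this, the page cannot alter it, and its hash is under the signature.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party receives from navigator.credentials.get().
type assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	Signature      []byte // DER ECDSA/P-256 over authData || SHA-256(clientDataJSON)
}

const flagUserPresent = 0x01

// rpIDPermitted is the browser-side rule (simplified: no public-suffix list): the RP ID must be the page's host or a parent domain.
func rpIDPermitted(origin, rpID string) bool {
	u, err := url.Parse(origin)
	return err == nil && u.Scheme == "https" && (u.Hostname() == rpID || strings.HasSuffix(u.Hostname(), "."+rpID))
}

// signedPayload is the message the authenticator signs: authData || SHA-256(clientDataJSON).
func signedPayload(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// signAssertion is the authenticator alone: it signs whatever origin the client supplies, so rpIDPermitted must run first.
func signAssertion(priv *ecdsa.PrivateKey, origin, rpID, challenge string) *assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	auth := append(append([]byte{}, rpHash[:]...), flagUserPresent, 0, 0, 0, 1) // UP set, counter = 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedPayload(auth, cd))
	if err != nil {
		panic(err) // simulation only; a real authenticator reports a CTAP error
	}
	return &assertion{ClientDataJSON: cd, AuthData: auth, Signature: sig}
}

// verifyAssertion is the relying-party side, with the checks in the order a server runs them.
func verifyAssertion(pub *ecdsa.PublicKey, a *assertion, expectedOrigin, rpID, challenge string) error {
	var cd clientData
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("malformed client data, wrong ceremony type or stale challenge")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, expectedOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(rpHash[:]) {
		return fmt.Errorf("rpIdHash mismatch: credential is scoped to another relying party")
	}
	if a.AuthData[32]&flagUserPresent == 0 {
		return fmt.Errorf("user presence not asserted (no touch)")
	}
	if !ecdsa.VerifyASN1(pub, signedPayload(a.AuthData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("signature invalid")
	}
	return nil
}

// runScenarios registers one key and runs four ceremonies against it; a nil entry means accepted.
func runScenarios() map[string]error {
	const rpID, origin, nonce = "legitimate-bank.com", "https://legitimate-bank.com", "server-issued-challenge"
	const phishOrigin = "https://attacker-controlled-domain.com"
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration: key pair made on the authenticator
	pub, out := &priv.PublicKey, map[string]error{}
	out["legit"] = verifyAssertion(pub, signAssertion(priv, origin, rpID, nonce), origin, rpID, nonce)
	// 1. The phishing page asks for the bank's RP ID: the browser refuses before the key is even touched.
	if !rpIDPermitted(phishOrigin, rpID) {
		out["browser-refused"] = fmt.Errorf("browser refused rpId %q for origin %q", rpID, phishOrigin)
	}
	// 2. Even if a broken client signed anyway and the kit relayed the result, the signed origin is the attacker's.
	relayed := signAssertion(priv, phishOrigin, rpID, nonce)
	out["relayed"] = verifyAssertion(pub, relayed, origin, rpID, nonce)
	// 3. The kit rewrites the origin to the bank's before relaying: clientDataJSON is under the signature, so it fails there.
	relayed.ClientDataJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: nonce, Origin: origin})
	out["tampered"] = verifyAssertion(pub, relayed, origin, rpID, nonce)
	return out
}

func main() {
	fmt.Println(runScenarios())
}
```

Only the "legit" entry comes back nil. The order of checks in verifyAssertion matters in practice: the challenge check stops replay, the origin check is the phishing defence, and the signature check is what makes the first two trustworthy, since a proxy that could rewrite clientDataJSON without breaking the signature would defeat both.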

Where it shows up

Supported by: Google, Microsoft, Apple, GitHub, GitLab, AWS, Cloudflare, 1Password, Bitwarden, Proton, Twitter/X, Facebook, and dozens of other major services by 2026. The 2024-26 trend has been toward universal FIDO2 support across major consumer and enterprise services, with passkey adoption (the consumer-friendly name for a discoverable FIDO2 credential, usually held in the platform keystore) expanding rapidly. The high-target operator population has moved decisively to hardware-key FIDO2 for the keystone accounts (primary email, code repositories, financial, password manager); the broader user population is migrating through the passkey adoption curve. The Predaxia operational position: FIDO2 is the structural answer to credential phishing, the displacement of password-plus-TOTP is happening, and the hardware-key form remains the strongest tier for the small population that justifies the operational cost.

What you can change today

Three actions. First, buy a hardware key (a YubiKey 5 NFC for cross-platform desktop and mobile use, around $55) plus a backup key kept in a separate physical location, and set a FIDO2 PIN on each: passkey-style logins require user verification, and on a YubiKey 5 that means the PIN. Second, enroll FIDO2 hardware-key 2FA on the keystone accounts in priority order: primary email, password manager, code repositories, financial, social media that hosts your audience. Enroll both keys on every account at the same time, because a FIDO2 credential is generated on the key and cannot be copied to the backup later. Each enrollment takes 2-5 minutes, and the resulting account is structurally protected against credential phishing. Third, where the service supports passkeys, prefer passkey-via-hardware-key (a YubiKey 5 holds passkeys directly as resident credentials, subject to a per-key limit) over passkey-via-platform-keystore for the keystone accounts: the hardware key is portable across devices and does not depend on the platform-keystore vendor (Apple, Google, Microsoft) holding the credential.

Related articles