Where Your AmbiSecure FIDO Key Works
A practical, vendor-neutral overview of the platforms and services that accept FIDO2 / WebAuthn today. The list is large enough that "what works with my key" is the wrong question; "what doesn’t work yet" is the more useful one.
Your AmbiSecure FIDO authenticator implements FIDO2 / WebAuthn. That means it works with any service that supports WebAuthn, which by 2026 is most of the consumer and enterprise SaaS landscape. The summary below is a snapshot to orient new deployments; treat the vendor docs as authoritative.
Major platforms
- Google — Google Account sign-in, Workspace, Google Cloud admin. Full FIDO2 + passkey support.
- Microsoft — Microsoft personal account, Microsoft Entra ID (Azure AD), Windows Hello platform authenticator, Microsoft 365 admin. Full FIDO2 support; passkey rollout in progress.
- Apple — Apple ID, iCloud, sign-in across the Apple ecosystem. Passkey-first; hardware security keys (FIDO2) accepted for AAL3 use cases.
- GitHub — GitHub.com and GitHub Enterprise. FIDO2 + passkey support, including 2FA-required policy.
- Cloudflare — account and Zero Trust. FIDO2 support, mandatory for admin accounts on many plans.
- AWS — IAM Identity Center and root-account 2FA. FIDO2 support including security keys.
Identity providers
- Okta — FIDO2 / WebAuthn factor, including AAGUID-pinning policies on the higher-tier plans.
- Microsoft Entra ID — FIDO2 as Conditional Access factor, with AAGUID allow-list / block-list.
- Ping Identity — FIDO2 in PingID and PingOne.
- Auth0 — WebAuthn support across both passwordless and MFA flows.
- JumpCloud, OneLogin, Duo Security — FIDO2 supported.
Developer platforms & package managers
- npm — 2FA via FIDO2 / passkey.
- PyPI — 2FA via FIDO2 / passkey (mandatory for many maintainers).
- Docker Hub — FIDO2 for org-owner accounts.
- HashiCorp Cloud Platform — FIDO2.
- 1Password, Bitwarden, Dashlane — FIDO2 to unlock the vault and as a stored credential.
Financial services
Coverage is uneven; many banks support FIDO2 indirectly via their mobile-app push or in-app passkey. A growing minority of consumer banks support hardware security keys directly. Treat each institution individually.
Operating-system level
- Windows 11 — FIDO2 security keys can sign in to Windows; Windows Hello is itself a FIDO2 platform authenticator via TPM.
- macOS — FIDO2 USB and NFC keys via browser-mediated WebAuthn; passkeys synced via iCloud Keychain.
- iOS / Android — passkeys native; hardware FIDO2 keys via USB-C or NFC on supported devices.
- Linux (with PAM-U2F) — sudo / login via FIDO2 for system administrators.
Enterprise SaaS — sampling
Workday, Salesforce, ServiceNow, Atlassian Cloud, Notion, Slack, Zoom, Box, Dropbox, Asana — all support FIDO2 either natively or via SSO from a FIDO-capable IdP. The SSO route is the cleaner enterprise deployment: configure FIDO once at the IdP, and every SP inherits it.
Where FIDO2 doesn’t work yet
- Long-tail legacy enterprise applications without WebAuthn support. Solve with a FIDO Validation Server behind your SSO.
- Some industry-specific portals (specific government, healthcare, financial systems) still require SMS or TOTP.
- Air-gapped or specialised environments — FIDO works fine but deployment may need on-prem validation infrastructure.
Practical approach
- Identify your 10 most-used SaaS apps. Verify each supports FIDO2 (almost certainly yes).
- For SaaS that doesn’t support FIDO2 directly: route via SSO from a FIDO-capable IdP.
- For internal/legacy applications: deploy a FIDO Validation Server in front of the existing auth layer.
- Pin AAGUIDs on the IdP to enforce that only your issued authenticators register.
- Plan recovery (see Designing Secure Credential Lifecycle Management).
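The AAGUID pinning step above, as an added example (not AmbiSecure's or any IdP's own code): the registration-time check that reads the AAGUID out of the WebAuthn authenticator data and compares it with an allow-list. The allow-listed AAGUID, the sample authenticator data and the `attestation_verified` flag (standing in for full attestation-statement verification) are constructed assumptions.

```python
import hashlib
import struct
import uuid

FLAG_AT = 0x40  # flags bit: attested credential data present
# Constructed placeholder AAGUID; substitute the value published for your issued keys.
ALLOWED_AAGUIDS = {uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")}


def extract_aaguid(auth_data: bytes) -> uuid.UUID:
    """Return the AAGUID from WebAuthn registration authenticator data."""
    if len(auth_data) < 37:  # rpIdHash (32) + flags (1) + signCount (4)
        raise ValueError("authenticator data shorter than the 37-byte header")
    if not auth_data[32] & FLAG_AT:
        raise ValueError("AT flag clear: no attested credential data")
    if len(auth_data) < 55:  # + AAGUID (16) + credential ID length (2)
        raise ValueError("truncated attested credential data")
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    if len(auth_data) < 55 + cred_len:
        raise ValueError("credential ID length exceeds authenticator data")
    return uuid.UUID(bytes=auth_data[37:53])


def registration_allowed(auth_data: bytes, attestation_verified: bool) -> bool:
    """Accept a registration only from an allow-listed authenticator model."""
    # Without a verified attestation statement the AAGUID is self-asserted,
    # so pinning on it enforces nothing; fail closed.
    if not attestation_verified:
        return False
    try:
        return extract_aaguid(auth_data) in ALLOWED_AAGUIDS
    except ValueError:
        return False


def build_sample(aaguid: uuid.UUID, flags: int = 0x45) -> bytes:
    """Constructed authenticator data for the demo (dummy credential ID, no key)."""
    cred_id = b"\x01" * 16
    return (hashlib.sha256(b"example.com").digest() + bytes([flags])
            + struct.pack(">I", 0) + aaguid.bytes
            + struct.pack(">H", len(cred_id)) + cred_id)
```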