FIDO — from FIDO 1.0 to passkeys.
The path from FIDO Universal Second Factor to phishing-resistant, hardware-bound, multi-device passkeys — with the standards milestones, deployment shifts, and ecosystem turning points along the way.
FIDO Alliance formed
PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio found the FIDO Alliance to standardise a passwordless second factor.
FIDO 1.0 published (UAF + U2F)
Universal Authentication Framework and Universal Second Factor specifications released. U2F adopted by Google for Gmail; second-factor hardware keys begin to ship.
Google U2F Security Key rollout
Google publishes results showing U2F eliminates phishing of Google accounts among its workforce.
FIDO2 / WebAuthn Level 1 (W3C Candidate Recommendation)
WebAuthn becomes a Web standard; CTAP2.0 defines the client-to-authenticator protocol. The "FIDO2" brand replaces UAF + U2F.
WebAuthn Level 1 becomes a W3C Recommendation
Major browsers (Chrome, Edge, Firefox, Safari) ship platform support. Hardware keys with FIDO2 attestation become the gold standard for high-assurance enterprise MFA.
CTAP2.1 work begins; biometric authenticators arrive
On-card and on-device biometric verification (BIO-FIDO) starts shipping. PIN-protected resident credentials become viable for consumer-grade products.
WebAuthn Level 2 published
Algorithm agility, residentKey semantics, large-blob extension, and cleaner conditional-UI flows arrive. Foundation for the passkey UX layer.
Passkeys announced (Apple / Google / Microsoft)
Multi-device, synced FIDO credentials — the WWDC22 announcement marks the consumer pivot from hardware-only keys to platform-synced credentials.
CTAP2.1 finalised; FIDO MDS3 production
Discoverable credentials, cred-mgmt, and alwaysUv become first-class. The FIDO Metadata Service v3 BLOB becomes the canonical attestation-trust source.
WebAuthn Level 3 working draft
Cross-device authentication (CDA, hybrid transport), conditional mediation v2, and a signal API to remove orphaned credentials reach working-draft state.
Enterprise migration from password+OTP
Phishing-resistant MFA mandates (OMB M-22-09; NIST SP 800-63-4 draft AAL3 patterns) push enterprise IdPs to ship synced + hardware-key options side by side.
Hardware-bound + synced converge
Validation servers begin recording per-credential provenance (synced vs. attested-hardware-bound) so relying parties can apply policy. AmbiSecure validation server ships per-tenant policy on AAGUID + transport.
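The provenance check described above, as an added example (not AmbiSecure's or any project's own code): it reads the backup-eligibility (BE) and backup-state (BS) flags and the AAGUID from WebAuthn authenticatorData and applies a per-tenant policy. The policy shape, the sample AAGUID and the helper names are assumptions, and the constructed sample input omits the COSE public key.

```python
import hashlib
import struct
import uuid

# authenticatorData flag bits as defined by WebAuthn (BE/BS arrive with Level 3)
UP, UV, BE, BS, AT = 0x01, 0x04, 0x08, 0x10, 0x40

def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the 37-byte header and, when the AT flag is set, the AAGUID."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37-byte header")
    flags = auth_data[32]
    out = {"rp_id_hash": auth_data[:32], "flags": flags,
           "sign_count": struct.unpack(">I", auth_data[33:37])[0], "aaguid": None}
    if flags & AT:
        if len(auth_data) < 55:  # AAGUID (16) + credentialIdLength (2)
            raise ValueError("AT flag set but attested credential data truncated")
        out["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))
    return out

def provenance(flags: int) -> str:
    """Classify a credential from its BE and BS bits."""
    if flags & BS and not flags & BE:
        raise ValueError("BS set without BE is an invalid combination")
    if not flags & BE:
        return "device-bound"
    return "synced" if flags & BS else "sync-eligible"

def evaluate(auth_data: bytes, transports: list, policy: dict) -> tuple:
    """Return (allowed, reason, provenance) for a registration under a tenant policy."""
    ad = parse_auth_data(auth_data)
    prov = provenance(ad["flags"])
    if policy["require_uv"] and not ad["flags"] & UV:
        return False, "user verification required", prov
    if prov != "device-bound" and not policy["allow_synced"]:
        return False, "backup-eligible credential not permitted", prov
    if policy["aaguids"] and ad["aaguid"] not in policy["aaguids"]:
        return False, "AAGUID not on allow-list", prov
    if not set(transports) & policy["transports"]:
        return False, "no permitted transport", prov
    return True, "ok", prov

def build_auth_data(rp_id: str, flags: int, aaguid: str) -> bytes:
    cred_id = b"\x01" * 16  # constructed sample; COSE public key omitted
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 0)
            + uuid.UUID(aaguid).bytes + struct.pack(">H", len(cred_id)) + cred_id)

HW_AAGUID = "11111111-2222-3333-4444-555555555555"  # constructed, not a real model
STRICT = {"require_uv": True, "allow_synced": False,  # hypothetical tenant policy
          "aaguids": {HW_AAGUID}, "transports": {"usb", "nfc"}}
```

The AAGUID is only a trustworthy policy input after the attestation statement has been verified against a trust source such as the FIDO MDS BLOB, and transports are client-reported hints rather than authenticated data.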