Ambimat Group · Ahmedabad · India · Est. 1981
Technology

FIDO & WebAuthn — phishing-resistant by construction.

FIDO replaces shared-secret passwords with public-key cryptography scoped to the relying party's domain (the RP ID): the browser only runs a ceremony for a credential from a page whose origin matches that RP ID, so a look-alike domain cannot obtain a usable signature. The private key lives on the authenticator (smart card, USB key, platform TPM); the server stores only the public key and never sees a secret, so a server breach yields nothing an attacker can replay. We ship hardware authenticators, write FIDO applets, and run the validation server backend.

Two specs working together

  • WebAuthn — the W3C JavaScript API the browser exposes to your relying-party page (navigator.credentials.create() and .get()).
  • CTAP2 — the Client-To-Authenticator Protocol the browser uses to talk to the actual hardware over USB-HID, NFC, or BLE.

On the server side you implement a relying party: it issues a fresh random challenge for every registration or login ceremony, then verifies that the returned clientData carries that challenge and the expected origin, that the authenticator data names the expected RP ID, and that the signature checks out against the stored public key. Our FIDO Validation Server is one such implementation.
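The login (assertion) ceremony such a relying party runs, as an added example in Go that is not the code of Ambimat's FIDO Validation Server: a software stand-in for the authenticator signs authenticatorData || SHA-256(clientDataJSON) with an ES256 key, and the relying-party side checks ceremony type, challenge, origin, rpIdHash, the UP/UV flags, the signature counter and the signature. The RP ID login.example.com, its origin and the look-alike phishing domain are invented for the example, and the authenticator is simulated (a real CTAP2 key would hold no credential for the phishing domain and would not sign at all).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

const flagUP, flagUV byte = 0x01, 0x04 // authenticatorData flag bits: user present, user verified
// clientData is the CollectedClientData the browser builds; the RP checks it, the authenticator signs its hash.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, unpadded
	Origin    string `json:"origin"`
}
// assertion is the part of an AuthenticatorAssertionResponse the RP verifies.
type assertion struct{ ClientDataJSON, AuthenticatorData, Signature []byte }
// storedCredential is the RP's record for one registered ES256 public key.
type storedCredential struct {
	PublicKey *ecdsa.PublicKey
	SignCount uint32
}

// getAssertion stands in for a CTAP2 device. Like a real one it only ever receives the
// clientData hash, never the JSON or the origin, and signs authData || clientDataHash.
func getAssertion(priv *ecdsa.PrivateKey, rpID string, flags byte, count uint32, cdHash [32]byte) (authData, sig []byte, err error) {
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData = make([]byte, 37) // rpIdHash(32) | flags(1) | signCount(4)
	copy(authData, rpIDHash[:])
	authData[32] = flags
	binary.BigEndian.PutUint32(authData[33:], count)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return authData, sig, err
}

// verifyAssertion performs the WebAuthn §7.2 checks that give phishing resistance:
// ceremony type, challenge, origin, rpIdHash, flags, signature counter, signature.
func verifyAssertion(cred *storedCredential, a assertion, challenge []byte, origin, rpID string, requireUV bool) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if cd.Type != "webauthn.get" || err != nil || !bytes.Equal(got, challenge) {
		return errors.New("ceremony type or challenge mismatch")
	}
	if cd.Origin != origin { // the browser records the page's real origin here
		return errors.New("origin mismatch: " + cd.Origin)
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], rpIDHash[:]) {
		return errors.New("authenticatorData too short or rpIdHash mismatch")
	}
	flags := a.AuthenticatorData[32]
	if flags&flagUP == 0 || (requireUV && flags&flagUV == 0) {
		return errors.New("required UP/UV flags not set")
	}
	count := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if (count != 0 || cred.SignCount != 0) && count <= cred.SignCount {
		return errors.New("signature counter did not increase: replay or cloned authenticator")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(cred.PublicKey, msg[:], a.Signature) {
		return errors.New("bad signature")
	}
	cred.SignCount = count
	return nil
}

// demo runs three ceremonies against one registered key: a legitimate login, a replay
// of that same assertion, and a login relayed through a look-alike phishing origin.
func demo() (legit, replay, phish error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cred := &storedCredential{PublicKey: &priv.PublicKey}
	const rpID, origin = "login.example.com", "https://login.example.com"
	challenge := make([]byte, 32) // fresh per ceremony; a real RP also consumes it once
	_, _ = rand.Read(challenge)
	chal := base64.RawURLEncoding.EncodeToString(challenge)
	cdj, _ := json.Marshal(clientData{"webauthn.get", chal, origin})
	ad, sig, _ := getAssertion(priv, rpID, flagUP|flagUV, 1, sha256.Sum256(cdj))
	a := assertion{cdj, ad, sig}
	legit = verifyAssertion(cred, a, challenge, origin, rpID, true)
	replay = verifyAssertion(cred, a, challenge, origin, rpID, true) // counter no longer increases
	// A phishing page on login-example.com runs the same ceremony, but the browser writes its real
	// origin into clientData and derives rpId from it (the simulated key signs anyway; a real one would not).
	pcd, _ := json.Marshal(clientData{"webauthn.get", chal, "https://login-example.com"})
	pad, psig, _ := getAssertion(priv, "login-example.com", flagUP|flagUV, 2, sha256.Sum256(pcd))
	phish = verifyAssertion(cred, assertion{pcd, pad, psig}, challenge, origin, rpID, true)
	return
}

func main() { fmt.Println(demo()) }
```

Running it prints a nil error for the legitimate login and a rejection for the other two. The order of checks matters in practice: the cheap clientData checks (type, challenge, origin) run before any hashing or signature work, and the counter is updated only after the signature verifies, so a forged response cannot advance the stored count.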

The trust chain in five layers

  • PRIVATE KEY: Authenticator (USB key, smart card, platform TPM)
  • TRANSPORT: CTAP2 over USB-HID, NFC, or BLE
  • CLIENT: Browser / platform exposing WebAuthn
  • VERIFY: Your application + Relying Party server
  • CONSUME: User identity (username / federation)

Resident vs non-resident credentials

A non-resident (server-side) credential is not stored on the authenticator at all: the authenticator wraps the private key, or the material it re-derives it from, into the credentialId, and the server keeps that credentialId next to the public key. At login the server must send the credentialId back in allowCredentials, so the user first has to identify themselves (a username) before the authenticator can unwrap the key. A resident (discoverable) credential lives on the authenticator together with a user handle, so navigator.credentials.get() can be called with an empty allowCredentials list and the authenticator returns the user handle itself. That gives the smoothest UX: username-less, passwordless; you tap or insert and you are in. Resident storage is finite, so the slot count is a hard limit: the OnePass Card stores up to 25 resident credentials.

Attestation and AAGUIDs

An authenticator can prove what it is via an attestation statement: the registration response is signed with an attestation key whose certificate chains up to the manufacturer's root. Each model carries a 16-byte AAGUID in the authenticator data, and the FIDO Metadata Service (MDS) publishes the attestation root certificates and certification status for each AAGUID. Consumer apps usually skip attestation (attestation: 'none' in the creation options, under which the browser may strip the statement and zero the AAGUID); enterprise apps that require certified hardware request attestation: 'direct', validate the certificate chain against the MDS entry, and only then enforce an AAGUID allow-list. Without a verified attestation the AAGUID is just an unauthenticated field in the response and must not drive policy.
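A parser for the authenticatorData returned at registration, plus the allow-list policy described above, as an added Go example that is not the page's or Ambimat's code. The AAGUID, credentialId and COSE key bytes are constructed placeholders (the AAGUID is hypothetical, not a real product's), and verification of the attestation certificate chain against the FIDO Metadata Service is represented by a boolean rather than implemented; the point is that the AAGUID is only enforced once that verification has succeeded.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const flagUP, flagUV, flagAT, flagED byte = 0x01, 0x04, 0x40, 0x80 // authenticatorData flag bits
// attestedCredential follows the 37-byte header when AT is set. The COSE public key
// is kept as raw CBOR; a real RP decodes it to obtain the signing key it will store.
type attestedCredential struct {
	AAGUID                [16]byte
	CredentialID, COSEKey []byte
}
type authData struct {
	RPIDHash  [32]byte
	Flags     byte
	SignCount uint32
	Cred      *attestedCredential // nil on assertions, set on registrations
}

// parseAuthData walks the WebAuthn §6.1 layout:
// rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | credIdLen(2) | credId | COSE key] | [extensions]
func parseAuthData(b []byte) (*authData, error) {
	if len(b) < 37 {
		return nil, errors.New("authenticatorData shorter than 37 bytes")
	}
	ad := &authData{Flags: b[32], SignCount: binary.BigEndian.Uint32(b[33:37])}
	copy(ad.RPIDHash[:], b[:32])
	rest := b[37:]
	if ad.Flags&flagAT != 0 {
		if len(rest) < 18 {
			return nil, errors.New("truncated attested credential data")
		}
		n := int(binary.BigEndian.Uint16(rest[16:18]))
		if len(rest) < 18+n {
			return nil, fmt.Errorf("credentialId length %d exceeds data", n)
		}
		// With ED also set, only a CBOR decoder can tell where the key ends and extensions begin.
		ad.Cred = &attestedCredential{CredentialID: rest[18 : 18+n], COSEKey: rest[18+n:]}
		copy(ad.Cred.AAGUID[:], rest[:16])
	}
	return ad, nil
}

// enforceAAGUID applies an enterprise allow-list. It refuses to decide on an AAGUID that
// no verified attestation covers: with attestation 'none' the field is unauthenticated,
// and the client may have zeroed it anyway.
func enforceAAGUID(ad *authData, attestationVerified bool, allow map[[16]byte]string) (string, error) {
	if ad.Cred == nil {
		return "", errors.New("no attested credential data")
	}
	if !attestationVerified {
		return "", errors.New("AAGUID unverified: attestation statement not checked against MDS")
	}
	if ad.Cred.AAGUID == ([16]byte{}) {
		return "", errors.New("zero AAGUID: client stripped attestation")
	}
	model, ok := allow[ad.Cred.AAGUID]
	if !ok {
		return "", fmt.Errorf("AAGUID %x not on allow-list", ad.Cred.AAGUID)
	}
	return model, nil
}

// buildAuthData assembles a registration-time blob (signCount 0) so the example runs
// offline. Every value is constructed here, not captured from a real device.
func buildAuthData(rpID string, flags byte, aaguid [16]byte, credID, coseKey []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	b := append(append([]byte{}, h[:]...), flags, 0, 0, 0, 0)
	b = append(append(b, aaguid[:]...), byte(len(credID)>>8), byte(len(credID)))
	return append(append(b, credID...), coseKey...)
}

// sampleAAGUID is a hypothetical identifier for this example only, not a real product's.
var sampleAAGUID = [16]byte{0xf1, 0xe2, 0xd3, 0xc4, 0xb5, 0xa6, 0x97, 0x88, 0xf1, 0xe2, 0xd3, 0xc4, 0xb5, 0xa6, 0x97, 0x88}

// demo registers a constructed credential and runs the policy three ways: attestation
// verified, attestation skipped, and a zeroed AAGUID.
func demo() (model string, verified, unverified, zeroed error) {
	allow := map[[16]byte]string{sampleAAGUID: "hypothetical certified key"}
	// CBOR shape of an ES256 COSE key with placeholder coordinates (not a valid point).
	cose := append([]byte{0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20}, bytes.Repeat([]byte{0x11}, 32)...)
	cose = append(append(cose, 0x22, 0x58, 0x20), bytes.Repeat([]byte{0x22}, 32)...)
	credID := bytes.Repeat([]byte{0xab}, 32)
	ad, err := parseAuthData(buildAuthData("login.example.com", flagUP|flagUV|flagAT, sampleAAGUID, credID, cose))
	if err != nil {
		return "", err, err, err
	}
	model, verified = enforceAAGUID(ad, true, allow)
	_, unverified = enforceAAGUID(ad, false, allow)
	ad0, _ := parseAuthData(buildAuthData("login.example.com", flagUP|flagUV|flagAT, [16]byte{}, credID, cose))
	_, zeroed = enforceAAGUID(ad0, true, allow)
	return
}

func main() { fmt.Println(demo()) }
```

The parser bounds-checks every length field before slicing, because authenticatorData arrives from the client and a bad credIdLen would otherwise panic the server. The policy function takes the attestation result as an input rather than computing it, which keeps the "verify chain against MDS, then enforce AAGUID" ordering explicit at the call site.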