FIDO (Fast Identity Online) is the umbrella term for the FIDO Alliance's newest set of specifications.
Passkeys, based on FIDO2 technology, enable users to authenticate quickly and securely to online services without using a password.
Passkeys and FIDO2 authentication are the industry's future-proof solution to the global password challenge and address all the concerns of traditional authentication by providing phishing-resistant authentication combined with an enhanced user experience in both desktop and mobile environments.
FIDO2 is a passwordless authentication method so users don’t need to remember their passwords. To facilitate user adoption, you can combine it with biometrics such as fingerprints.
Leveraging asymmetric public key cryptography, FIDO2 protects against phishing attacks because each private key is bound to a service domain. If the accessed service is fake, authentication fails.
A FIDO2 security key protects against man-in-the-middle (MiTM) attacks because each private key is stored securely in the hardware device.
Modern web applications support FIDO2. Cybersecurity agencies and analysts rank FIDO2 security keys as the “gold” technology to invest in (NIST, ENISA, CSA, Gartner...).
Various form factors such as smart cards and USB tokens, with a contactless option, allow users to authenticate from their mobile devices or from shared desktops.
Based on an open standard, FIDO2 simplifies system compatibility. It removes password-related help desk costs and lowers IT overheads (no separate infrastructure required).
Stolen or compromised credentials
Phishing
To reduce the risk of identity theft and security breaches when connecting to sensitive digital resources such as Windows sessions and web applications, Thales recommends that organizations enable passwordless, phishing-resistant Multi-Factor Authentication for their high-privileged users, frontline workers, and users in general, using passkeys bound to hardware security keys.
FIDO2 combined with PKI authentication offers future-ready solutions for vendors to implement passwordless authentication and safeguard access to cloud-based apps.
Thales multi-factor authentication devices use current and emerging protocols to support multiple applications at the same time. Use one security key that combines FIDO2, WebAuthn, U2F, and PKI to access both physical spaces and logical resources.
Thales controls the entire manufacturing cycle and develops its own FIDO crypto libraries, which reduces the risk of being compromised.
Thales supports numerous passwordless authentication journeys with a wide range of FIDO authenticators.
SafeNet eToken FIDO series
SafeNet IDPrime FIDO Bio Smart Card
Combining biometrics and NFC, the innovative SafeNet IDPrime FIDO Bio Smart Card allows end users to authenticate from multiple types of devices securely and easily, with just a fingerprint instead of a password.
SafeNet IDPrime FIDO Smart Cards series
SafeNet eToken Fusion Series
Thales offers organizations smart cards combining physical access with digital PKI/FIDO authentication. Converged Badge is an ideal solution for organizations that need to protect access to secure areas and sensitive digital resources. The costs of badge deployment and fleet management are significantly reduced, and adoption by employees is facilitated.
Thales FIDO enterprise features allow organizations to manage their FIDO keys securely and easily throughout their life cycle. They add an administration layer and configuration policies to help IT teams deploy, administer, and support the end user. Beyond the FIDO Alliance FIDO2.1 specifications, Thales FIDO enterprise features offer organizations:
Learn more about Thales FIDO enterprise features supported by SafeNet FIDO Key Manager and Versasec Credential Management System.
Thales and Microsoft partner to provide Microsoft 365 customers with FIDO and certificate-based authentication (CBA).
With Entra ID, Microsoft customers can use Thales X.509 certificate-based tokens, smart cards, and FIDO authenticators for all their identity protection needs.
All the Thales FIDO security keys (tokens or smart cards) are fully compatible and integrated with Microsoft Entra ID.
For more information about Thales FIDO2 Security Keys for Microsoft Environments, watch the Video Demo, read our Solution Brief and download the Installation Guide. Check our offer on Azure Marketplace.
Awarded 2024 Identity Trailblazer by Microsoft Security, Thales is the sole vendor offering USB-C and USB-A FIDO security keys with the Microsoft Security logo on one side. They are ideal for protecting cloud services and Windows logon.
It is a USB or smart card companion device that you can use to securely access sensitive online services without using a password. It uses the FIDO2 (Fast Identity Online) standard developed by the FIDO Alliance.
The FIDO (Fast Identity Online) protocol requires a “user gesture” (touch or tap the token) and/or a user verification (via a PIN or biometric) before the private key can be used to sign a response to an authentication challenge.
To access an online service, you just need to follow the instructions displayed on the user interface: when requested, plug the token into the USB port of your device, touch the sensor to confirm your presence, enter your PIN, and you are logged in. Alternatively, if you use a contactless biometric token such as the SafeNet FIDO Bio Smart Card, you just tap the card on your device while putting your finger on the biometric sensor and you are in!
In FIDO2, passkeys are password replacements that provide faster, more accessible, and more secure sign-ins to websites and apps. They are resistant to phishing and credential stuffing, and designed so that there are no shared secrets.
There are two types of passkeys: synced passkeys (can be exported via a cloud service to another device) and device-bound passkeys (stored in a single device and cannot be copied). FIDO2 security keys/tokens are device-bound passkeys.
Yes, FIDO2 tokens can be used with any mobile device, but depending on the connector of the token (USB-C or USB-A), the user may need to use an adaptor. If the token and the device are compatible with NFC, the user can also use the NFC capability directly by tapping the token to the back of their mobile device.
The Thales FIDO2 token is ready to use and requires no software or driver installation. You can set up your FIDO2 token by registering it with an online service. Set-up instructions may differ from one service provider to another, so follow the instructions displayed on the user interface. Generally, the service provider asks you to define your login name and a PIN code and to give a name to the registered FIDO2 token. Alternatively, you can use SafeNet FIDO Key Manager to set up and change the PIN of your Thales FIDO2 token.
FIDO2 tokens are compatible with all online services that support the FIDO2 standard.
You can look at our page of FIDO compatible services for more information.
There are different benefits of using FIDO2 passkeys over traditional passwords:
Based on cryptography, FIDO2 authentication is recognized by cybersecurity agencies around the world as one of the most secure authentication methods. A FIDO2 hardware token is resistant to phishing and man-in-the-middle attacks.
FIDO and CBA are the two authentication protocols recognized as phishing-resistant by cybersecurity regulation bodies such as NIST, ENISA, ANSSI and the Dutch cybersecurity agency NCSC (National Cybersecurity Center).
Based on asymmetric public key cryptography, the FIDO2 security key (USB token or smart card) protects against phishing because each private key is bound to the domain of the service provider. If the domain is fake, the authentication fails. In addition, all private keys are stored locally and securely in the FIDO2 key, which protects against man-in-the-middle attacks.
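The domain binding and the user gesture described above are what a service checks when it receives a FIDO2 login response. The following Python sketch is an added example, not Thales code: it runs the WebAuthn relying-party checks on the client data and authenticator data, with `RP_ID`, `ORIGIN`, and the sample data constructed for illustration. Signature verification with the stored public key is a further required step that needs a crypto library and is not shown.

```python
import base64, hashlib, hmac, json, struct

RP_ID = "login.example.com"           # constructed relying-party ID (assumption)
ORIGIN = "https://login.example.com"  # constructed expected origin (assumption)
FLAG_UP = 0x01  # user present: the touch/tap "user gesture"
FLAG_UV = 0x04  # user verified: PIN or biometric

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json, authenticator_data, expected_challenge,
                    require_uv=True):
    """Return the names of failed checks; an empty list means all passed.

    The caller must still verify the signature over
    authenticator_data || SHA-256(client_data_json) with the stored public key.
    """
    errors = []
    client = json.loads(client_data_json)
    if not isinstance(client, dict):
        return ["clientData"]
    if client.get("type") != "webauthn.get":
        errors.append("type")
    challenge = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(challenge, b64url(expected_challenge).encode()):
        errors.append("challenge")
    if client.get("origin") != ORIGIN:      # origin the browser actually saw
        errors.append("origin")
    if len(authenticator_data) < 37:        # rpIdHash(32) + flags(1) + counter(4)
        return errors + ["authenticatorData"]
    rp_hash, flags, _count = struct.unpack(">32sBI", authenticator_data[:37])
    if not hmac.compare_digest(rp_hash, hashlib.sha256(RP_ID.encode()).digest()):
        errors.append("rpIdHash")           # key was scoped to another domain
    if not flags & FLAG_UP:
        errors.append("userPresent")
    if require_uv and not flags & FLAG_UV:
        errors.append("userVerified")
    return errors

def make_sample(origin, rp_id, flags, challenge):
    """Constructed test data standing in for browser and authenticator output."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, 7)
    return client, auth

if __name__ == "__main__":
    nonce = b"\x01" * 32  # constructed challenge
    print(check_assertion(*make_sample(ORIGIN, RP_ID, 0x05, nonce), nonce))
```

A response produced on a lookalike domain fails both the `origin` and `rpIdHash` checks, and a response without PIN or biometric verification fails `userVerified` when the service requires it.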
Yes, the FIDO2 tokens embrace the protection of personal data based on public key cryptography. FIDO2 meets the requirements of the US administration and the EU security agencies for strong MFA. Hardware FIDO security keys are evaluated AAL3 by NIST (Assurance Level 3, the highest level of assurance in authentication according to NIST).