FIDO2 (Fast Identity Online 2) is a set of specifications developed by the FIDO Alliance that enables passwordless login using public-key cryptography. Rather than entering a password, you authenticate with an authenticator: a dedicated security key (such as a USB dongle) or one built into your smartphone or laptop, which proves your identity to the service you're accessing.
How it works: When you register a FIDO2 key with a service, that service stores your public key. When you log in, the service sends a fresh random challenge; your authenticator signs it with its private key (which never leaves the device), and the service verifies the signature against the stored public key. The server never sees your private key, and there is no shared secret for it to leak.
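The challenge-response exchange above, written out as an added example that is not part of the original text and not a WebAuthn library: a simplified relying party (server), an authenticator that holds a P-256 private key, and the browser's role of stamping the page origin into the signed client data. The names (RelyingParty, Authenticator, Assert, Verify), the origin https://example.test and the credential ID are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// clientData is what the browser builds and the authenticator signs over.
// The Origin field is filled in by the browser, never by the web page.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url of the server's random challenge
	Origin    string `json:"origin"`
}

// storedCredential is all the server keeps: a public key and the last seen counter.
type storedCredential struct {
	pub     *ecdsa.PublicKey
	counter uint32
}

// RelyingParty models the server side (constructed example, not a real RP library).
type RelyingParty struct {
	Origin      string
	RPID        string
	credentials map[string]*storedCredential // credential ID -> public key
	pending     map[string][]byte            // user -> outstanding one-time challenge
}

func NewRelyingParty(origin, rpID string) *RelyingParty {
	return &RelyingParty{Origin: origin, RPID: rpID,
		credentials: map[string]*storedCredential{}, pending: map[string][]byte{}}
}

// Authenticator holds the private key; it is never exported.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Register: registration stores only the public key under a credential ID.
func (rp *RelyingParty) Register(credID string, a *Authenticator) {
	rp.credentials[credID] = &storedCredential{pub: &a.priv.PublicKey}
}

// NewChallenge issues 32 random bytes for one login attempt.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[user] = ch
	return ch, nil
}

// Assert plays browser + authenticator: the browser supplies the origin it is really on,
// and the authenticator signs SHA-256(authenticatorData || SHA-256(clientDataJSON)).
// authenticatorData here is rpIdHash (32 bytes) || flags (1 byte) || counter (4 bytes).
func (a *Authenticator) Assert(challenge []byte, browserOrigin, rpID string) (cdJSON, authData, sig []byte, err error) {
	cdJSON, err = json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: browserOrigin})
	if err != nil {
		return nil, nil, nil, err
	}
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], a.counter)
	authData = append(append(rpHash[:], 0x05), ctr[:]...) // flags 0x05: user present + verified
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return cdJSON, authData, sig, err
}

// Verify is the server's check: expected origin, the challenge it issued (used once),
// matching RP ID hash, increasing counter, and a valid signature under the stored key.
func (rp *RelyingParty) Verify(user, credID string, cdJSON, authData, sig []byte) error {
	cred, ok := rp.credentials[credID]
	if !ok {
		return errors.New("unknown credential")
	}
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return errors.New("malformed clientData")
	}
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch") // a lookalike site's assertion stops here
	}
	want, ok := rp.pending[user]
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if !ok || err != nil || !bytes.Equal(want, got) {
		return errors.New("challenge mismatch or replay")
	}
	delete(rp.pending, user) // challenge is single-use
	rpHash := sha256.Sum256([]byte(rp.RPID))
	if len(authData) != 37 || !bytes.Equal(authData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	counter := binary.BigEndian.Uint32(authData[33:])
	if counter <= cred.counter {
		return errors.New("signature counter did not increase")
	}
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(cred.pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	cred.counter = counter
	return nil
}
```

The order of checks in Verify is the point: origin and challenge are validated before the signature is even examined, the challenge is deleted so the same assertion cannot be submitted twice, and the counter gives the server a cheap signal that a credential may have been cloned.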
Why this matters: Passwords are vulnerable to phishing, brute-force attacks, and data breaches. FIDO2 removes these risks because the website's origin is bound into what gets signed, so the authenticator's response is only valid for the genuine website you're trying to access, not for a phishing lookalike. Your private key stays on your device and cannot be stolen remotely.
Common gotchas: You need a compatible device or security key (most modern smartphones and laptops support built-in authenticators). If you lose your only FIDO2 key, you may be locked out unless you've registered backup keys. Not all services support FIDO2 yet, though adoption is growing rapidly among banks, email providers, and social media platforms.
For better security, many services let you register multiple FIDO2 keys, so you can use one as a backup. Some keys also cost money, though smartphone-based options are often free.
