Introduction

As phishing attacks and credential breaches continue to threaten digital infrastructure, more organizations are turning to FIDO2 authentication using security keys to enhance login security. Unlike traditional methods that rely on shared secrets (e.g., passwords or OTPs), FIDO2 uses public key cryptography with hardware-backed credentials to provide strong, phishing-resistant authentication.

This post guides you through implementing FIDO2 authentication using hardware security keys in enterprise applications. We’ll explore the underlying concepts, implementation techniques, and integration strategies with identity providers like ForgeRock and Azure AD.

What Are FIDO2 Security Keys?

A security key is a physical device (USB, NFC, Bluetooth) that acts as a cryptographic authenticator for verifying identity. Popular models include YubiKey, Feitian, and SoloKey. These devices comply with the FIDO2 standard, which consists of:

  • WebAuthn (Web Authentication API) — The client-side API exposed in browsers.
  • CTAP2 (Client to Authenticator Protocol) — The protocol used to communicate with external authenticators.

FIDO2 ensures that private keys never leave the device, and authentication is performed only upon a user gesture like touching the device—providing excellent protection against phishing and replay attacks.

FIDO2 Authentication Workflow (with Security Keys)

Here’s a high-level flow of FIDO2 authentication using a hardware security key:


\[ User ] ---> Initiates Login/Register
|
v
\[ Browser ] <---\[WebAuthn API]---> \[Security Key (CTAP2)]
|
v
\[ Application Server ] <--- Sends Challenge & Verifies Assertion
|
v
\[ Identity Provider / DB ] --- Stores/Retrieves Credential Data

This zero-knowledge model ensures credentials are domain-specific, cryptographically signed, and bound to user-controlled hardware.

Implementing Security Key Registration (WebAuthn)

Step 1: Create Registration Challenge

The server generates a PublicKeyCredentialCreationOptions structure and sends it to the browser.

Node.js example:

const options = generateRegistrationOptions({
  rpName: "Example Enterprise",
  userID: user.id,
  userName: user.email,
  attestationType: "none",
});
res.json(options);

Step 2: Call WebAuthn API in Browser

const credential = await navigator.credentials.create({ publicKey: options });
await fetch('/register/verify', {
  method: 'POST',
  body: JSON.stringify(credential),
});

Step 3: Verify and Store Credential

const { verified, registrationInfo } = verifyRegistrationResponse({
  credential: clientData,
  expectedChallenge: challenge,
  expectedOrigin: "https://your-enterprise.com",
});
if (verified) storeCredential(user.id, registrationInfo);

Implementing FIDO2 Login

The process is similar to registration but uses navigator.credentials.get().

Server Sends Authentication Challenge

const options = generateAuthenticationOptions({
  allowCredentials: getUserCredentialIDs(user.id),
});
res.json(options);

Client Signs with Security Key

const assertion = await navigator.credentials.get({ publicKey: options });
await fetch('/login/verify', {
  method: 'POST',
  body: JSON.stringify(assertion),
});

Server Verifies Assertion

const result = verifyAuthenticationResponse({
  credential: assertion,
  expectedChallenge: challenge,
  expectedOrigin: "https://your-enterprise.com",
  expectedRPID: "your-enterprise.com",
});
if (result.verified) loginUser(user.id);

Integrating with Enterprise Identity Providers

ForgeRock Identity Cloud

ForgeRock supports WebAuthn via configurable authentication trees:

  1. Add WebAuthn Registration Node and Authentication Node in your journey.
  2. Enable "cross-platform" authenticators (for security keys).
  3. Assign authentication trees to specific users or journeys (e.g., contractors or admins).
  4. Use the platform’s scripting support to customize credential storage or recovery fallback.

Azure AD + Conditional Access

Microsoft Entra ID (formerly Azure AD) supports FIDO2 security key sign-in:

  • Admins can enable key-based login for hybrid or cloud-only users.
  • Devices like YubiKey can be registered in MySecurityInfo.
  • Conditional Access policies can enforce key use for high-risk apps.

Advantages of Security Key-Based Authentication

  • Phishing-resistant: Authentication requires physical presence.
  • No shared secrets: No passwords stored or sent across the wire.
  • Fast and seamless UX: Login is typically one tap or button press.
  • Enterprise ready: Supported by major IdPs and SSO platforms.

Security Considerations

  • Enforce backup methods or multiple security keys per user.
  • Use origin checks and TLS to prevent man-in-the-middle attacks.
  • Plan for key recovery processes (e.g., re-enrollment, backup MFA).

Conclusion

Security keys with FIDO2 support offer an unparalleled level of protection against modern identity attacks. By implementing WebAuthn in your application and integrating with IdPs like ForgeRock or Azure AD, you can build scalable passwordless login experiences for your workforce, partners, or customers.

Whether you’re in finance, healthcare, or government—hardware-backed authentication is the gold standard.

Additional Resources