# Standards - FIDO2 Passwordless Authentication

## FIDO Standards

- **FIDO2 Specification**: https://fidoalliance.org/specifications/
- **WebAuthn Level 2**: W3C Web Authentication API
- **CTAP2**: Client to Authenticator Protocol 2.0

## NIST Standards

- **NIST SP 800-63B**: AAL3 - Hardware-based phishing-resistant authenticator
- **NIST SP 800-53 Rev 5**: IA-2(6), IA-2(8) Replay-resistant authentication
- **NIST SP 800-157**: PIV Derived Credentials

## CISA Guidance

- **Phishing-Resistant MFA**: Required for federal agencies under EO 14028
- **OMB M-22-09**: Federal zero trust strategy requiring phishing-resistant MFA

## Vendor Resources

- **Yubico FIDO2**: https://www.yubico.com/authentication-standards/fido2/
- **Microsoft Passkeys**: https://www.microsoft.com/en-us/security/business/security-101/what-is-fido2
- **Google Passkeys**: Android and Chrome WebAuthn support