A standard for strong, passwordless authentication based on cryptographic keys.
FIDO2 is the phishing-resistant strong authentication standard developed by the FIDO Alliance and the W3C. It consists of two specifications: WebAuthn (the client-side browser API, a W3C standard) and CTAP2 (the Client-to-Authenticator Protocol, for external authenticators such as YubiKey or Touch ID). It removes the need for passwords by using public/private key pairs, with the private key stored in tamper-resistant hardware.
How it works:
(1) **Registration**: the user creates a new credential; the private key is generated inside the authenticator (a hardware secure element) and the public key is sent to the server together with an attestation. The server stores the public key associated with the user.
(2) **Authentication**: the server sends a random challenge; the authenticator signs it with the private key (after a user gesture: touching the button, a biometric check) and the server verifies the signature with the stored public key.
(3) **Origin binding**: the credential is bound to the relying party's origin (domain), so phishing fails because the credential will not be used on a fake domain (enforced by the browser).
(4) **No shared secrets**: the private key never leaves the authenticator, so there is no database of secrets to breach.
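The registration and authentication ceremony described above, as an added example that is not part of the original page or of any FIDO2 library: a self-contained Go simulation (standard library only) of an authenticator that holds a P-256 key, a server that issues a single-use challenge, and the checks a relying party performs on the returned assertion (challenge, origin, rpIdHash, and the signature over authData || SHA-256(clientDataJSON)). The relying party identity example.com, the look-alike origin example-login.com and the simplified clientData layout are constructed for this example; attestation verification at registration, the signature counter and the CTAP2 transport are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed relying party identity for this example (hypothetical values).
const rpID, rpOrigin = "example.com", "https://example.com"

// Assertion is what the client returns to the server after the user gesture.
type Assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON []byte // {"challenge": ..., "origin": ...}, written by the browser
	Signature      []byte
}

// Authenticator holds the private key, which never leaves this struct;
// NewAuthenticator is registration: a P-256 key pair generated inside it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err
}

// PublicKey is the only key material sent to the server (at registration).
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedDigest is SHA-256(authData || SHA-256(clientDataJSON)), the message
// ECDSA signs on the authenticator and verifies on the server.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Assert simulates browser + authenticator. The browser, not the web page, records the
// origin it is really on and derives the RP ID from it, so a look-alike domain changes
// both the origin and the rpIdHash inside the signed data.
func (a *Authenticator) Assert(challenge, origin string) (*Assertion, error) {
	cdJSON, _ := json.Marshal(map[string]string{"challenge": challenge, "origin": origin})
	rpHash := sha256.Sum256([]byte(strings.TrimPrefix(origin, "https://")))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: UP (key touched); counter 1
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cdJSON))
	return &Assertion{AuthData: authData, ClientDataJSON: cdJSON, Signature: sig}, err
}

// NewChallenge is the server's 32 random bytes, base64url-encoded as WebAuthn does;
// the server keeps it with the pending login and discards it after one use.
func NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG: refuse to issue a challenge
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Verify is the server side: the assertion must answer the outstanding challenge, come
// from the real origin (the anti-phishing check), be scoped to our RP ID and carry a
// valid signature under the public key stored at registration.
func Verify(pub *ecdsa.PublicKey, challenge string, a *Assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	want := sha256.Sum256([]byte(rpID))
	switch {
	case cd["challenge"] != challenge:
		return errors.New("challenge mismatch (stale or replayed assertion)")
	case cd["origin"] != rpOrigin:
		return errors.New("origin mismatch: " + cd["origin"])
	case len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(want[:]):
		return errors.New("rpIdHash mismatch")
	case !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature):
		return errors.New("bad signature")
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	auth := must(NewAuthenticator())
	pub := auth.PublicKey() // registration: the public key is all the server stores
	c1, c2 := NewChallenge(), NewChallenge()
	good := must(auth.Assert(c1, rpOrigin))
	bad := must(auth.Assert(c2, "https://example-login.com")) // look-alike origin
	fmt.Println("legitimate:", Verify(pub, c1, good))           // <nil>
	fmt.Println("phished:", Verify(pub, c2, bad))               // origin mismatch: https://example-login.com
	fmt.Println("replayed:", Verify(pub, NewChallenge(), good)) // challenge mismatch (stale or replayed assertion)
}
```

Run it with `go run .` to see the three verdicts. Two points carry over to a real deployment: the origin the server compares against comes from the clientDataJSON that the browser itself wrote and the authenticator signed over, so a phishing page cannot patch it after the fact without breaking the signature; and the challenge must be stored server-side per login and discarded after one verification, which is what turns the challenge check into replay protection. For production, a maintained WebAuthn library (the page lists several under Deployment) also handles attestation formats, COSE key parsing and the signature counter, all of which are omitted here.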
Supported authenticators:
(1) **Platform authenticators** (built in): Touch ID/Face ID (Apple), Windows Hello (Microsoft), Android biometrics, laptop fingerprint readers.
(2) **Roaming authenticators** (external, USB/NFC/Bluetooth): YubiKey 5, Google Titan, Feitian, Nitrokey, SoloKey.
(3) **Passkeys**: the passwordless evolution (since 2022), with credentials synced across devices (iCloud Keychain, Google Password Manager, 1Password, Dashlane, Bitwarden).
Strengths versus the alternatives:
(1) **vs passwords**: no phishing, no credential breaches, no brute force.
(2) **vs SMS OTP**: no SIM-swap risk, no SMS interception.
(3) **vs TOTP apps** (Google Authenticator): far harder to phish (no codes are typed); against adversary-in-the-middle kits (Evilginx), FIDO2 is phishing-proof while TOTP is not.
(4) **vs push notifications**: no MFA fatigue.
Adoption:
(1) **Big Tech**: Apple, Google and Microsoft committed to passkeys from 2022.
(2) **Browsers**: Chrome, Safari, Edge and Firefox support WebAuthn.
(3) **Enterprise**: Microsoft phishing-resistant MFA mandate, Google internal mandate, AWS enforcement for root accounts.
(4) **CISA and NIST SP 800-63B (AAL3)** recommend FIDO2.
Deployment:
(1) **Self-hosted** via WebAuthn libraries (SimpleWebAuthn, Hanko, Passlock).
(2) **IdP-managed**: Okta, Auth0, Microsoft Entra ID and Google Workspace support passkeys and security keys natively.
Skills: SC-300, AZ-500, Security+, CISSP.