FIDO2
security
Full Name: Fast Identity Online 2.0
Definition
FIDO2 is an open authentication standard consisting of the W3C Web Authentication (WebAuthn) specification and the FIDO Alliance Client to Authenticator Protocol (CTAP). Together, these specifications enable passwordless authentication where users prove their identity using cryptographic key pairs stored on their devices, unlocked through biometrics (fingerprint, face recognition) or PINs. FIDO2 eliminates the security weaknesses of passwords -- phishing, credential stuffing, and password reuse -- by ensuring that authentication credentials never leave the user's device. The EUDI Wallet shares this architectural philosophy: like FIDO2, wallet credentials are device-bound, require local user authentication, and use public key cryptography to prove identity without transmitting secrets.
FIDO2 Architecture: WebAuthn and CTAP
FIDO2 consists of two complementary specifications that work together to enable passwordless authentication:
- Web Authentication (WebAuthn): A W3C standard defining how web applications interact with authenticators through the browser. WebAuthn provides the JavaScript API that websites use to request credential creation and assertion. It handles the communication between the relying party (website), the browser, and the authenticator, including origin binding that prevents phishing.
- Client to Authenticator Protocol (CTAP): A FIDO Alliance protocol defining how the browser communicates with external authenticators (USB security keys, NFC tokens) or platform authenticators (built-in secure elements). CTAP2 supports PIN and biometric user verification on the authenticator device.
Together, these create a complete authentication flow: the user visits a website, the website requests authentication via WebAuthn, the browser communicates with the authenticator via CTAP, the user verifies their identity (biometric/PIN), the authenticator signs a challenge, and the website verifies the signature. No passwords, no shared secrets, no phishing risk.
Shared Security Principles Between FIDO2 and EUDI Wallets
The EUDI Wallet and FIDO2 share fundamental security architecture principles, even though they serve different purposes:
Device-bound credentials: Both FIDO2 and EUDI Wallets bind cryptographic credentials to specific hardware. FIDO2 stores authentication private keys in the device's platform authenticator or in a security key. EUDI Wallets store credential-binding keys in the device's secure element. In both cases, the private key never leaves the hardware.
Local user verification: Both require the user to authenticate locally (biometric or PIN) before any credential operation. The server never sees the biometric data -- verification happens entirely on the device, and only the cryptographic result is transmitted.
Public key cryptography: Both use asymmetric key pairs where the verifier needs only the public key. This means server-side breaches do not compromise user credentials, and credentials cannot be phished because the private key is never transmitted. The EUDI Wallet extends this model by adding verifiable credentials with selective disclosure on top of the base public key authentication.
FIDO2 as an Authentication Layer for EUDI Wallet Services
While the EUDI Wallet uses its own credential presentation protocol (OpenID4VP), FIDO2 plays a role in the broader wallet ecosystem in several ways:
Wallet app authentication: Users may authenticate to the wallet application using FIDO2/passkey-based login rather than passwords. This protects the wallet management interface (where users view credentials, manage settings, initiate backup) with phishing-resistant authentication.
Wallet provider account recovery: FIDO2 security keys provide a secure recovery mechanism when a user loses their primary device. A pre-registered security key can authenticate the user to their wallet provider, enabling credential re-issuance to a new device.
Relying party authentication: Websites and apps that accept EUDI Wallet credentials may also offer FIDO2/passkey login as an alternative or supplementary authentication method. As the EUDI ecosystem matures, integration between wallet credentials and FIDO2 passkeys may provide users with a unified, passwordless authentication experience across both identity verification and account login scenarios.