What is FIDO2 and how does it work?

FIDO2 is an open authentication standard developed by the FIDO Alliance and the W3C. It enables passwordless login using public-key cryptography. When you register a FIDO2 security key with a website, a unique cryptographic key pair is generated. The private key stays on your device and never leaves it, while the public key is stored by the service. During login, the service sends a challenge that only your private key can sign, proving your identity without transmitting any secret.

What is the difference between FIDO2 and WebAuthn?

WebAuthn (Web Authentication) is the browser-side JavaScript API that is part of the broader FIDO2 standard. FIDO2 consists of two components: WebAuthn, which handles the communication between the browser and the relying party (website), and CTAP (Client to Authenticator Protocol), which handles communication between the browser and the authenticator device. When people say 'FIDO2 key' they mean a hardware device that supports both WebAuthn and CTAP.

What browsers support WebAuthn and FIDO2?

All major modern browsers support WebAuthn: Google Chrome (version 67+), Mozilla Firefox (version 60+), Microsoft Edge (version 18+), Apple Safari (version 13+), and Opera (version 54+). Mobile browsers on Android and iOS also support WebAuthn. You can use this testing tool to verify that your specific browser and security key combination works correctly.

What is a resident key (discoverable credential)?

A resident key, also known as a discoverable credential, is a FIDO2 credential stored directly on the authenticator device rather than on the server. This enables truly passwordless login — you do not even need to enter a username. The authenticator holds the credential and can present it when requested by the relying party. Not all FIDO2 keys support resident keys, and storage capacity varies by device. Use this tool's 'Register with Resident Key' option to test if your device supports this feature.

What are attestation types in FIDO2?

Attestation is how a FIDO2 authenticator proves its identity and origin to a relying party during registration. There are three attestation types: 'None' means the server does not request proof of the authenticator's identity. 'Indirect' means the server requests attestation data but allows the authenticator to anonymize it. 'Direct' means the server requests the authenticator's full attestation statement, which can include make and model information. Most consumer scenarios use 'None', while enterprise deployments often require 'Direct' to enforce device policies.

How do I test my FIDO2 security key?

To test your FIDO2 security key: 1) Enter any username in the field above. 2) Choose your preferred attestation type (start with 'None' for basic testing). 3) Select a user verification option. 4) Click 'Register' to create a test credential. 5) After successful registration, click 'Login' to verify authentication works. 6) If you registered with a resident key, try 'Resident Login' without entering a username. 7) If you have a Cryptnox FIDO2 card, use 'Check Authenticity' to verify your device is genuine.

Free FIDO2 & WebAuthn Testing Tool — Test Your Security Key

How to Use This FIDO2 Testing Tool

This free tool lets you test any FIDO2-certified security key or passkey directly in your browser using the WebAuthn API. No software installation is required — everything runs client-side. Here's how to get started:

Step 1: Register a Test Credential

Enter any username in the field above. This doesn't need to be a real account — it's purely for testing purposes. Choose your preferred configuration options (explained below), then click Register. Your browser will prompt you to interact with your security key — tap it, enter a PIN, or use biometrics depending on your device.

Step 2: Test Authentication

After successful registration, click Login to test the authentication flow. Enter the same username you registered with, then interact with your security key when prompted. A successful authentication confirms your key is working correctly with the WebAuthn protocol.

Step 3: Test Resident Key Login (Optional)

If you registered with the Resident Key option set to "Yes," you can test passwordless login by clicking Resident Login. This authenticates you without requiring a username — the credential is stored directly on your security key. This is the foundation of true passwordless authentication.

Step 4: Verify Cryptnox Device Authenticity

If you're using a Cryptnox FIDO2 security key card, click Check Authenticity to cryptographically verify that your card is a genuine Cryptnox device. This uses the card's embedded attestation certificate to confirm authenticity — no username required.

Understanding FIDO2 Configuration Options

Attestation Type

Attestation determines how much information your security key shares about itself during registration:

None: The server does not request any attestation data. Best for general-purpose testing and consumer scenarios where device identity verification isn't needed.
Indirect: The server requests attestation data, but the authenticator may anonymize it. This provides some device information without full disclosure.
Direct: The server requests the authenticator's full attestation statement, which can include the device manufacturer, model, and certification status. Used in enterprise environments that enforce device policies.

User Verification

User verification adds a second factor at the authenticator level — typically a PIN, fingerprint, or face recognition:

Discouraged: The authenticator should not perform user verification. Fastest option, but offers only single-factor (possession) security.
Preferred: The authenticator should perform user verification if capable, but authentication proceeds even if verification isn't available.
Required: The authenticator must perform user verification. Authentication fails if the device cannot verify the user (e.g., if no PIN is set).

Resident Key (Discoverable Credential)

A resident key is a FIDO2 credential stored directly on the authenticator rather than held by the server:

No: The credential is managed server-side. A username is required at login so the server can find the corresponding public key.
Yes: The credential is stored on the authenticator. This enables truly passwordless login — the user doesn't need to enter a username because the authenticator presents the credential automatically.

Not all authenticators support resident keys. Storage capacity varies — some FIDO2 keys can store 25+ resident credentials, while others support fewer. This tool lets you test whether your device supports resident key storage.

What Is FIDO2 and WebAuthn?

FIDO2 is an open authentication standard developed by the FIDO Alliance and the W3C that enables strong, passwordless authentication using public-key cryptography. It is composed of two complementary specifications:

WebAuthn (Web Authentication API): A W3C standard that defines the JavaScript API browsers use to communicate with relying parties (websites). WebAuthn handles the registration and authentication ceremonies between your browser and the service you're logging into.
CTAP (Client to Authenticator Protocol): A FIDO Alliance specification that defines how browsers communicate with external authenticators — such as USB security keys, NFC cards, or Bluetooth devices. CTAP2 is the current version, and it's what enables roaming authenticators like Cryptnox FIDO2 cards to work across devices.

Together, WebAuthn and CTAP2 form the complete FIDO2 framework. When a website supports FIDO2, you can register a hardware security key and then use it to log in without ever typing a password. The private key never leaves your authenticator, and each registration creates a unique key pair per service — eliminating the risks of password reuse, phishing, and credential theft.

FIDO2 vs. Passkeys

Passkeys are an evolution of FIDO2 that extend the technology to platform authenticators (built into phones, laptops, and operating systems) and enable cross-device synchronization. Traditional FIDO2 security keys store credentials on the physical device only — if you lose the key, the credential is gone. Passkeys can be synced across devices through cloud services like iCloud Keychain or Google Password Manager. Both passkeys and FIDO2 hardware keys use the same WebAuthn protocol, which is why you can test both with this tool.

Why Test Your FIDO2 Security Key?

Testing your FIDO2 security key is important for several reasons:

Verify compatibility: Confirm that your key works with your browser and operating system before relying on it for critical accounts.
Understand capabilities: Discover whether your key supports resident keys, user verification, and specific attestation types.
Troubleshoot issues: If authentication fails on a specific website, use this tool to isolate whether the problem is with your key, your browser, or the website's implementation.
Learn the protocol: Developers and IT administrators can experiment with different WebAuthn configuration options to understand how they affect the authentication flow.

Frequently Asked Questions

What FIDO2 security keys work with this tool?

This tool works with any FIDO2-certified authenticator that supports the WebAuthn protocol. This includes USB security keys (like YubiKey and Feitian), NFC security key cards (like Cryptnox FIDO2 cards), built-in platform authenticators (Windows Hello, Touch ID, Face ID), and passkeys synced through your operating system. If your browser supports WebAuthn, this tool will work with your authenticator.

Is this tool safe to use?

Yes. All cryptographic operations run entirely in your browser using the WebAuthn API. Your private keys never leave your authenticator device. Test credentials are generated for this demo server only and expire after 24 hours. No personal data is collected or stored beyond the temporary test session.

What browsers support WebAuthn?

WebAuthn is supported by all major modern browsers: Chrome (67+), Firefox (60+), Edge (18+), Safari (13+), and Opera (54+). Mobile browsers on Android (Chrome, Samsung Internet) and iOS (Safari 14+) also support WebAuthn. For the best testing experience, use the latest version of your browser.

Why did registration or login fail?

Common reasons for failure include: your browser doesn't support the selected options (try setting Attestation to "None" and User Verification to "Discouraged"); your security key doesn't support resident keys (try setting Resident Key to "No"); a timeout occurred because the key wasn't tapped in time; the security key requires a PIN that hasn't been set up yet; or the key requires NFC and your device doesn't have an NFC reader — in that case, consider the Cryptnox Contactless Reader.

What makes Cryptnox FIDO2 cards different?

Cryptnox FIDO2 security key cards are credit-card-sized NFC smart cards that fit in your wallet. Unlike USB dongles, they connect wirelessly via NFC — simply tap the card to your phone or NFC reader to authenticate. They are FIDO2 Level 1 certified, support resident keys, and include a built-in authenticity verification feature you can test with the "Check Authenticity" button above. Learn more about Cryptnox FIDO2 cards →

Test Your Cryptnox FIDO2 Security Key

Cryptnox manufactures NFC-based FIDO2 security key cards that combine the security of hardware authentication with the convenience of a credit-card form factor. Our FIDO2 cards support passwordless login, resident keys, and work with Microsoft 365, Google, GitHub, and any service that supports the FIDO2/WebAuthn standard.

Shop Cryptnox FIDO2 Security Key Cards →

Visit Cryptnox.com →

FIDO2 & WebAuthn Testing Tool

Login & Authentication Options