FIDO WebAuthn Authentication Standard

Global

2019

Cybersecurity

Overview

The FIDO WebAuthn standard, finalized by the World Wide Web Consortium (W3C) in 2019, provides a global framework for passwordless, phishing-resistant authentication using public-key cryptography. Developed in collaboration with the FIDO (Fast IDentity Online) Alliance, it is part of the broader FIDO2 specification and works alongside the Client to Authenticator Protocol (CTAP).

WebAuthn enables users to authenticate using biometrics, security keys, or device-based authenticators, offering strong protection against credential theft. Credentials are unique per service, and the private key is never stored on central servers; the service holds only the corresponding public key. The standard is supported across all major browsers and platforms, making it applicable to banks, healthcare providers, government agencies, consumer platforms, and enterprise applications that require secure user verification.

Key Obligations

  • Implement WebAuthn for secure, passwordless login where applicable
  • Ensure compatibility with platform and roaming authenticators
  • Use public-key cryptography to prevent credential reuse and phishing
  • Adopt CTAP standards when integrating with hardware authenticators
  • Align authentication strategies with regulatory expectations from NIST, ENISA, and other authorities

FAQ

Is NIST SP 800-63 legally required for private companies?

No. It is required for U.S. federal agencies but widely adopted by private entities as a best-practice framework.

What do IAL, AAL, and FAL stand for?

They stand for Identity Assurance Level, Authenticator Assurance Level, and Federation Assurance Level, used to assess identity system strength.

Who enforces compliance with NIST 800-63 for federal agencies?

The Office of Management and Budget (OMB) enforces it under memorandum M-19-17.

What types of businesses should follow NIST SP 800-63?

Financial institutions, healthcare providers, government contractors, and identity tech vendors often follow the standard to align with federal practices.