
The Top 11 FIDO Authentication Solutions

Explore the top authentication solutions which support the open-standard FIDO authentication protocols, looking at features and pricing.

The Top 11 FIDO Supported Authentication Providers include:
  • 1. Yubico YubiKey
  • 2. Thales SafeNet Trusted Access
  • 3. RSA SecurID
  • 4. Prove Auth
  • 5. Ping Identity PingOne For Workforce
  • 6. Okta Workforce Identity
  • 7. Microsoft Entra
  • 8. HID Crescendo Key Series
  • 9. Google Cloud
  • 10. Duo Security
  • 11. Apple Passkeys

FIDO is an open standard authentication technology which enables highly secure, passwordless and phishing resistant multi-factor authentication for users. From its conception in 2009, FIDO has been an open standard protocol, developed by an alliance of major technology leaders for use across different technologies, devices and operating systems. FIDO is now widely supported by Chrome, Windows, Firefox, iOS, macOS, and Android.

FIDO2 (often referred to by the name of its web API, WebAuthn) uses standard public key cryptography to remove the need for a password. When a user registers with an online service, the FIDO2 supported device creates a new key pair. The trusted device stores the private key locally, while the public key is registered with the online service.

When the user logs into the online service, the service sends a challenge and the local device asks the user to unlock the stored credential, such as by entering the device password, passing a biometric check, or using a hardware token. Once this is done, the device signs the challenge with the private key, the service verifies the signature against the registered public key, and the user can access their accounts or services.
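The registration and login flow described above, as an added example that is not part of the original article: a simplified Node.js model showing why a signed challenge bound to the site's origin resists replay and look-alike sites. The class names, origins and user name are assumptions made for the illustration, and the message format is a simplification, not the WebAuthn wire format.

```javascript
// Simplified model of FIDO2 registration and login (constructed example, not WebAuthn's real encoding).
const crypto = require('node:crypto');

// Authenticator: holds one private key per site origin; private keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); }

  // Registration: create a fresh key pair for this origin and hand back only the public key.
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' });
  }

  // Login: after local user verification (PIN or biometric, modelled as a boolean),
  // sign the service's challenge together with the origin the user is actually on.
  sign(origin, challenge, userVerified) {
    const privateKey = this.keys.get(origin);
    if (!userVerified || !privateKey) return null; // locked, or no credential for this origin
    const clientData = JSON.stringify({ origin, challenge: challenge.toString('hex') });
    return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), privateKey) };
  }
}

// Online service (relying party): stores public keys only and issues single-use challenges.
class RelyingParty {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map();
    this.pending = new Map();
  }

  enroll(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }

  // A fresh random challenge per login attempt.
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge.toString('hex'));
    return challenge;
  }

  // Accept only a valid signature over this service's origin and the pending challenge.
  verify(user, assertion) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // a challenge can be answered once
    const pem = this.publicKeys.get(user);
    if (!assertion || !expected || !pem) return false;
    let data;
    try { data = JSON.parse(assertion.clientData); } catch { return false; }
    if (data.origin !== this.origin || data.challenge !== expected) return false;
    return crypto.verify('sha256', Buffer.from(assertion.clientData), pem, assertion.signature);
  }
}

// Constructed scenario: one user, one service, and three attempts that must be rejected.
function demo() {
  const rp = new RelyingParty('https://login.example.test');
  const key = new Authenticator();
  rp.enroll('alice', key.register(rp.origin));
  const assertion = key.sign(rp.origin, rp.newChallenge('alice'), true);
  const genuine = rp.verify('alice', assertion);
  rp.newChallenge('alice'); // a later login attempt gets a new challenge
  const replayed = rp.verify('alice', assertion); // old assertion no longer matches
  const wrongOrigin = rp.verify('alice', key.sign('https://login.example-test.invalid', rp.newChallenge('alice'), true));
  const noUserVerification = rp.verify('alice', key.sign(rp.origin, rp.newChallenge('alice'), false));
  return { genuine, replayed, wrongOrigin, noUserVerification };
}

console.log(demo());
```

Only the first attempt is accepted: there is no shared secret for a look-alike site to collect, and a captured response is useless against the next challenge.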

Replacing passwords with FIDO-supported authentication profoundly improves security. It reduces the risk of account compromise by enforcing phishing resistant two-factor authentication, removing the use of weak passwords, and supporting the use of biometrics which make it extremely difficult for attackers to compromise your accounts.

As FIDO is an open standard, a range of identity and technology applications and devices have emerged which support FIDO authentication standards and integrations. Some are linked to specific operating systems and devices – such as Apple Passkeys and Windows Hello – while others are designed for enterprise use cases, such as Yubico’s YubiKey and Cisco’s Duo. Some of these platforms also support secure Single Sign-On (SSO). In this shortlist, we’ll look at the top FIDO supported authentication solutions, comparing features and pricing.

Yubico Logo

Yubico is a leading manufacturer of FIDO-enabled hardware tokens that enable secure authentication for devices, digital accounts, and services. These small, convenient devices use USB or NFC connections for highly secure authentication. Users can simply insert or tap their YubiKey device to authenticate their identity and access accounts and services. Yubico is widely supported by hundreds of applications and services.

Yubico YubiKey Features:

  • Secure, phishing resistant authentication methods with FIDO enabled hardware keys and passwordless software tokens
  • Simplified end-user experience with faster authentication process
  • Widely supported form factor with pre-built support for 1,000+ applications and services
  • Can be used to secure access to devices as well as digital accounts and services
  • Alongside FIDO, YubiKeys support multiple authentication protocols including Smart card, OTP, OpenPGP 3

How FIDO Works: Users simply enter their username and password, tap or insert their FIDO supported YubiKey, and will then be authenticated to the account, service or trusted device.

Yubico YubiKey Pricing: Pricing for the YubiKey series starts at $45 USD for a single device. Reseller and enterprise pricing can be requested from Yubico directly.

Expert Insights’ Comments: The YubiKey is a secure, convenient FIDO-supported authentication method. Yubico customers praise the devices for their simplicity and ease of use, enabling more secure, more seamless login processes. We recommend this service to enterprise organizations looking to implement secure authentication processes to protect against phishing attempts and multi-factor authentication bypass attacks.

Thales Logo

SafeNet Trusted Access is an identity and access management solution for enterprise organizations. It enables admins to configure granular risk-based access policies to ensure only authenticated users can access solutions and services, while enforcing secure MFA, with support for passwordless FIDO authentication. SafeNet Trusted Access supports a wide range of authentication methods and form factors – these include hardware tokens, software, OTPs, and pattern-based authentication.

SafeNet Trusted Access Features:

  • Passwordless FIDO authentication with wide support for multiple form factors, including Thales’ own hardware, YubiKeys, and Windows Hello
  • Granular access policies based on contextual risk, with robust reporting and admin controls
  • Supports integrations with hundreds of applications and all devices and operating systems
  • User self-provisioning to ensure smooth deployment; admins can easily disable, enable and manage linked FIDO authentication devices from their dashboard

How FIDO Works: Users are able to self-enrol and add FIDO supported authenticators by logging into the Thales system. Once added (and depending on access policies set by the organization) they can select a FIDO-enabled authentication method, such as Windows Hello or Thales’ own hardware keys, and add this to their supported authentication methods to enable secure passwordless account access.

Expert Insights’ Comments: SafeNet Trusted Access is a leading identity and access management provider, supporting a broad range of FIDO-enabled authentication processes including their own hardware tokens, or OS specific protocols such as Windows Hello. The ability to configure contextual access policies with SafeNet Trusted Access adds an extra layer of security on top of the FIDO standard to prevent enterprise account compromise. We recommend this solution for enterprise organizations.

RSA Logo

RSA Security is a globally leading authentication provider of identity governance and access management solutions for both cloud and on-premises deployments. SecurID is their portfolio of authentication solutions covering a broad range of methods including physical keys, digital tokens, push notifications, and passwordless authentication.

RSA SecurID Features:

  • Supports FIDO2 security keys for passwordless or second-factor authentication checks, and U2F keys for additional authentication
  • Secure single sign-on supporting a broad range of authentication options, including MFA, tokens, OTPs, and passwordless
  • Identity governance and lifecycle management for full visibility and compliance with granular access policies
  • Seamless, easy to use multi-factor authentication process for the end user
  • Ideal for large organizations, public sector, and government agencies looking to implement zero trust

How FIDO Works: SecurID supports FIDO2 certified keys and U2F-compliant security keys as an authentication option, including YubiKeys. FIDO2 can be used as a passwordless authentication option, or for a second factor of authentication with a username and password. U2F keys enable additional factors of authentication.

RSA SecurID Pricing: RSA SecurID pricing can be obtained by contacting SecurID directly.

Expert Insights’ Comments: RSA SecurID is a trusted authentication provider, offering a secure, easy to use FIDO-enabled authentication suite. Their broad range of hardware tokens and digital authentication options, with granular identity governance and compliance policies, mean this solution is a strong option for large enterprises, the public sector, and government agencies.

Prove Logo

Prove is a leading user authentication and identity verification provider that enables organizations to ensure secure consumer access to applications and services. Prove Auth is their passwordless, OTP-less authentication solution that enables secure, omni-channel access to web and mobile applications. The solution leverages Prove’s “Phone-Centric Identity” model to verify users’ identities based on data derived from their cell phones, enabling secure, frictionless authentication.

Prove Auth Features:

  • Secure, remote authentication via Prove’s FIDO2 web-based authentication, with the option to step-up authentication with push notifications or biometrics
  • “Phone-Centric Identity” model verifies users based on possession (the user must be physically holding the phone in real-time), reputation (the phone’s historical behavior must be low-risk), and ownership (the phone number must be operated by the user)
  • Cryptographic authentication model enables silent, out-of-band authentication in any channel

How FIDO Works: With Prove Auth, users can authenticate using FIDO2 web-based authentication, push notifications, or using on-device biometrics.

Expert Insights’ Comments: Prove Auth enables organizations to reduce friction in the authentication process, whilst increasing security by removing the risk of passwords and One-Time-Passcodes (OTPs). This robust authentication solution is well-suited to both SMBs and larger enterprises looking to enable secure, seamless authentication and mitigate the risk of account takeover and fraud.

Ping Identity Logo

Ping Identity is a digital identity security provider offering a portfolio of identity and access management and zero trust solutions, including FIDO-compliant authentication. Headquartered in Denver, Colorado, with offices around the globe, Ping Identity manages over three billion workforce and customer identities. In 2022, Ping Identity was acquired by Thoma Bravo.

Ping Identity PingOne For Workforce Features:

  • Secure, adaptive multi-factor authentication and single sign-on for workforce security
  • Centralized management and control with granular authentication policies and drag and drop workflows
  • Covers all enterprise applications and services including cloud, on-prem, and custom applications
  • Clear reporting and easy-to-manage administration dashboard
  • Supports a broad range of authentication methods and form factors

How FIDO Works: PingID supports FIDO2 biometrics and security keys for authentication, meaning users can use FIDO enabled biometric checks. Out of the box, this includes Windows Hello, Mac TouchID, dedicated FIDO security keys, and Android biometrics. API-based connections using custom UIs can also be configured.

Ping Identity PingOne For Workforce Pricing: PingOne for Workforce starts at $3 per user, per month, for centralized SSO, MFA, and directory services for SaaS applications. Plans that add enhanced adaptive MFA and passwordless authentication are available for $6 per user, per month. For Premium enterprise pricing, contact the PingOne sales team directly.

Expert Insights’ Comments: Ping Identity is a leading authentication provider. Their identity suite is comprehensive, with a granular feature set, broad integrations, and a simple, no code engine for managing user identities and access. We recommend Ping Identity for organizations of all sizes, particularly those in the financial services, retail, manufacturing, healthcare, and government sectors.

Okta Logo

Okta Workforce Identity is a market leading identity provider, offering a range of solutions designed to help organizations manage both workforce and consumer identities, including SSO, MFA, active directory, and identity governance. Okta are headquartered in San Francisco, CA, and currently manage identities for over 10,000 organizations, including Slack, T-Mobile, JetBlue, and Twilio.

Okta Workforce Identity Features:

  • Secure single sign-on with over 7,000 pre-built integrations in the Okta Integration Network
  • Adaptive, multi-factor authentication – with proactive security controls to block suspicious attempts
  • Lifecycle management and no-code workflow management
  • Comprehensive identity governance and administration with granular access policies and workflows

How FIDO Works: Okta’s FIDO2 authenticator enables users to authenticate using biometrics. There is support for both security keys, such as YubiKey, and device authentication methods such as Windows Hello, or Apple’s TouchID. Admins can choose whether to enable FIDO-supported authentication methods from the admin console.

Okta Workforce Identity Pricing: With Okta Workforce Identity, you can build your own plan, based on the features you require – for example SSO starts at $2 per user, per month, MFA starts at $3 per user, per month, and lifecycle management starts at $4 per user, per month. There are volume discounts available for Enterprise customers (over 5,000 users), and there is a minimum contract spend of $1,500.

Expert Insights’ Comments: Okta Workforce Identity is a leading identity management and governance platform, with a strong feature set, thousands of pre-built integrations, and a wide range of supported authentication methods. We’d recommend this solution to mid-sized and larger organizations, particularly for the public sector, financial services, retail, healthcare, and technology industries.

Microsoft Logo

Microsoft Entra encompasses Microsoft’s full suite of identity and access management solutions for enterprises. It includes Microsoft Azure Active Directory, Microsoft’s cloud-based directory service which is widely used for employee access management and user authentication. Entra is designed to protect access to all applications and services.

Microsoft Entra Features:

  • Protect access to applications and resources with permissions management and multi-factor authentication
  • Manage lifecycles and user privileges to enforce zero trust principles
  • Simple and convenient sign-in experience for users with multiple authentication methods supported
  • Secure identities for all employees, customers, partners, apps, devices, and workloads

How FIDO Works: Microsoft governs user authentication through Azure AD, which supports multiple authentication methods, including FIDO2 security keys for passwordless authentication. This includes Windows Hello, with biometrics credentials tied to the user’s PC, and third-party FIDO hardware such as YubiKeys. Users can register and select a FIDO2 security key when configuring their account sign-in preferences.

Microsoft Entra Pricing: Microsoft Entra pricing is dependent on specific products and Microsoft 365 licensing options. Pricing can be obtained by contacting Microsoft directly.

Expert Insights’ Comments: Microsoft’s Entra suite of identity and access management solutions is a strong choice for organizations looking to roll out FIDO-enabled multi-factor authentication for employees. It is particularly suited to those operating in the cloud-based Microsoft ecosystem with Microsoft 365 and Windows devices. Microsoft’s device biometrics, Windows Hello, can also be used as an authentication method with many of the other identity and access management solutions on this list.

HID Logo

HID is a global authentication provider, securing identities for millions of people all over the world. They work with governments, hospitals, universities, financial institutions, and large enterprises to deliver secure authentication processes and access management capabilities across a huge product portfolio. HID’s Crescendo key cards offer high assurance digital authentication and implement multiple authentication methods, including FIDO.

HID Crescendo Key Series Features: 

  • Seamless and secure access to networks, computers, and applications
  • Data encryption to ensure only authorized users can access sensitive information
  • Small and convenient hardware cards
  • Can be used stand-alone or alongside HID’s cloud-based Workforce ID credential manager solution or as an authentication method for HID MFA
  • Fully compliant, enabling compliance with GDPR, CCPA, HIPAA etc.
  • Unified cloud and on-premises authentication and lifecycle credential management system

How FIDO Works: The HID Crescendo Key Series offers FIDO2 and FIDO U2F enabled authentication for both passwordless authentication and an additional authentication process alongside the username and password. Form factors include smart cards, and security keys.

HID Crescendo Key Series Pricing: HID Crescendo Key Series pricing can be obtained by contacting HID’s sales team directly.

Expert Insights’ Comments: HID are a leading authentication provider, offering a huge range of authentication solutions to secure and manage access to workforce applications, networks, and devices. The Crescendo key series is a strong choice for organizations looking to implement compliant, FIDO-based authentication, with full lifecycle credential management provided by HID’s comprehensive identity management solution. We recommend this solution for the enterprise, banking, retail, education, government, healthcare, and manufacturing sectors.

Google Cloud logo

Google Cloud offers a range of identity and access management security features to help simplify and control access to applications and manage user identities as part of its BeyondCorp enterprise zero trust security suite. This includes using Android 7+ phones as secure FIDO2 keys, enabling seamless and secure user access.

Google Cloud Features:

  • Context-aware access and authentication security checks
  • FIDO2 keys built into Android 7+ phones to enable secure and seamless access for Android users
  • Single sign-on to thousands of applications and services
  • Identity management platform for managing access to your own applications and services 

How FIDO Works: FIDO2 security keys are built into all smartphones and devices running Google’s Android 7+ operating system, enabling phishing resistant authentication using biometrics or a PIN. Google also offers a FIDO security key: Titan.

Google Cloud Pricing: Contact Google Cloud directly or use their online pricing calculator to obtain pricing for your organization.

Expert Insights’ Comments: Google has been a key driver of the FIDO authentication technology standard. Rolling FIDO2 keys out across Android 7+ devices will enable millions of Google users to securely use their smartphone device for secure, phishing resistant authentication, both for Google services and third-party applications. Google Cloud is a strong choice for organizations looking to implement enterprise ready IAM solutions.

Duo Logo

Duo is a leading authentication solution acquired by Cisco in 2018. Duo provides secure authentication and zero trust security for organizations of all sizes, securing access to all devices and applications with multi-factor authentication and single sign-on. Duo support over 35,000 customers across 100 countries and are headquartered in Ann Arbor, MI.

Duo Security Features:

  • Scalable MFA that works across most major apps out of the box and integrates with custom applications
  • Secure remote access with granular access policies for home and office workforce users
  • Device trust verification to enforce contextual access policies and prevent device compromise
  • Single sign-on with a user-friendly dashboard to access all applications
  • Granular, adaptive custom access policies for all apps and networks

How FIDO Works: Duo supports security keys using the WebAuthn (FIDO2) authentication standard for user authentication. Duo also supports FIDO2 with device authentication methods, such as Touch ID on macOS.

Duo Security Pricing: Duo is available as a free application for up to 10 users. Paid plans start at $3 per user, per month, for Duo MFA. Duo Access starts at $6 per user, per month, with secure application access and SSO. Duo Beyond includes all features and starts at $9 per user, per month, including additional endpoint monitoring features.

Expert Insights’ Comments: Duo Security offer a leading authentication platform for organizations of all sizes. Their authentication solution is easy-to-use for end users, with granular control and access management capabilities for admins. The device trust feature secures workforce devices, helping to prevent compromise, while secure single sign-on makes the authentication process seamless for end users. We recommend this solution to teams looking for a secure, adaptive authentication solution.

Apple Logo

Apple has rolled out Passkeys (a term for FIDO2 credentials) for all iCloud users. Passkeys are based on the FIDO2/WebAuthn standard and can be used across all Apple and non-Apple devices. On Apple devices, Touch ID or Face ID can be used to authenticate user identities and replace the use of a password for a more secure, phishing resistant authentication process.

Apple Passkeys Features:

  • Passwords are removed entirely to minimize the risk of a phishing attack
  • Available for all iCloud devices, synced via the Apple iCloud ‘Keychain’ features
  • Existing accounts can be switched to passwordless, FIDO2 authentication methods, and new accounts can be set up via the “Login with Apple” feature where supported
  • iPhones can now be used as FIDO supported security tokens on third-party enterprise applications

How FIDO Works: Passkeys replace passwords with cryptographic key pairs. One key is public; the other is held on your personal device and can only be accessed with biometric verification on supported Apple devices. iCloud Keychain syncs keys across your Apple devices, and they are end-to-end encrypted, so even Apple cannot read them.

Apple Passkeys Pricing: Apple Passkeys are available for all iCloud users.

Expert Insights’ Comments: Apple Passkeys are a secure and convenient way for iCloud users to start replacing passwords with the secure, phishing resistant FIDO2 authentication standard. Support for this method of authentication is, however, down to developers to build into their applications – though it is likely to become widespread over time. Passkeys also mean Apple devices can now be used as FIDO2 enabled security keys with third party applications and other identity providers on this list.
