TL;DR: FIDO2 expands passwordless authentication by using public and private key pairs, hardware security keys, and WebAuthn to reduce phishing exposure and reliance on passwords, according to Bitwarden. For IAM teams, the shift matters because stronger authenticators change recovery, device trust, and account lockout design rather than simply adding a second factor.
NHIMG editorial — based on content published by Bitwarden: FIDO2 passwordless authentication and two-step login
Questions worth separating out
Q: How should security teams roll out FIDO2 without locking users out?
A: Start with privileged and high-risk accounts, require a backup authenticator or recovery code before enforcement, and test the full recovery path before removing older methods.
Q: Why do hardware security keys improve human identity assurance?
A: Hardware keys improve assurance because the private key stays on the device and the login response is bound to the legitimate origin.
Q: What do organisations get wrong about passwordless authentication?
A: They often focus on removing passwords and ignore recovery design.
Practitioner guidance
- Prioritise phishing-resistant authenticators for privileged users Replace SMS and weak fallback methods for administrators, finance teams, and other high-risk accounts with hardware-key based login.
- Map passwordless to the full login and recovery journey Document where the master password, FIDO2 assertion, recovery code, and backup key each apply.
- Register backup keys before enforcing rollout deadlines Require a second registered hardware key or equivalent recovery control before removing legacy methods.
What's in the full article
Bitwarden's full article covers the implementation detail this post intentionally leaves for the source:
- Step-by-step setup guidance for enabling FIDO2 in the Bitwarden web vault and desktop clients
- Platform-specific notes on supported security keys, including mobile client behaviour and NFC use
- Account recovery guidance, including backup key registration and recovery code handling
- Plan-specific limits and product settings that affect how many security keys can be registered
👉 Read Bitwarden's guide to FIDO2 passwordless authentication and two-step login →
FIDO2 passwordless login: are your human auth controls ready?
Explore further
FIDO2 shifts human authentication from secret reuse to cryptographic possession. That is the right direction for human IAM because it reduces dependence on passwords that can be phished, guessed, or replayed. The critical change is not just stronger login. It is that the service now verifies an origin-bound key exchange instead of a shared secret, which materially narrows the attack surface for account takeover.
A few things that frame the scale:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: How do IAM teams decide between FIDO2, TOTP, and SMS codes?
A: Use FIDO2 where phishing resistance matters most, TOTP where hardware keys are not yet practical, and avoid SMS for anything high risk because SIM-swap abuse weakens it. The decision should follow the sensitivity of the account and the recovery burden you can actually support.
👉 Read our full editorial: FIDO2 passwordless login changes human identity assurance