Fido is basically U2F which is universal two-factor.
Fido2 is designed for passwordless operation. This means it’s the primary factor, not a secondary factor. The difference comes down to, for lack of a more nuanced explanation, supporting user authentication of some sort on the security token. Typically this means setting and using a PIN code for the token. In this way, nobody can simply find your security key and log into your stuff without knowing at least some factor. You could call it a simplified password if you want but basically it’s the primary difference between U2F and Fido2.
The industry is, of course, muddling things as they often do.
Passkeys are based on Fido2, however they are based on a very specific type of Fido2 - resident keys. There are two ways you can authenticate with a fido2 security token. The first is similar to u2f where the relying party (website, service, etc.) basically challenges your token and stores the public key of your token in its database. The next time you show up, it issues challenges based on that public key and if your key response correctly then hooray. It’s a little more involved than that to tie in url data and spoof protection and phishing attack protection, but that’s basically how it works.
Resident keys work a little differently. As you might surmise, the relying party creates a unique key that resides on your security token which is used to authenticate in a similar fashion.
Passkeys are basically a marketing term that is struggling to come to grips with also trying to become a technical specification. Basically, we have been going through a series of big bumps the last 24 months or … some websites say hey you can register a fido2 security key and when you do that it’s putting a resident key on your security token, while Apple and Google started pushing the idea of passkeys which are really no different but they created this term basically to push the idea that your device is the key… and by device they mean your phones and computers. They wanted a way to differentiate what they are leveraging the fido2 standard for vs traditional security keys.
My personal thought is that this is a terrible idea. If you are securing your access to cloud services and effectively securing your personal identity across the entire cloud using a device that is easily hacked, stolen, lost, forgotten, whatever… that’s like putting all your eggs in one basket. Of course the idea is that you would be able to do passkey revocation if you lose one of your devices but managing all of that is a it show nightmare once you get beyond just a few services.
Keeping your passkeys or resident keys or whatever you want to call them with you at all times in your body seems like a much easier management issue. Particularly if you have two Apex so you have a backup just in case. Management however is still the name of the game.
Basically, you could use any standard fido2 resident key management software package to manage the resident keys on your Apex… the problem is it’s just not a software suite out there. I think Yubico something, but I’m pretty sure it only works with their security tokens.
We do have plans for integrating better management for other applications on Apex into the Apex manager smartphone app. This includes Fido key management, but there is no ETA for these features.
Anybody with development skills who might want to contribute, let me know 