The goal of this article is to highlight the operating system and browser ecosystem support for FIDO. The information provided is based on general availability (GA) operating system and browser releases and YubiKeys that support the FIDO standards.
FIDO is a set of open standards for secure and easy to use, phishing-resistant web authentication. For the purpose of this article, passkey, WebAuthn credential, FIDO credential and FIDO2 credential are equivalent. Additionally, some websites may refer to the creation of a FIDO credential as using a security key. All of these may refer to the process of creating a FIDO credential on a FIDO security key, like the YubiKey.
Since the arrival of the FIDO2 standard in 2018, there has been a steady shift away from web browsers providing support for FIDO credentials, and towards APIs that are made available by the operating system. There is now a mix of support provided by operating systems and by browsers, collectively referred to as platforms.
Operating systems, browsers and platforms
While there are a large number of browser and operating system combinations, because of the differences in ways that support for FIDO is delivered on different platforms, some of those combinations may use the same underlying mechanism to provide FIDO credential support.
Use this chart to determine which FIDO platform is in use for each browser and platform combination:
Windows 10 | Windows 11 | macOS | iOS / iPadOS | Android | Linux | |
Chrome & Edge (Chromium-based browsers) |
Windows 10 | Windows 11 |
Chrome on macOS and Linux |
Safari |
Play Services |
Chrome on macOS and Linux |
Safari | N/A | N/A | Safari | Safari | N/A | N/A |
Firefox | Windows 10 | Windows 11 | Safari | Safari |
Play Services |
Firefox on Linux |
On Windows 10 and Windows 11, the FIDO support is provided by a Windows API, and all applications including web browsers must use that support unless they’re run with administrative privileges.
On iOS and iPadOS, the FIDO support is provided by an Apple API, and all web browsers must utilize that support.
On macOS, a FIDO API is provided, but its use is not mandatory:
- Safari uses the built-in Apple API
- Firefox uses the built-in API by default, but that is configurable
- Chrome does not use the built-in API for hardware security keys
On Android (version 9 or higher), FIDO support may be provided by Google Play Services (version 24 or higher) on devices that have it installed.
On Linux-based operating systems, there is no system wide API available, so each browser must provide its own FIDO support.
Common use cases
When using FIDO on a YubiKey with a web browser to log in to a website or identity provider, there are three distinct flows:
- The first, which is most similar to the original U2F standard, is FIDO as a second factor. This relies on traditional username and password authentication, and then using a YubiKey or similar FIDO device as an MFA factor. This flow is typically used with web sites that have security key support.
- The second, passwordless, was introduced with FIDO2. It relies on getting the username either by prompting the user or using persistent cookies, and then prompting the user to use their YubiKey with a PIN.
- The third, usernameless, was also introduced with FIDO2, and has been popularized as passkey logon, where the user only needs to activate their FIDO device using a PIN or biometric, and they can be securely logged into a service.
Additionally, there are two more common use cases:
- Initial PIN setup happens the first time a user encounters a situation that requires use of a PIN. PIN setup must be successful to continue, but it can be done beforehand on a supported operating system or browser.
- Initial fingerprint setup refers to the first time a user enrolls a fingerprint on a YubiKey Bio Series device. This is optional on YubiKey Bio Series devices, and can be done at any time. You do not need to use the same browser or device to enroll fingerprints.
Passwordless, usernameless, and initial PIN setup are not supported on U2F-only devices such as the YubiKey 4 Series and the YubiKey NEO.
Windows 10 | Windows 11 |
Chrome on macOS and Linux |
Safari |
Google Play Services (Android) |
Firefox on Linux |
|
Usernameless |
✅USB ✅NFC |
✅USB ✅NFC |
✅USB |
✅USB ✅NFC |
✅USB ❌NFC |
✅USB |
Passwordless |
✅USB ✅NFC |
✅USB ✅NFC |
✅USB |
✅USB ✅NFC |
✅USB ❌NFC |
✅USB |
Second Factor |
✅USB ✅NFC |
✅USB ✅NFC |
✅USB |
✅USB ✅NFC |
✅USB ✅NFC |
✅USB |
Initial PIN Setup |
✅USB ✅NFC |
✅USB ✅NFC |
✅USB |
✅USB ✅NFC |
✅USB ❌NFC |
❌ |
Initial Fingerprint Setup |
✅USB1 | ✅USB2 | ✅USB3 | ❌ | ❌ | ❌ |
Feature support
Windows 10 | Windows 11 |
Chrome on macOS and Linux |
Safari |
Google Play Services (Android) |
Firefox on Linux |
|
AlwaysUV |
✅USB ✅NFC |
✅USB ✅NFC |
✅USB | ❌ |
✅USB4 ❌NFC |
✅USB |
❌ |
✅USB ✅NFC |
✅USB | ❌ | ❌ | ❌ |
1 Windows 10 allows for the enrollment of new fingerprints, but will not prompt for it automatically.
2 Windows 11 allows for the enrollment of new fingerprints, but will not prompt for it automatically.
3 Chrome on macOS and Linux will prompt for biometric enrollment any time the user registers the YubiKey on a new site if fingerprints aren’t already enrolled.
4 Firefox for Android lacks full support for the AlwaysUV feature