Operating system and web browser support for FIDO2 and U2F


The goal of this article is to highlight the operating system and browser ecosystem support for FIDO. The information provided is based on general availability (GA) operating system and browser releases and YubiKeys that support the FIDO standards.

 

FIDO is a set of open standards for secure and easy to use, phishing-resistant web authentication. For the purpose of this article, passkey, WebAuthn credential, FIDO credential and FIDO2 credential are equivalent. Additionally, some websites may refer to the creation of a FIDO credential as using a security key. All of these may refer to the process of creating a FIDO credential on a FIDO security key, like the YubiKey.

 

Since the arrival of the FIDO2 standard in 2018, there has been a steady shift away from web browsers providing support for FIDO credentials, and towards APIs that are made available by the operating system. There is now a mix of support provided by operating systems and by browsers, collectively referred to as platforms.

 

Operating systems, browsers and platforms

While there are a large number of browser and operating system combinations, because of the differences in ways that support for FIDO is delivered on different platforms, some of those combinations may use the same underlying mechanism to provide FIDO credential support.

 

Use this chart to determine which FIDO platform is in use for each browser and platform combination:

  

  Windows 10 Windows 11 macOS iOS / iPadOS Android Linux

Chrome & Edge

(Chromium-based

browsers)

Windows 10  Windows 11 

Chrome on

macOS and

Linux

Safari 

Google

Play

Services

Chrome on

macOS and

Linux

Safari N/A N/A Safari  Safari  N/A N/A
Firefox Windows 10 Windows 11 Safari  Safari 

Google

Play

Services

Firefox on

Linux

 

On Windows 10 and Windows 11, the FIDO support is provided by a Windows API, and all applications including web browsers must use that support unless they’re run with administrative privileges. 

 

On iOS and iPadOS, the FIDO support is provided by an Apple API, and all web browsers must utilize that support.

On macOS, a FIDO API is provided, but its use is not mandatory:  

  • Safari uses the built-in Apple API
  • Firefox uses the built-in API by default, but that is configurable
  • Chrome does not use the built-in API for hardware security keys

On Android (version 9 or higher), FIDO support may be provided by Google Play Services (version 24 or higher) on devices that have it installed.  

On Linux-based operating systems, there is no system wide API available, so each browser must provide its own FIDO support.

 

Common use cases

When using FIDO on a YubiKey with a web browser to log in to a website or identity provider, there are three distinct flows:

 

  • The first, which is most similar to the original U2F standard, is FIDO as a second factor. This relies on traditional username and password authentication, and then using a YubiKey or similar FIDO device as an MFA factor. This flow is typically used with web sites that have security key support.
  • The second, passwordless, was introduced with FIDO2. It relies on getting the username either by prompting the user or using persistent cookies, and then prompting the user to use their YubiKey with a PIN.
  • The third, usernameless, was also introduced with FIDO2, and has been popularized as passkey logon, where the user only needs to activate their FIDO device using a PIN or biometric, and they can be securely logged into a service.

Additionally, there are two more common use cases:

 

  • Initial PIN setup happens the first time a user encounters a situation that requires use of a PIN. PIN setup must be successful to continue, but it can be done beforehand on a supported operating system or browser.
  • Initial fingerprint setup refers to the first time a user enrolls a fingerprint on a YubiKey Bio Series device. This is optional on YubiKey Bio Series devices, and can be done at any time.  You do not need to use the same browser or device to enroll fingerprints.

Passwordless, usernameless, and initial PIN setup are not supported on U2F-only devices such as the YubiKey 4 Series and the YubiKey NEO.

 

  Windows 10 Windows 11

Chrome on

macOS and

Linux

Safari

Google Play

Services (Android)

Firefox

on Linux

Usernameless 

✅USB

✅NFC

✅USB

✅NFC

✅USB

✅USB

✅NFC
✅Lightning

✅USB

❌NFC

✅USB
Passwordless

✅USB

✅NFC

✅USB

✅NFC

✅USB

✅USB

✅NFC
✅Lightning

✅USB

❌NFC

✅USB
Second Factor

✅USB

✅NFC

✅USB

✅NFC

✅USB

✅USB

✅NFC
✅Lightning

✅USB
✅NFC
✅USB

Initial PIN

 Setup

✅USB

✅NFC

✅USB

✅NFC

✅USB

✅USB

✅NFC
✅Lightning

✅USB

❌NFC

Initial Fingerprint

Setup 

✅USB1 ✅USB2 ✅USB3

 

Feature support

  Windows 10 Windows 11

Chrome on

macOS and

Linux

Safari

Google Play

Services

(Android)

Firefox on

Linux

AlwaysUV

✅USB

✅NFC

✅USB

✅NFC

✅USB

✅USB4

❌NFC

✅USB

Force PIN

Change

✅USB

✅NFC

✅USB

1 Windows 10 allows for the enrollment of new fingerprints, but will not prompt for it automatically.

2 Windows 11 allows for the enrollment of new fingerprints, but will not prompt for it automatically.

3 Chrome on macOS and Linux will prompt for biometric enrollment any time the user registers the YubiKey on a new site if fingerprints aren’t already enrolled.

4 Firefox for Android lacks full support for the AlwaysUV feature