# FIDO2 authentication

**FIDO2** is a passwordless authentication standard from the FIDO Alliance and the W3C. It provides strong, phishing-resistant sign-in for web applications and online services.

If your deployment uses FIDO2, you can register authenticators in SelfService and enable FIDO2 for login flows in OpenIAM.

{% hint style="info" %}
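FIDO2 works only over **HTTPS**. Browsers expose the WebAuthn API only in secure contexts, so serve SelfService and the login pages over HTTPS.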
{% endhint %}

### Manage authenticators

{% stepper %}
{% step %}

### Open authenticator management

Open **SelfService** and go to the **Self Service Center**. From there, you can add, rename, or delete authenticators.

<figure><img src="/files/c19237f77461ff39c6b7b8fe9749695b8e26f359" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Add a new authenticator

<figure><img src="/files/007f91e50b4d128be181538a700d2763706ee6e5" alt=""><figcaption></figcaption></figure>

When the browser prompt appears, touch your security key or complete the prompt on your FIDO2 device.

<figure><img src="/files/61271c8275841e1f513730016e7bc9bea11606a9" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Rename or delete an authenticator

After registration, you can rename the authenticator to make it easier to identify later. You can also delete old authenticators that are no longer in use.

<figure><img src="/files/c88221b8d25931aa6f7e6afd75974e7c48f42525" alt=""><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}

### Configure OpenIAM to use FIDO2 authentication

To enable FIDO2 login, sign in to the **Webconsole** and open the relevant content provider.

{% stepper %}
{% step %}

### Open the target content provider

Open the content provider that should use FIDO2. Then update the default authentication rule to use the **FIDO** authentication method.

<figure><img src="/files/150db1415c7452651c8912dc1a4198fc21bcce84" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Create a new authentication configuration

If you do not want to use the default rule, create a custom authentication configuration instead.

<figure><img src="/files/8c240e9b0b80dfd46270d81a5d93bce79dba4296" alt=""><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}

### Sign in with a FIDO2 authenticator

After you save the configuration, OpenIAM prompts the user for the registered FIDO2 authenticator during sign-in.

![](/files/cd73142ad37ca954c02907b880ed135d3bedc233)

![](/files/fa75f718d22a49c370a4bb986035ccd093772d29)

