What Is FIDO2 and Why It Matters for Payment Security

If you have ever approved a payment by typing a six-digit code from a text message, you have used SMS OTP — and you may not realise how easy that approval is to fake. Fraud techniques have evolved far beyond what a one-time code can defend against, yet most finance and treasury teams still rely on them for high-value transactions.

FIDO2 is the technical standard that solves this. But because it comes wrapped in acronyms and cryptography, it rarely gets the plain-English explanation that decision-makers actually need.

This guide cuts through the jargon. By the end, you will understand what FIDO2 is, why it matters specifically for payment workflows, and what questions to ask when evaluating whether your organisation is protected.

What is FIDO2?

FIDO2 is an open authentication standard published by the FIDO Alliance — a consortium that includes Google, Apple, Microsoft, and hundreds of financial institutions. Its purpose is to eliminate passwords and shared secrets entirely, replacing them with cryptographic key pairs stored directly on a user's device.

The name "FIDO" stands for Fast Identity Online. The "2" signals the second generation of the standard, which extended the original specification to work across the web via a component called WebAuthn, now a formal W3C standard.

In practice, FIDO2 is what powers passkeys — the login method increasingly offered by banks, enterprise software, and operating systems when they say "sign in with your fingerprint or Face ID." Payment authentication built on FIDO2 takes this same approach and applies it to transaction approvals.

Why the authentication methods you trust are broken

Before understanding why FIDO2 matters, it helps to understand what it is replacing — and why those replacements are not as secure as they appear.

SMS OTP: a false sense of security

SMS one-time passwords feel secure because the code expires quickly and goes to the user's phone. But the phone network was not designed with fraud prevention in mind. SIM-swapping attacks — where a criminal convinces a mobile carrier to transfer your number to their device — require no technical skill. SS7 protocol attacks can intercept SMS messages at the network level. And real-time phishing proxies can relay your OTP to an attacker's transaction within the code's validity window.

Push notification approvals: training users to click

Many banking and treasury systems send a push notification asking users to "approve" a transaction. These notifications typically show "Payment approval request" with no secondary authentication. Security researchers call this "push fatigue" — users see so many approval requests that they click approve reflexively, including on fraudulent ones. This is known as MFA bombing, and it is a primary attack vector against finance teams.

The comparison at a glance

Method	Phishing resistant?	Shows transaction detail?	Can be intercepted?	Regulatory fit
Password	✗ No	✗ No	✗ Yes	Insufficient
SMS OTP	✗ No	✗ No	✗ Yes	Declining
Push notification	✗ No	✓ Yes	Partial	Partial
FIDO2 passkey	✓ Yes	✓ Yes	✓ No	PSD2 SCA compliant

How FIDO2 actually works

The following explanation avoids cryptographic maths entirely. The goal is to build a clear mental model of why FIDO2 is structurally different from what came before.

Think of FIDO2 like a physical padlock with two keys. When you register, your device creates a unique padlock (the public key, shared with the server) and a private key that never leaves your device. When a transaction is initiated, the server sends a challenge containing the exact transaction details. Your device, and only your device, can sign that challenge after you verify your identity with a fingerprint or Face ID.

The server checks the signature against the public key on file. If the maths match, the payment proceeds. Nothing was transmitted that could be replayed or stolen.

Why FIDO2 matters specifically for payments

Generic authentication protects login. Payment authentication is a different problem — and a more consequential one. A stolen login credential can be changed. A fraudulent payment may be irreversible.

Transaction binding: approving a specific payment, not "a payment"

Most authentication tools answer the question "is this person who they claim to be?" Payment authentication must answer a harder question: "is this person knowingly approving this exact transaction?" FIDO2-based payment platforms bind the cryptographic signature to the specific transaction details — amount, currency, recipient, timestamp. If any value changes by even one cent between approval and execution, the signature becomes invalid. This eliminates man-in-the-browser fraud, where malware modifies transaction details after the user clicks approve.

Risk-based authentication: friction proportionate to risk

Not every payment carries the same risk profile. A recurring vendor payment for a familiar amount is low risk. A same-day transfer to a new international beneficiary is high risk. FIDO2-based platforms apply different verification requirements based on a real-time risk score — adding biometric confirmation only when the transaction profile justifies it. Routine approvals flow without friction; high-value or unusual transactions require it.

Device binding: your phone is the security token

Traditional hardware security tokens are issued, tracked, replaced, and lost. FIDO2 uses the secure hardware already inside every modern smartphone — the same chip that protects Apple Pay and Android Pay. Credentials are bound to that specific physical device. Even if an attacker has your password, they cannot approve payments from a different device.

FIDO2 and regulatory compliance

For compliance teams, the question is not only whether FIDO2 is secure — it is whether it satisfies specific regulatory requirements.

PSD2 Strong Customer Authentication (SCA)

The European Payment Services Directive 2 (PSD2) requires Strong Customer Authentication for electronic payments above certain thresholds. SCA demands at least two of three factors: something you know (knowledge), something you have (possession), something you are (inherence). FIDO2 satisfies possession (the registered device) and inherence (biometric verification) simultaneously in a single tap — making it technically the most complete approach to SCA compliance.

Audit trail requirements

Regulators require that every payment approval be traceable — who approved it, from which device, at what time, under what risk context. FIDO2 authentication events produce a rich, tamper-evident log by design. Every signature includes device attestation data, timestamp, and the challenge that was signed, creating a forensic record that answers auditor questions without manual investigation.

GDPR and data minimisation

Because FIDO2 uses device-local biometrics rather than biometric data transmitted to a central server, it aligns with GDPR's data minimisation principle. The biometric never leaves the device, and the server never stores a biometric template — significantly reducing your organisation's data liability compared to centralised biometric systems.

The business case

Technology decisions made by security and compliance teams ultimately need to demonstrate business value. FIDO2 is unusual in that it improves security and improves user experience simultaneously.

For treasury and finance operations, approval speed is operationally significant. Delayed approvals can affect supplier relationships, cash flow timing, and early payment discount eligibility. Reducing approval latency from 60 seconds to under 5 seconds, across hundreds of monthly transactions, is a measurable efficiency gain.

The cost reduction case is also direct. Organisations sending millions of SMS OTPs monthly face substantial telecommunications costs that scale with transaction volume. Device-based authentication removes this cost entirely. Add to that the reduced operational load from automated, machine-readable audit trails and lower fraud investigation volumes, and the business case is straightforward.

Frequently asked questions