FIDO uses several protocols, which changed from the first version in 2013 to FIDO2 in 2018. The specifications for FIDO2 follow. See FIDO.
UAF
FIDO uses the Universal Authentication Framework (UAF) to select the authentication method, which can be a PIN or biometric (face, finger swipe, etc.).
WebAuthn
FIDO2 supports the World Wide Web Consortium's WebAuthn passkey authentication system, which is built into browsers and operating systems. See WebAuthn.
CTAP2
The Client to Authenticator Protocol 2 (CTAP2) supports external authenticators (see below) over USB, NFC and Bluetooth. The earlier FIDO Universal Second Factor (U2F) protocol was renamed CTAP1, often designated as FIDO U2F.
How It Works - Public Key Cryptography
When signing up for a passkey, FIDO generates a public/private key pair. The public key is sent to the website, but the private key is never in transit. At login, the server sends the client a challenge, which the client signs with the private key; the server then verifies the signature with the user's public key. See public key cryptography and digital signature.
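The sign-up and login exchange described above, as an added example that is not code from the FIDO specifications. It uses Node's built-in crypto module, and the function names and the in-memory challenge store are assumptions; real WebAuthn signs a structure that contains the challenge rather than the bare challenge.

```javascript
const crypto = require('node:crypto');

// Sign-up: the authenticator creates the key pair. Only the public key
// is handed to the website; the private key stays with the authenticator.
function register() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { authenticator: { privateKey }, serverRecord: { publicKey } };
}

// Server: issue a fresh random challenge and remember it for one use.
const pending = new Set(); // hypothetical in-memory store
function issueChallenge() {
  const challenge = crypto.randomBytes(32);
  pending.add(challenge.toString('hex'));
  return challenge;
}

// Client/authenticator: sign the challenge with the private key.
function signChallenge(authenticator, challenge) {
  return crypto.sign('sha256', challenge, authenticator.privateKey);
}

// Server: accept only a challenge it issued and has not yet consumed,
// then verify the signature with the stored public key.
function verifyLogin(serverRecord, challenge, signature) {
  if (!pending.delete(challenge.toString('hex'))) return false;
  return crypto.verify('sha256', challenge, serverRecord.publicKey, signature);
}

// Constructed walk-through: one valid login, then the same response replayed.
function demo() {
  const { authenticator, serverRecord } = register();
  const challenge = issueChallenge();
  const signature = signChallenge(authenticator, challenge);
  return {
    firstLogin: verifyLogin(serverRecord, challenge, signature),
    replayed: verifyLogin(serverRecord, challenge, signature),
  };
}

console.log(demo());
```

Because each challenge is random and consumed on first use, a captured response cannot be replayed, and a signature made with any other private key fails verification.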
(Images of external authenticators courtesy of Yubico and CRYPTNOX SA.)