Many people use WebAuthn and FIDO2 interchangeably, but they are not the same. If you are trying to understand passkeys, the difference matters.
The one-line relationship
FIDO2 = WebAuthn + CTAP
- FIDO2 is the umbrella project / overall standard.
- WebAuthn is the web browser API part of FIDO2.
- CTAP (Client to Authenticator Protocol) handles communication with hardware keys and external devices.
Detailed comparison
| Aspect | FIDO2 | WebAuthn |
| --- | --- | --- |
| Scope | Full framework / project | Specific web API |
| What it is | Umbrella standard for passwordless, phishing-resistant authentication | The JavaScript API websites and web apps use |
| Developed by | FIDO Alliance + W3C | W3C Web Authentication Working Group (with FIDO) |
| Key components | WebAuthn + CTAP2 | Browser-side API only |
| Main purpose | Strong authentication across web, mobile, hardware | Let websites create and use public-key credentials |
| Developer code | Rarely direct | Yes — navigator.credentials.create() and .get() |
| Works with | Browsers, OS, hardware keys, platform authenticators | Primarily web browsers (and some native apps via WebView) |
| Origin binding | Enforced through the full system | Core mechanism that provides phishing resistance |
| Current version | FIDO2 (ongoing) | WebAuthn Level 3 (Candidate Recommendation, May 2026) |
| Passkeys | Passkeys are built on FIDO2 | Passkeys are managed via the WebAuthn API |
Simple analogy
FIDO2 is the entire electric car ecosystem: battery, motor, software, charging protocol.
WebAuthn is the dashboard and steering wheel — what the driver (the website) actually interacts with.
CTAP is the wiring and connectors that let the car talk to external parts, like a roaming security key.
Why this matters for security & scam protection
WebAuthn is where origin binding happens: the browser scopes each credential to the site's domain (the relying party ID) and records the page's real origin in the data the authenticator signs, so a passkey registered for the genuine site will not work on a fake or phishing look-alike. This is the feature that gives passkeys their phishing resistance.
FIDO2 is the broader set of standards that makes the whole system work across devices: phone, laptop, hardware keys, and so on.
When people say "Use FIDO2 passkeys," they almost always mean using WebAuthn in the browser with a FIDO2-compliant authenticator.
Real-world usage in 2026
- Websites implement WebAuthn.
- Users and devices use FIDO2-compliant authenticators: platform passkeys or hardware keys.
- WebAuthn Level 3 adds Related Origin Requests, better cross-device support, and the Signal API — all still within the FIDO2 framework.
Bottom line
- Use FIDO2 when talking about the overall technology or standard.
- Use WebAuthn when talking about the actual browser API developers use to implement passkeys.
- You cannot have FIDO2 without WebAuthn, but WebAuthn is only one piece of the full FIDO2 vision.
For GACS readers, the most accurate phrase is: "FIDO2 passkeys (powered by the WebAuthn API and its origin binding)."
Combine passkeys with the habit of running unfamiliar URLs through the free GACS Safe Scanner and you remove the two most common attack vectors: phishing pages and weak login credentials.
GACS is advisory-only and free forever. If anyone claiming to be from GACS asks you for a seed phrase, recovery fee, or passkey export, report them — that's the scam.
