I'd like to try to answer some common questions I see here:
- Q: Doesn't passwordless mean single factor? Isn't that insecure?
A: It could mean single- or two-factor. FIDO2 and the new YubiKeys support an on-device PIN that isn't shared with the server, like conventional smart cards. This allows the key to act as both "something you have" (the key itself) and "something you know" (the PIN for the key). The PIN is optional, though, so both the single factor and two factor use cases are possible.
- Q: Is this Azure/Windows/AD only?
A: This post highlights the partnership with Microsoft and the integration with their products, but FIDO2 is not Microsoft-only (and Yubico will not be the only key vendor). CTAP2, once finished, will be published as an open standard like U2F, and the accompanying Web Authentication API [1] (WIP) is an OS-agnostic W3C standard enabling the same features in browsers.
[1]: https://www.w3.org/TR/webauthn/
- Q: Will I need a new YubiKey?
A: For passwordless (PIN) login, yes. However, existing YubiKeys with U2F support will be usable as a 2nd factor in Web Authentication, and sites that currently use U2F can upgrade to using the Web Authentication API without needing their users to re-enroll their keys.
Full disclosure: I'm a Yubico engineer and one of the editors of the Web Authentication spec.
Do you have any plans to release server code (I'm mainly concerned about PHP) for CTAP2/WebAuthn support? I really appreciated having access to a reference implementation to handle the data from the client for U2F. CTAP2 looks significantly more complex, and I'm somewhat worried about complexity of implementing it correctly based on the spec.
https://github.com/Yubico/libfido2