FIDO2 Authentication with WebAuthn for Secure Access
Overview
This page explains the security role of FIDO2 / WebAuthn in UnoLock.
UnoLock uses FIDO2 / WebAuthn to authenticate access keys securely without relying on traditional passwords. That gives UnoLock phishing-resistant, public-key based authentication for Safe access while keeping the authenticator's private key on the user's device or hardware key.
For the customer-facing explanation of access keys, passkeys, hardware keys, and multi-device use, see Access Keys & Safe Access.
What FIDO2 / WebAuthn Provides
- Public-key authentication: UnoLock verifies signed challenges using a registered public key instead of a reusable password.
- Private key isolation: the authenticator keeps the private key on-device or in dedicated hardware.
- Origin binding: a WebAuthn credential is bound to the origin it was registered for, so a look-alike site on a different origin cannot obtain a valid signature; this helps prevent phishing.
- Local biometric mediation: when biometrics are used, the biometric check stays local to the authenticator or device.
How It Works in UnoLock
At a high level:
- A user registers an access key for a Safe.
- The authenticator creates or exposes a WebAuthn credential.
- UnoLock stores the public-key side needed for verification.
- During Safe access, the authenticator signs a challenge.
- UnoLock verifies the response and allows the authenticated operation to continue.
Security Properties
- Passwordless authentication: no reusable password secret is transmitted or stored for login.
- Phishing resistance: origin-aware challenge signing makes credential phishing materially harder.
- Replay resistance: challenge-response authentication reduces replay risk.
- Hardware-backed protection: dedicated authenticators such as YubiKeys can harden key protection.
- Biometric privacy: UnoLock does not receive or store fingerprint or face data.
Why It Matters
FIDO2 / WebAuthn strengthens UnoLock’s security model by replacing weak shared-secret authentication with device-bound or hardware-bound authenticators. This reduces exposure to:
- stolen-password attacks,
- phishing,
- credential stuffing,
- replay of intercepted credentials.
It also supports a stronger access-control model because each person can authenticate with their own registered access key rather than sharing one secret.
Scope in UnoLock
FIDO2 / WebAuthn secures authentication. It is one part of a larger system that also includes:
- encrypted Safe data storage,
- per-user access keys,
- Space-level permissions,
- recovery and continuity controls such as Lockout Guard.
FAQs
What is the difference between FIDO2 / WebAuthn and an access key?
FIDO2 / WebAuthn is the authentication standard and protocol. An access key is the user-facing credential registered in UnoLock, such as a passkey or hardware key, that uses that security model.
Can UnoLock access my biometric data?
No. Biometric checks happen locally on the device or authenticator. UnoLock does not receive or store biometric data.
Does this page explain how users access the same Safe from multiple devices?
Not in detail. That topic is covered in Access Keys & Safe Access.