Implementing Hardware Security Key Authentication

When to Use

• Deploying phishing-resistant multi-factor authentication (MFA) using FIDO2 hardware security keys for high-value accounts (administrators, developers, privileged users)
• Building a WebAuthn relying party server that supports both roaming authenticators (USB/NFC security keys) and platform authenticators (Windows Hello, Touch ID, Android biometrics)
• Migrating an existing password-based authentication system to support passkeys (discoverable credentials) as a primary or secondary authentication factor
• Enrolling YubiKey devices for an organization's workforce, including PIN setup, credential registration, and backup key provisioning
• Implementing passwordless authentication flows that comply with NIST SP 800-63B AAL3 (authenticator assurance level 3) requirements

Do not use without HTTPS in production (WebAuthn requires a secure origin), for systems where users cannot physically access a USB/NFC port, or as the sole authentication factor without a recovery mechanism for lost keys.

Prerequisites

• Python 3.10+ with fido2 (python-fido2 >= 2.0.0), flask, and cryptography libraries installed
• HTTPS-enabled web server (WebAuthn API requires secure context; localhost is exempt for development)
• FIDO2-compatible hardware security key (YubiKey 5 Series, SoloKeys, Titan Security Key) or platform authenticator
• Modern web browser supporting the WebAuthn API (Chrome 67+, Firefox 60+, Safari 14+, Edge 79+)
• Understanding of public key cryptography, challenge-response protocols, and HTTP session management