FIDO2 (Fast Identity Online 2) is a family of open authentication standards designed specifically to enable strong, phishing-resistant, passwordless authentication. It combines the WebAuthn standard (for browsers and web applications) with the CTAP protocol (for communicating with authenticators such as security keys). Vendors like Microsoft explicitly describe Windows Hello and FIDO2 security keys as passwordless sign-in mechanisms, and Yubico likewise highlights FIDO2 support on YubiKey devices for passwordless and multi-factor authentication.
Zscaler’s identity-related documentation and partner guides reference FIDO2 and passwordless methods such as Windows Hello for Business and FIDO2-based passkeys as modern options that integrate with identity providers (e.g., Microsoft Entra ID / Azure AD) and can be used for Zscaler authentication flows.
By contrast, SCIM is a provisioning standard for user and group lifecycle management, not an authentication protocol. OpenID (and OpenID Connect) and SAML are federation and SSO protocols that typically still rely on passwords or existing credentials at the identity provider, even though they may be used alongside MFA. Only FIDO2 is purpose-built for secure, hardware- or device-bound, passwordless authentication with biometrics or secure PINs, which is exactly what the question describes with examples like Windows Hello and YubiKey.
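The phishing resistance described above comes from the WebAuthn side of FIDO2: the browser records the origin it is actually talking to in `clientDataJSON`, and the relying party rejects any response whose origin or challenge does not match. The sketch below is an added example, not code from this page or from any vendor named on it. The function names, the origins and the challenge are assumptions constructed for illustration, and it covers only the client-data checks. A full relying party also verifies the authenticator data and the signature.

```python
import base64
import hmac
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_client_data(client_data_json, expected_challenge, expected_origin,
                      ceremony="webauthn.get"):
    """Return the reasons to reject this response; an empty list means pass."""
    try:
        data = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return ["clientDataJSON is not valid UTF-8 JSON"]
    if not isinstance(data, dict):
        return ["clientDataJSON is not a JSON object"]
    problems = []
    if data.get("type") != ceremony:
        problems.append("unexpected ceremony type")
    # The challenge must be the one this server issued for this session.
    got = data.get("challenge")
    want = b64url(expected_challenge)
    if not isinstance(got, str) or not hmac.compare_digest(got.encode(), want.encode()):
        problems.append("challenge mismatch")
    # The browser, not the page, writes the origin it was actually talking to.
    if data.get("origin") != expected_origin:
        problems.append("origin mismatch")
    return problems


def sample_client_data(origin, challenge):
    """Constructed sample of what a browser would send (not captured traffic)."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode("utf-8")


CHALLENGE = bytes(range(32))                 # constructed; real ones are random
RP_ORIGIN = "https://login.example.com"      # assumed relying-party origin

if __name__ == "__main__":
    for origin in (RP_ORIGIN, "https://login.example.net"):
        print(origin, check_client_data(sample_client_data(origin, CHALLENGE),
                                        CHALLENGE, RP_ORIGIN))
```

A password or one-time code entered on the wrong site can be replayed to the real one, which is why federation protocols that rest on such credentials do not provide this property by themselves.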