FIDO2 FAQs

💡 About this FAQ
Find everything you need about uTrust FIDO2 and its applets.

Topics:

  1. 🧾 Generic FAQs

  2. 🔐 FIDO Related FAQs

  3. 🛂 PIV Related FAQs

  4. 🔢 OTP-OATH Related FAQs

  5. ✉️ PGP Related FAQs

FIDO2 Knowledge Base – Applications and Tools

Explore our Knowledge Base to learn about FIDO2 card applications, supported tools, and integration workflows for logical and physical access environments.


🧾 Generic FAQs

This section provides guidance for everyday users of our FIDO2 security key. Whether you're setting up your key for the first time or resolving common issues, these FAQs are designed to help you.

  • FIDO (Fast Identity Online) is a set of standards and specifications developed by the FIDO Alliance to provide a solution to replace the traditional password authentication scheme.

  • FIDO Security Keys are hardware based secure tokens that support the FIDO specification to secure web service accounts.

  • U2F (FIDO 1.0) is a 2FA (second-factor authentication) protocol. Transport layers are USB CCID and NFC.

  • FIDO2 is a passwordless authentication protocol. Transport layers are USB CCID and NFC.

  • OATH OTP is a second-factor authentication protocol (this is different from the FIDO2 protocol). Transport layer is USB CCID.

  • OpenPGP is an encryption/signing protocol. Transport layer is USB CCID.

  • PIV is a smart card authentication protocol. Transport layer is USB CCID.

  • The security key is a physical hardware device used for authentication. The user decides which application they want to use. Our security key offers three authentication methods: OTP, PIV and FIDO.

  • Passkey is authentication specific to FIDO2. This enables a passwordless authentication for a user.

Traditional Password authentication schemes have some security and usability issues. Using simple passwords across multiple sites will create security risks such as phishing and MITM (man in the middle) attacks. Using complex passwords can also bring usability issues and cause frequent password resets. FIDO Security Keys utilize public key cryptography (PKC) to provide a secure authentication scheme to online accounts. The security key will create a new set of access key pairs to enhance the security.

  • Maximum resident keys supported: 32.
    This means your security key can store up to 32 user accounts in total across all websites or services that support passwordless login (like Microsoft, Okta, Google, etc.).

  • Maximum resident keys per relying party: 10.
    For any single website or service, you can store up to 10 user accounts.

In general, to secure a FIDO/U2F or FIDO2 account/application, log into the account/application using your current method (typically username and password), then go to account settings/security, select multi-factor authentication, and choose set-up security keys. Applications have varying steps. You can find more application-specific instructions by clicking on the “view docs” button on our Works with uTrust FIDO page.

Best practice is to have at least two keys. One key as a primary key and the second key as a backup key, so that you are not locked out of the accounts you set up.

The keys will work with macOS devices. You just need to confirm that you have the right connector (USB A, C or NFC) on your device. You also need to ensure that the application you are using is a FIDO/u2f or FIDO2 certified application.

No. Neither option is necessary as one key will work with multiple applications as long as they are FIDO/u2f or FIDO2 certified applications. You can also use one key on multiple devices as long as the connectivity is available (USB A, USB C or NFC) depending on the model key you are using. Best practice is to have at least two keys. One key as a primary key and the second key as a backup key so that you are not locked out of the accounts you set up.

You do not register the key with Hirsch. You register the key for use with your Bank of America application, or any other FIDO-compatible application (e.g., Google Suites, Microsoft Accounts, Salesforce…). Here is a link to get you started: https://www.bankofamerica.com/security-center/online-mobile-banking-privacy/usb-security-key/ Below are some instructions I have outlined as well. Please note that this is for http://BofA.com and may be slightly different if you are outside the US. To register your key with Bank of America:

  • Log into your BofA account on the website

  • Go to Profile & Settings > Security Center

  • Scroll to and select “Enhance your two-factor authentication” and make sure this is turned “On”

  • Scroll down to “Increase your device security” and find “Additional security features” and click on “Review”

  • You will see “USB Security Key” and click on “Add or Edit”

From here please follow the instructions as you may have to contact Bank of America to obtain a security code to add/remove keys. Bank of America is the only application where I have seen that you must contact a provider directly to register the key here in the U.S. Typically, this is an automated process.

No, uTrust Keys cannot be duplicated due to their secure hardware design. However, you can register multiple uTrust keys with the same account to serve as backups.

No, you do not have to do any installation on a computer, tablet, or smartphone.

This typically depends on the account/application you are using. Best practice is to have at least two keys. One key as a primary key and the second key as a backup key so you are not locked out of the accounts you set up. Some accounts/applications have a series of emergency one-time access codes that you can store somewhere safely. Other accounts/applications offer authentication through a series of steps to validate that you are you.

It will work with any iPhone using NFC. Most of the newer iPhones have NFC connectivity.

Yes, the uTrust FIDO2 keys are compatible with Microsoft Azure and can be found on the Azure support website here.

Yes, uTrust FIDO2 Security keys will work with Apple ID to provide extra protection against phishing attacks. You can use it with USB A, USB C or NFC connectivity depending on your device compatibility.

No. Hirsch is a U.S. company and the keys are Trusted American Act (TAA) compliant.

The uTrust FIDO2 keys are not waterproof; however, they are water resistant. If the key is exposed to moisture, you need to make sure the key is thoroughly dry before continuing to use it. Extra caution should be taken with the USB Type-C model because the connector has a hollow middle that can hold in moisture.

When you register the key with an application for the first time you set a PIN. This makes it 2-factor, the key being one factor of something you have, and the PIN being a second factor of something you know.

No, you have the option to add and remove keys to your accounts/applications at any time.

Yes, you need to close the keyboard assistant window to skip this step and the key will work with your Mac device.

No, the keys do not need to be configured with the uTrust Key Manager before they are used. For new keys, FIDO applications will typically ask that you set your PIN first before proceeding.

Yes. We have macOS support for the uTrust FIDO2 Security Key Manager on our roadmap.

Supported browsers:

  • Edge (Windows): FIDO2

  • Chrome (Windows / Mac / Linux): FIDO2 & U2F

  • Firefox (Windows / Mac / Linux): FIDO2 & U2F

  • Opera (Windows / Mac / Linux): FIDO2 & U2F

  • Safari (macOS / iOS): FIDO2 & U2F

Yes, as long as your Chrome OS is up to date, you are using a supported browser, and your Chromebook has a USB slot.

Not for FIDO registration. Users self-register FIDO keys with each service and can use the same key for multiple services. You can pre-configure user PIV certificates if you so choose.

Based on free, open standards from the FIDO Alliance, Fast IDentity Online (FIDO) authentication enables password-only logins to be replaced with secure, fast login experiences across websites and apps. This is accomplished by using standard public-key cryptography to provide strong authentication and leave zero data at rest.

FIDO U2F is an open standard that provides added security and simplifies Universal 2-Factor (U2F) authentication.

FIDO2 is the term for FIDO Alliance’s newest set of specifications. FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments. The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).

The FIDO Alliance publicly launched early in 2013 with six member companies. Since then, the Alliance has grown to include over 250 members worldwide. FIDO website: FIDO Alliance: Reducing Reliance on Passwords.

During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user inserting a uTrust FIDO2 Security Key or pressing the NFC button on the security key.

The FIDO Alliance developed its FIDO2 specifications with the W3C to enable FIDO authentication capabilities to be built into a wider array of devices, platforms, and web browsers. FIDO2 is currently supported in Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari (MacOS) web browsers, as well as Windows and Android platforms.

A security key is a physical device that you can use instead of your username and password to authenticate to FIDO-compatible applications. Since it is used in addition to a PIN, even if someone has your security key, they will not be able to sign in without the PIN that you registered on the key.

Yes. uTrust FIDO2 Security Keys support FIDO U2F and FIDO2. We can also support PIV and TOTP/HOTP protocols.

See https://www.hirschsecure.com/fido-listing and be sure to check back, as we are continually adding applications to the list.

Yes. All uTrust FIDO2 Security Keys support both USB (contact) and NFC (contactless) authentication.

FIDO takes a “lightweight” approach to asymmetric public-key cryptography, which offers service providers a way to extend the security benefits of public-key cryptography to a wider array of applications, domains and devices — especially where traditional PKI has proven difficult or impossible. FIDO is not a replacement for PKI but rather complements it, enabling a greater number of users and applications to be protected using asymmetric encryption. This is especially important in situations where the alternative has been username and password.

No. FIDO Alliance only specifies standards for strong authentication and tests implementations for compliance to those standards; the Alliance does not provide services or equip devices or sites. Device manufacturers, online service providers, enterprises, and developers use the FIDO specifications to build products, provide services, and enable sites and browsers with FIDO authentication. Under FIDO specifications, the user’s credentials must remain on the user’s device and they are never shared with a provider or service.

No. This type of information exchange is prevented with FIDO authentication. Each device/website pairing requires separate registration and a separate cryptographic key pair. Once registered, a user can easily authenticate to multiple sites from the same device, yet each site has no knowledge of the user interactions with other sites. FIDO does not introduce any new tracking mechanism that could be used to correlate user activity online.

Unlike current password-based authentication models that have proven vulnerable to mass-scale attacks and fraud, FIDO authentication credentials are never shared or stored in centralized databases. FIDO credentials are known and maintained only by the user’s own device. All that is ever stored by the service provider are the public keys paired to the user’s device where the private keys are stored. This security model eliminates the risks of phishing, all forms of password theft, and replay attacks. A would-be attacker would need the user’s physical device to even attempt a hack (see below for more information). The password ecosystem has afforded attackers with great return on investment with relatively limited risk; the FIDO ecosystem is far more difficult, expensive, and risky for attackers to profit from.

No. In order to break into an account, the criminal would need not only the user’s device that was registered as a FIDO authenticator to the account but also the ability to defeat the user identification challenge used by the authenticator to protect the private keys, such as a username and PIN or a biometric. This makes it extremely difficult to break into a FIDO-enabled account.

If you have already purchased a uTrust FIDO2 Security Key, setting up and using your new security key for web-based FIDO2 authentication is as easy as 1-2-3. Get Started

You can find the list here: https://www.hirschsecure.com/fido-listing


🔐 FIDO2 Related FAQs

More FIDO2-specific end-user information and guidance on how to register, use, and troubleshoot FIDO keys across platforms.

Learn more about the applications and tools available for your FIDO2 hardware in our Knowledge Base, where details vary by the specific model purchased.

FIDO2 Cards and Security Keys deliver the same FIDO2/WebAuthn authentication functionality. Both enable secure, passwordless login experiences — the primary difference lies in their form factor and enterprise integration.

FIDO U2F is the older of the two FIDO standards (2014), developed by the FIDO Alliance. FIDO U2F is a second factor of authentication: U2F stands for Universal 2nd Factor. This method enables the user to access an IT resource (a computer, smartphone, website, application, etc.) after presenting two separate proofs of identity to an authentication mechanism. This is a two-factor authentication (2FA) method, also called double authentication.

FIDO2 is a more recent authentication method (end 2019). It replaces the login/password pair + second authentication factor with a PIN code, more secure than a password. The PIN code is not transmitted to online services. It is stored locally on the security key. In the case of the security key, you will need to insert it into your device's USB port, enter your PIN code and press the key's button to authenticate yourself.

  1. Go to Windows settings and click on “Accounts”.

  2. Click on “Connection options”.

  3. Select “Security key” and click on “Manage”.

  4. Insert your security key into the USB port and touch the button of your security key.

  5. At the top of the window that appears, in the box dedicated to “Security key PIN”, click on “Add”, then follow the instructions.

Alternatively, you can use the Hirsch uTrustKeyManager Tool: uTrust Key Manager Software - Hirsch

WebAuthn defines how websites and browsers request and use credentials, while CTAP 2.1 defines how browsers/OS talk to authenticators (like keys or biometrics). Together, they enable secure, phishing-resistant logins.

FIDO2 keys can be used with NFC protocol when paired with a contactless reader.

Passwordless login is achieved by proving possession of the unique private key in the security key. This private key is what proves the user identity to the application in use.

Platform authenticators are built into the client device (e.g., fingerprint sensor), while roaming authenticators are external devices (e.g., USB security keys) that connect to the client device.

The Relying Party is the application or service that requests authentication and relies on the credentials provided by the authenticator via the WebAuthn API.

CTAP defines how a client device communicates with authenticators to perform operations like key creation and assertion generation.

The WebAuthn API enables applications to interact with authenticators, such as Windows Hello or FIDO2 security keys, to perform passwordless authentication on Windows devices.

NFC/NFC+ model supports CTAP 2.0.

GOV model supports CTAP 2.1.

CTAP 2.1 builds on 2.0 by adding stronger PIN enforcement, enterprise attestation, improved discoverable credential handling (passkeys), and better user verification control, making it more secure and enterprise friendly.

CTAP2.0 Spec: FIDO Technical Glossary

CTAP2.1 Spec: Client to Authenticator Protocol (CTAP)

UV is a process that ensures the person using the authenticator is the legitimate user. It typically involves a PIN or pattern stored securely on the authenticator.

  1. User Presence (UP): Confirms someone touched or activated the device—simple confirmation.

  2. User Verification (UV): Authenticates the user’s identity via PIN or biometrics, providing stronger security.

Not always. UV can be optional or required, depending on the relying party’s policy. CTAP 2.1 allows authenticators to enforce UV consistently across operations.

It ensures that even if a phishing site tricks a user, the authenticator won’t release a valid assertion to the wrong origin.

FIDO2 keys do not store passkeys in a transferable way between devices. Each key generates its own unique key pair for each account (per the FIDO standard). If a user wants multiple keys for the same account, you must register each key separately with the service. Passkeys on a FIDO2 security key cannot be directly stored in Samsung Vault because they reside securely on the key itself. Samsung Vault is for device-stored credentials; FIDO2 keys are external hardware authenticators, and the private keys never leave the device.

NFC FIDO refers to FIDO2 security keys that use Near Field Communication (NFC) to communicate wirelessly with compatible devices, such as smartphones, tablets, or laptops. Instead of plugging the key into a USB port, the user simply taps the key against the NFC-enabled device to authenticate.

Yes, your FIDO2 security key is cross-platform compatible. FIDO2 credentials are tied to the specific account rather than the operating system. As long as the service or website supports FIDO2/WebAuthn on macOS, you can use the same key to authenticate. You may need to register the key with the service again on the new device if the platform enforces device-specific credential registration.

Device-bound passkeys: These are stored only on a single device. They cannot be accessed or used from other devices unless the key itself is physically present. This provides strong security, as the credentials never leave the device.

Synced passkeys: These are synchronized across multiple devices (e.g., via iCloud Keychain, Google Password Manager, or similar services). They allow you to use your passkey on any linked device without re-registering, but the credentials are stored in a way that enables cloud syncing.

uTrust FIDO2 Security Keys use device-bound passkeys, which maximize local security, while synced passkeys prioritize convenience across devices.

  • The security key is a physical hardware device used for authentication. The user decides which application they want to use. uTrust security key offers three authentication methods: OTP, PIV and FIDO.

  • Passkey is authentication specific to FIDO2. This enables a passwordless authentication for a user.

Yes. A uTrust FIDO2 Key can be used to create passkeys when registering with services that support FIDO2/WebAuthn. During registration, the key generates a unique public-private key pair for the account. The private key stays securely on the key, while the public key is shared with the service. This ensures a secure, phishing-resistant passwordless login.

A passkey is a digital credential based on the FIDO2/WebAuthn standard that allows secure, passwordless authentication. It consists of a public-private key pair, where the private key stays securely on your device or security key, and the public key is stored with the service.

More on passkey: Passkeys: Passwordless Authentication | FIDO Alliance

  1. navigator.credentials.create() → For registration (new credential).

  2. navigator.credentials.get() → For authentication (assertion request).

Both rely on the PublicKeyCredential interface defined in the spec (Web Authentication: An API for accessing Public Key Credentials - Level 2).

  1. Discoverable (resident) credentials: Stored inside the authenticator, allowing username-less login.

  2. Server-side credentials: Stored by the server, requiring credential IDs during login.

Each credential is an asymmetric key pair. The private key never leaves the authenticator, guaranteeing hardware-backed security.

Credentials are bound to a Relying Party ID (RP ID) and the web origin. This ensures a credential created for example.com cannot be used on attacker.com.

Attestation in WebAuthn is a cryptographic process used during credential creation to prove the origin and integrity of the authenticator and the credential it generates. This is done by including an attestation statement within the attestation object, which is signed by a device-specific or manufacturer-level attestation key (Web Authentication: An API for accessing Public Key Credentials - Level 2).

The attestation object includes two key parts:

  1. authData, which contains authenticator-specific data including the AAGUID (Authenticator Attestation GUID), credential ID, public key, etc.

  2. attStmt (the attestation statement), which is a signature over authData and client data by the authenticator's attestation key.

The AAGUID is an identifier that uniquely denotes the authenticator’s make and model, not any individual device instance. It allows relying parties (RPs) to categorize the type of authenticator being used (White Paper: FIDO Attestation: Enhancing Trust, Privacy, and Interoperability in Passwordless Authentication | FIDO Alliance).

In short:

  • Attestation provides cryptographic assurance that credentials originate from a genuine authenticator.

  • AAGUID helps identify the authenticator model and informs policy decisions but must be backed by correct attestation validation to ensure security integrity.
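As an added illustration (not part of this FAQ or of the uTrust software) of how a relying party reads the authData described above, checks the UP/UV flags and the RP ID binding, and extracts the AAGUID and credential public key: the minimal CBOR decoder and the sample authData are constructed here, and `example.com` is a placeholder RP ID. Origin verification (from clientDataJSON) and attStmt signature checking are outside this block.

```python
import hashlib

# Flag bits of the authData flags byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_AT = 0x40  # Attested credential data included


def _cbor_decode(buf: bytes, pos: int = 0):
    """Minimal CBOR decoder (ints, byte strings, maps), enough for a COSE
    EC2 public key. Returns (value, position after the value)."""
    head, pos = buf[pos], pos + 1
    major, info = head >> 5, head & 0x1F
    if info < 24:
        arg = info
    elif info == 24:
        arg, pos = buf[pos], pos + 1
    elif info == 25:
        arg, pos = int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = _cbor_decode(buf, pos)
            result[key], pos = _cbor_decode(buf, pos)
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")


def build_auth_data(rp_id: str, flags: int, sign_count: int, aaguid: bytes,
                    cred_id: bytes, x: bytes, y: bytes) -> bytes:
    """Assemble authData with attested credential data; used only to build
    sample input. The COSE key is the hand-encoded CBOR map
    {1: 2, 3: -7, -1: 1, -2: x, -3: y} (EC2 key, ES256, P-256 curve)."""
    cose_key = (b"\xa5\x01\x02\x03\x26\x20\x01" + b"\x21\x58\x20" + x
                + b"\x22\x58\x20" + y)
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + sign_count.to_bytes(4, "big") + aaguid
            + len(cred_id).to_bytes(2, "big") + cred_id + cose_key)


def parse_auth_data(auth_data: bytes) -> dict:
    """Split authData into rpIdHash, flags, signCount and, when AT is set,
    the AAGUID, credential ID and COSE public key."""
    if len(auth_data) < 37:
        raise ValueError("authData shorter than the fixed 37-byte header")
    flags = auth_data[32]
    out = {"rp_id_hash": auth_data[:32],
           "up": bool(flags & FLAG_UP), "uv": bool(flags & FLAG_UV),
           "at": bool(flags & FLAG_AT),
           "sign_count": int.from_bytes(auth_data[33:37], "big")}
    if out["at"]:
        out["aaguid"] = auth_data[37:53]
        cred_len = int.from_bytes(auth_data[53:55], "big")
        out["credential_id"] = auth_data[55:55 + cred_len]
        out["cose_key"], _ = _cbor_decode(auth_data, 55 + cred_len)
    return out


def check_registration(auth_data: bytes, expected_rp_id: str,
                       require_uv: bool) -> dict:
    """RP-side checks on authData from navigator.credentials.create().
    Raises ValueError on failure. Origin (clientDataJSON) and attStmt
    verification happen elsewhere, so the AAGUID returned here is only a
    claim until the attestation statement has been validated."""
    parsed = parse_auth_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not parsed["up"]:
        raise ValueError("user presence (UP) flag not set")
    if require_uv and not parsed["uv"]:
        raise ValueError("user verification (UV) required but flag not set")
    if not parsed["at"]:
        raise ValueError("no attested credential data in registration")
    key = parsed["cose_key"]
    if (key.get(1), key.get(3), key.get(-1)) != (2, -7, 1):
        raise ValueError("expected an EC2 P-256 key with alg ES256 (-7)")
    return parsed


# Constructed sample values; the AAGUID is a placeholder, not a real model ID.
SAMPLE_AAGUID = bytes.fromhex("11111111222233334444555555555555")
SAMPLE_CRED_ID = bytes(range(16))
SAMPLE_X, SAMPLE_Y = bytes([0xAA] * 32), bytes([0xBB] * 32)
SAMPLE_AUTH_DATA = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT, 0,
                                   SAMPLE_AAGUID, SAMPLE_CRED_ID, SAMPLE_X, SAMPLE_Y)

if __name__ == "__main__":
    info = check_registration(SAMPLE_AUTH_DATA, "example.com", require_uv=True)
    print("claimed AAGUID:", info["aaguid"].hex(), "UV:", info["uv"])
```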

During login, select the option for Security Key, Passkey, or FIDO2 Authentication.

Insert or connect your key, then complete the required user action—such as touching the key or PIN prompt.

Reference: Register a passkey (FIDO2) with a FIDO2 security key - Microsoft Entra ID | Microsoft Learn

During registration, services may prompt you to set a PIN when User Verification (UV) is enforced.

It is good practice to set up the user PIN when you have received your new FIDO2 keys; this can be done through the Hirsch uTrustKeyManager Tool: uTrust Key Manager Software - Hirsch

Common errors like "Looks like your browser is not compatible with WebAuthn" or timeouts typically indicate browser or connectivity issues.

Try switching to supported browsers like Chrome, Firefox, Edge, or Safari.

If the system doesn’t recognize your key (“Doesn’t look familiar” or “Found no credentials”), you may need to register it first.

Time-outs often mean you didn’t interact (touch or insert the key) quickly enough during the prompt.

Other causes may involve device or network connectivity.

  1. Make sure the key is inserted correctly (not upside down for USB-A) and that the port works.

  2. A flash or no LED can signal a power or hardware issue—test on another port or device.

  3. Alternatively, check with the Hirsch uTrustKeyManager Tool to confirm the key’s FIDO2 support, model, and firmware.

uTrustKeyManager Tool Download: uTrust Key Manager Software - Hirsch

  • Security Key Not Recognized –

    • Cause: Key not inserted properly, driver issues, or unsupported protocol.

    • Fix: Reinsert the key, check for firmware updates, or try a different port.

  • User Verification Failure –

    • Cause: Incorrect PIN or user didn’t touch the key.

    • Fix: Retry with correct PIN or biometric; ensure touch is performed.

  • Duplicate Credential Error –

    • Cause: Trying to register the same key multiple times for the same account.

    • Fix: Remove the old credential or use a different key.

  • Timeouts –

    • Cause: User takes too long to respond or touch the key.

    • Fix: Retry quickly and ensure the key is ready.


🛂 PIV Related FAQs

End-user questions on how to use the key for login, PIN management, and certificate management.

Learn more about the applications and tools available for your FIDO2 hardware in our Knowledge Base, where details vary by the specific model purchased.

Insert your PIV smart card or compatible token into a reader. Enter your PIV PIN when your system prompts for it.

Hirsch uTrust Products that support PIV:

  1. NFC+

  2. GOV

Use uTrust KeyManagerTool (supports NFC+ and GOV) or your organization’s PIV software. These allow changing PIN, PUK, and management key—commonly enforced during initiation.

uTrust KeyManagerTool: uTrust Key Manager Software - Hirsch

The PIV application becomes blocked, preventing further PIN-based operations until it's unblocked with the PUK.

  • PIN retry count: 6 

  • PUK retry count: 6  

You can find more on PIN and PUK here: uTrust Key Manager Software User Manual

Expired certificates typically require visiting your issuer’s office or lifecycle workstation for renewal or re-issuance.

  1. Reinsert and ensure proper orientation.

  2. Try a different reader.

  3. For Windows, ensure PIV drivers or middleware are installed.

  4. If unresolved, contact your issuing office or help desk.

Begin the re-registration process via your service portal. It may involve verifying your identity through a one-time code or email before linking to your account.

More info: How to Handle a Re-issued PIV or CAC Card

PIV is a smart-card-based credential widely used by U.S. federal agencies for both physical and logical access, supporting authentication, digital signing, and encryption based on PKI.

Report it immediately so that access can be deactivated and certificates wiped remotely; a temporary badge is typically issued.

Try reinserting the card, using a different reader, or contacting the badging office for assistance.

  1. Smart Card is blocked: This occurs after too many incorrect PIN attempts. You’ll need to visit a badging office (e.g., CMS) to reset your PIN.

  2. System cannot log you on: Often appears when the system lacks sufficient information to validate your PIV authentication certificate. Contact IT support.

Currently, it doesn’t support FIDO2/PIV card. If you are interested in testing out the PIV certificate loading, you can use Hirsch uTrust Mini Driver: hirschsecure.com/utrust-minidriver


🔢 OTP Related FAQs

End-user questions on OTP with uTrust FIDO2 security keys, focused on setting up HOTP and general knowledge.

Learn more about the applications and tools available for your FIDO2 hardware in our Knowledge Base, where details vary by the specific model purchased.

HOTP tokens don’t rely on time synchronization, making them faster and more reliable for methods like SMS or email where time delays are unpredictable.

Use uTrust KeyManagerTool to configure:

  • Applications → Select OTP → Enter OTP Secret Key → Click Finish

Your uTrust FIDO2 key is now configured to be used as an HOTP device.

Hirsch uTrust KeyManagerTool: uTrust Key Manager Software - Hirsch

  1. No expiration: OTP remains valid until used, increasing exposure risk.

  2. Counter desynchronization: Missed validations may shift counters out of sync.

HOTP is event-based (the counter increments per event), while TOTP is time-based: the OTP changes every set interval (e.g., 30 seconds).

It uses a shared secret key plus a counter value. The HMAC of the key and counter is truncated to produce a 6- to 8-digit OTP, according to RFC 4226.

RFC4226: RFC 4226: HOTP: An HMAC-Based One-Time Password Algorithm

HOTP means HMAC-based One-Time Password and is a part of the Open Authentication (OATH) initiative.

More info on OATH: Specifications & Technical Resources | OATH Universal Authentication

uTrust FIDO2 security keys come with HOTP support straight out of the box.

Once your uTrust FIDO2 security key is touched, you should notice that on each touch it outputs a 6-digit number.

For example:
755224
287082
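The two codes above are the first two RFC 4226 Appendix D test vectors (secret `12345678901234567890`, counters 0 and 1). As an added example, not from this FAQ or from the uTrust tools, the block below computes HOTP exactly as RFC 4226 describes (HMAC-SHA-1, dynamic truncation, modulo 10^digits) and shows how a server handles the counter desynchronization and no-expiry points raised earlier with a look-ahead window; the secret is the RFC test key, not a real seed.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (the ASCII string "12345678901234567890").
# Published test-vector key only; a real seed comes from the service.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation, then reduction modulo 10^digits, zero-padded."""
    if not 6 <= digits <= 8:
        raise ValueError("RFC 4226 HOTP values are 6 to 8 digits")
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects the offset
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, submitted: str, server_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Server-side check with a look-ahead window (RFC 4226 section 7.4).

    The key increments its counter on every touch even when the code is
    never submitted, so the server tries server_counter .. +look_ahead.
    Returns the next counter to store on success, or None. Because the
    server only ever moves forward, an already used code is rejected even
    though HOTP values never expire on their own."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c + 1
    return None


if __name__ == "__main__":
    print(hotp(RFC4226_SECRET, 0), hotp(RFC4226_SECRET, 1))  # 755224 287082
    # Two unsubmitted touches desynchronize the key; the window resyncs it.
    server = verify_hotp(RFC4226_SECRET, hotp(RFC4226_SECRET, 2), 0)
    print("next server counter:", server)                    # 3
    print("replay accepted?", verify_hotp(RFC4226_SECRET, "755224", server))  # None
```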

The HOTP seed (or secret key) is a critical piece of information that allows your device or app to generate one-time passwords that match the server’s authentication system. You cannot create it yourself—it must come from the service or organization where you’re enabling HOTP authentication.

Alternatively, if you are purchasing from Hirsch, we can provide you with the HOTP secret or seed.

Contact Sales: Contact Hirsch to Speak to an Expert Today

The default configuration is 6-digit HOTP. This means the security key is configured to the HOTP standard and generates a 6-digit security code.


✉️ PGP Related FAQs

End-user questions on managing and configuring PGP keys on uTrust FIDO2 GOV keys.

Learn more about the applications and tools available for your FIDO2 hardware in our Knowledge Base, where details vary by the specific model purchased.

Related Tools:

The public key encrypts messages and verifies signatures, while the private key decrypts messages and creates signatures.

Use GnuPG to generate a key pair and then transfer the subkeys to your uTrust GOV key for secure storage.

Use your PGP tool or email client to export your public key, which you can then share with others.

You need to revoke your public key and notify other users that this key is no longer valid.

More info: gnupg - How the correct way to revoke GPG on key server? - Stack Overflow

uTrust GOV keys can store PGP keys securely, allowing for encryption and decryption operations.

PGP is used for email encryption and signing, while PIV (Personal Identity Verification) is primarily for authentication purposes.

uTrust GOV security keys support OpenPGP applets, allowing for the storage and management of PGP keys for encryption and signing tasks.
You can use the GnuPG tool to import keys to uTrust GOV security keys.

Yes, uTrust GOV security keys use a secure element to store private keys, making them resistant to extraction and unauthorized access.

It's recommended to generate the private key externally and then transfer subkeys to the uTrust GOV key to facilitate backups.

Use tools like GPG Suite to configure uTrust GOV Keys for PGP encryption on macOS systems.

No, you will have to use GnuPG tool suite for using PGP on uTrust GOV Keys.

No, uTrust KeyManagerTool only supports FIDO, PIV and OTP applets.

Your PGP private key never leaves the secure element. A secure element is a tamper-resistant microchip embedded in the hardware key.

  • User PIN retry count: 3

  • Admin PIN retry count: 3

The PGP PIN can be blocked. This happens when the wrong value is entered too many times in a row.  

When a PIN is blocked, you cannot perform any operations that require the user PIN (e.g., signing or decrypting).

While PGP is designed for encrypting emails and files, technically, you could encrypt any text, including a Wi-Fi password. However, it's not the intended use, and there are more straightforward methods for securing your Wi-Fi credentials.

uTrust FIDO2 GOV keys support PGP.