FIDO, FIDO2, WebAuthn, passkeys, and security keys are all related but distinct terms. These terms get used interchangeably, and often in the wrong context. Frankly, the naming around passkeys is a bit of a mess. The terms come from different places: a standards body, a web standards organisation, and consumer-facing marketing from platform vendors. That's why they don't map onto each other cleanly, and it leaves the people who just want passkeys on their site confused. Don't feel bad; you're not alone. Here is a quick guide to help you understand what each term means.
The FIDO Alliance is the industry consortium behind the standards. It was founded in July 2012 by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio; Google, Yubico, and others joined in 2013. FIDO stands for Fast IDentity Online, a name that also nods to the Latin fidus (faithful, trustworthy), the same root as the dog name Fido. The Alliance publishes specifications and certifies devices. It's not a product or protocol; it's the organisation that created everything else on this list.
FIDO2 is the current generation of FIDO standards, published in 2018. It covers both the browser API (WebAuthn) and the protocol for communicating with hardware authenticators. When someone says a site "supports FIDO2", they mean it can accept credentials created via this standard.
WebAuthn is the browser-facing part of FIDO2, written by the W3C. It defines the JavaScript API (navigator.credentials.create() and navigator.credentials.get()) that web apps use to register and verify credentials. If you're implementing passkey auth in a web app, WebAuthn is what you're coding against.
A security key is a hardware device that generates and stores cryptographic key pairs on-device. The private key never leaves the hardware. Depending on how a site is configured, it can function as a second factor or as a passwordless credential. People often use "YubiKey" as shorthand for any security key, but YubiKey is a product made by Yubico; other brands exist, like Google's Titan Security Key.
Passkey is the name for a credential that lets you authenticate without a password. It uses FIDO2 as the underlying standard, and WebAuthn to interact with the browser. The term was introduced in 2022 by Apple, Google, and Microsoft and adopted by the FIDO Alliance as the common consumer-facing name for this kind of credential.
A passkey can be stored in several places: a platform credential manager like iCloud Keychain, Google Password Manager, or Windows Hello; a third-party password manager like 1Password or Bitwarden; or a physical hardware security key. The credential works the same way regardless of where it lives; the difference is portability. A passkey in iCloud Keychain is available on all your Apple devices. A passkey on a hardware key stays on that device.
Adding passkeys to your app
Implementing WebAuthn from scratch involves credential storage, challenge generation, signature verification, and more. Several services exist to handle this for you. PlainKey is one of them: it stores passkeys, manages the cryptographic plumbing, and exposes a simple API so you can add passkey support to your app without building or maintaining the underlying infrastructure yourself.
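To show what the challenge generation and signature verification steps involve on the server, here is an added example in Node.js; it is not PlainKey's code or API, and not code from the original article. It assumes an ES256 (P-256) credential, and the function names, the `expected` object, and the `app.example` origin are hypothetical; the browser and authenticator are simulated with constructed data so it runs offline.

```javascript
// Added example: server-side checks for a WebAuthn assertion (ES256 only).
// Load node:crypto whether this file runs as CommonJS or as an ES module.
const crypto = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// A fresh random challenge per ceremony; the server stores it and accepts it once.
const newChallenge = () => crypto.randomBytes(32).toString("base64url");

// Returns "ok" or the reason the assertion is rejected.
// `expected` = { challenge, origin, rpId } (hypothetical names for server-side state).
function verifyAssertion({ clientDataJSON, authenticatorData, signature }, publicKey, expected) {
  const client = JSON.parse(clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong ceremony type";
  if (client.challenge !== expected.challenge) return "challenge mismatch";
  if (client.origin !== expected.origin) return "origin mismatch";
  if (authenticatorData.length < 37) return "authenticator data too short";
  // authenticatorData = SHA-256(rpId) (32 bytes) | flags (1) | signCount (4) | ...
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpId hash mismatch";
  if ((authenticatorData[32] & 0x01) === 0) return "user presence flag not set";
  // The authenticator signs authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, signature) ? "ok" : "bad signature";
}

// Constructed stand-in for the browser + authenticator, so the example runs offline.
function simulateAssertion(privateKey, { challenge, origin, rpId }) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x01, 0, 0, 0, 1])]);
  const signature = crypto.sign("sha256", Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const expected = { challenge: newChallenge(), origin: "https://app.example", rpId: "app.example" };
  const good = simulateAssertion(privateKey, expected);
  const wrongOrigin = simulateAssertion(privateKey, { ...expected, origin: "https://other.example" });
  const tampered = { ...good, authenticatorData: Buffer.from(good.authenticatorData) };
  tampered.authenticatorData[36] ^= 0xff; // alter signCount after signing
  return {
    good: verifyAssertion(good, publicKey, expected),
    staleChallenge: verifyAssertion(good, publicKey, { ...expected, challenge: newChallenge() }),
    wrongOrigin: verifyAssertion(wrongOrigin, publicKey, expected),
    tampered: verifyAssertion(tampered, publicKey, expected),
  };
}
console.log(demo());
```

A production verifier also tracks the signature counter, looks up the public key by credential ID, and handles algorithms other than ES256, which is part of the "and more" mentioned above.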