implementing-hardware-security-key-authentication

# Implementing Hardware Security Key Authentication ## When to Use - Deploying phishing-resistant multi-factor authentication (MFA) using FIDO2 hardware security keys for high-value accounts (administrators, developers, privileged users) - Building a WebAuthn relying party server that supports both roaming authenticators (USB/NFC security keys) and platform authenticators (Windows Hello, Touch ID, Android biometrics) - Migrating an existing password-based authentication system to support passkeys (discoverable credentials) as a primary or secondary authentication factor - Enrolling YubiKey devices for an organization's workforce, including PIN setup, credential registration, and backup key provisioning - Implementing passwordless authentication flows that comply with NIST SP 800-63B AAL3 (authenticator assurance level 3) requirements **Do not use** without HTTPS in production (WebAuthn requires a secure origin), for systems where users cannot physically access a USB/NFC port, or as the sole authentication factor without a recovery mechanism for lost keys. ## Prerequisites - Python 3.10+ with `fido2` (python-fido2 >= 2.0.0), `flask`, and `cryptography` libraries installed - HTTPS-enabled web server (WebAuthn API requires secure context; localhost is exempt for development) - FIDO2-compatible hardware security key (YubiKey 5 Series, SoloKeys, Titan Security Key) or platform authenticator - Modern web browser supporting the WebAuthn API (Chrome 67+, Firefox 60+, Safari 14+,...