WebAuthn/FIDO2 Error — Passkey and Security Key Authentication Failures
About WebAuthn/FIDO2 Error
Fix WebAuthn and FIDO2 authentication errors when passkeys, security keys, or biometric authentication fail during website login. This guide covers common causes, step-by-step solutions, and answers to frequently asked questions.
This article is part of our Browser Errors collection on Error Codes Wiki.
Quick Answer
What is the difference between passkeys and security keys?
Passkeys are FIDO2 credentials that sync across devices via a cloud provider (iCloud, Google). Security keys are physical devices (YubiKey, Titan) that store credentials locally on the hardware. Passkeys are more convenient; security keys are more secure.
Key Details
- WebAuthn (Web Authentication) is the browser API for passwordless login using FIDO2 credentials
- It supports passkeys (synced), platform authenticators (fingerprint, face), and roaming authenticators (USB keys)
- Passkeys sync across devices via iCloud Keychain (Apple), Google Password Manager, or Windows Hello
- WebAuthn requires HTTPS and the relying party ID (domain) must match the website domain
- Browser support: Chrome 67+, Firefox 60+, Safari 14+, Edge 18+ — but feature levels vary
Common Causes
- Relying party ID (rpId) does not match the website domain or a valid subdomain
- User cancelled the authenticator prompt or biometric check failed
- Security key not supported — wrong protocol (FIDO U2F instead of FIDO2) or unsupported transport
- Passkey created on a different device and not yet synced to the current device
Steps
1. Check the error type: NotAllowedError (user cancelled), InvalidStateError (credential exists), SecurityError (domain mismatch)
2. Verify rpId matches the website domain: rpId 'example.com' works on example.com and sub.example.com
3. For passkeys: ensure the user's passkey provider (iCloud, Google) is synced on the current device
4. For security keys: ensure the key supports FIDO2/WebAuthn (not just FIDO U2F for some operations)
5. Provide fallback authentication (password, OTP) when WebAuthn fails
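
Steps 1, 2 and 5 combined into client-side triage code. This is an added example, not code from this page or from any WebAuthn library; the helper names (rpIdMatchesOrigin, diagnose, signIn) and the retry policy are assumptions made for illustration.

```javascript
// Step 2: rpId must equal the page's host or be a parent domain of it,
// and the page must be served from a secure context.
function rpIdMatchesOrigin(rpId, origin) {
  const { protocol, hostname } = new URL(origin);
  const host = hostname.toLowerCase();
  const id = String(rpId).toLowerCase();
  // Browsers also treat http://localhost as a secure context.
  if (protocol !== 'https:' && host !== 'localhost') return false;
  // Crude stand-in for the browser's public-suffix check (assumption):
  // a bare TLD such as "com" is never accepted as an rpId.
  if (!id.includes('.') && id !== 'localhost') return false;
  // The leading dot stops "notexample.com" from matching "example.com".
  return host === id || host.endsWith('.' + id);
}

// Step 1: map the DOMException name to the causes listed on this page.
const CAUSES = {
  NotAllowedError: 'user cancelled the prompt or the biometric check failed',
  InvalidStateError: 'credential exists',
  SecurityError: 'rpId does not match the website domain',
};

function diagnose(errorName, rpId, origin) {
  // A bad rpId explains the failure regardless of the reported name.
  if (!rpIdMatchesOrigin(rpId, origin)) {
    return { cause: CAUSES.SecurityError, retry: false, fallback: true };
  }
  const cause = Object.hasOwn(CAUSES, errorName)
    ? CAUSES[errorName]
    : 'unrecognised error: ' + errorName;
  // Assumed policy: a cancelled prompt may be retried; fallback is always offered.
  return { cause, retry: errorName === 'NotAllowedError', fallback: true };
}

// Step 5: wrap the browser call so every failure ends in a fallback decision.
async function signIn(publicKey, origin = window.location.origin) {
  try {
    const credential = await navigator.credentials.get({ publicKey });
    return { ok: true, credential };
  } catch (err) {
    // rpId is optional in the request; it defaults to the page's own host.
    const rpId = publicKey.rpId ?? new URL(origin).hostname;
    return { ok: false, ...diagnose(err.name, rpId, origin) };
  }
}
```

Call signIn from the login page and show the password or OTP form whenever the result has fallback set; logging the cause string server-side makes rpId misconfigurations visible after a domain change.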