Security keys

Security keys are cryptographically protected credentials. AGOV only permits those with non-extractable hardware binding. They are stored either on an external device (e.g. a FIDO2 USB stick) or as so-called hardware-bound passkeys on the secure chip of the end device. Such security keys can be used via the WebAuthn standard for secure authentication in web applications.

General information

What does FIDO stand for and where are FIDO security keys used?

FIDO stands for Fast IDentity Online. It is a set of open, licence-free standards and protocols from the FIDO Alliance for secure and user-friendly online authentication. There are various types of FIDO implementations, including FIDO U2F (Universal Second Factor) and FIDO2, which are widely used in modern web browsers and platforms. The protocols enable password-free, phishing-resistant two-factor authentication based on public key cryptography.

Why do we support the use of security keys (FIDO2)?

If you want or need to work with AGOV without a smartphone, security keys are the alternative to the AGOV access app. This also applies to people whose smartphones do not support the AGOV access app (wrong operating system, outdated device, hardware without security elements, unauthorised modification due to rooting or jailbreak).

AGOV uses security keys as a very secure form of two-factor authentication. The physical key is the first factor, while the PIN or biometric verification is the second factor for key usage. In addition, we recommend that all users of the AGOV access app link a security key to their AGOV account. You can do this at . In this way, you ensure that you retain access to AGOV if you lose the recovery code and your smartphone is defective or lost, or if a smartphone change has not been carried out correctly (simply transferring the app is not sufficient for this; please consult Tips for AGOV users). Even if you have the recovery code, additional login factors such as security keys are useful, as a new identity check needs to be carried out in AGOV if only the recovery code is used.

Why does AGOV only support FIDO2 security keys with Level 2 certification or higher?

AGOV enforces strict requirements for authentication security – especially when accessing government online services that require high protection. For logins at the “high” level of assurance (Level of Assurance 3, LOA3), mandatory requirements apply in accordance with ICT directive Si001 – ICT Baseline Protection in the Federal Administration.
  • What does FIDO2 Level 2 (L2) mean and why is it required?
    FIDO2 Level 2 (L2) is a certified security level that imposes additional requirements for protecting sensitive authentication data. Unlike Level 1, L2-compliant security keys must include a dedicated secure element. This secure element protects cryptographic material from both physical and software-based attacks - even if the end device is compromised. Only with this demonstrably robust protection does an authenticator meet the conditions for use in the federal administration context at the “high” level of assurance (LOA3).
  • Why is a FIDO2 Level 1 key not sufficient?
    FIDO2 Level 1 also permits purely software-based authenticators or devices without specific hardware protection. These provide basic protection, but no verified defence against attacks from within the same system context (e.g. on a compromised operating system). In accordance with the ICT directives, AGOV explicitly requires certified hardware protection, such as that provided by FIDO2 Level 2 or higher.
  • What about open-source security keys without certification?
    Security keys such as the Nitrokey 3A mini may technically meet high security standards. However, without formal certification, the required official proof is missing. For AGOV, FIDO certification is a prerequisite, as it documents compliance with the security requirements in a traceable and standardised manner. Not certified does not automatically mean insecure, but it does mean: not evaluated according to AGOV's mandatory criteria.
Summary

Criterion                          | FIDO2 Level 1              | FIDO2 Level 2 (AGOV requirement)
Protection of authentication data  | optional / software-based  | hardware-based (secure element)
FIDO2 certification                | yes, basic level           | yes, with enhanced protection profile
Approved for use in AGOV           | no                         | yes

Why don’t synchronizable passkeys work with AGOV?

Passkeys are a modern and secure method for passwordless authentication, where a cryptographic key is stored on the user’s device.

However, for security and regulatory reasons, AGOV only allows cryptographic keys that are stored locally on a security chip*, for example on a FIDO2 security key or directly on the device itself.

Passkeys that are synchronized across multiple devices via cloud services such as iCloud or Google are considered less trustworthy, as they can potentially be exported. To ensure the origin and integrity of the keys at all times, AGOV only accepts hardware-bound keys that cannot be transferred, exported, or synchronized. The AGOV access app and the swiyu app for the Swiss e-ID already fully meet these requirements.

* By “security chip” we refer to dedicated, non-exportable storage units for keys, such as Trusted Platform Modules (TPM), Apple’s Secure Enclave, Google’s Titan M, or the security modules used in FIDO2 security keys.

Where can I get a security key and at what cost?

Security keys (FIDO2) should be purchased by the end users themselves from electronics retailers. Depending on the manufacturer and type (connection type, PIN, biometric), these cost between CHF 20 and CHF 120.

Why does my security key (FIDO2) not always work on Mac?

Apple only supports the FIDO2/WebAuthn standards where they fit into its ecosystem.

In practice, this leads to incompatibilities or limitations, especially when using third-party hardware or browsers. Formally, Apple adheres to the standards - but not with the openness or depth of Microsoft or Linux.

Everyday recommendations, including AGOV:
To log in with a FIDO2 security key on a macOS computer at agov.ch, we recommend using Google Chrome (or Microsoft Edge) on your Mac. These browsers provide the most reliable support for FIDO2/WebAuthn, especially when used with USB security keys or Touch ID. Firefox is not recommended, as it may be limited or malfunction when using FIDO2 on macOS. Safari also offers only limited support.

Therefore, please use Chrome for registration and login with FIDO2 on agov.ch.

Security keys that can be used in AGOV

List of compatible security keys that can be used in AGOV.

All FIDO2 security keys that meet the following filter criteria are compatible with AGOV:
  • Protocol = fido2
  • Certification = FIDO_CERTIFIED_L2
  • Key Protection = hardware
The following list is available in English only, and you must set the filter criteria above yourself.

➪ FIDO MDS Explorer (opotonniee.github.io)
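The two rules described above (rejecting synchronizable passkeys, and the MDS filter protocolFamily fido2 / hardware key protection / certification Level 2 or higher) can be enforced by a relying party at registration time. The following is an added example, not AGOV's or the FIDO Alliance's code: the MDS3 field names (metadataStatement, protocolFamily, keyProtection, statusReports) and the WebAuthn authenticatorData layout follow the public specifications, while the sample entries and AAGUIDs are constructed.

```python
def allowed_aaguids(entries):
    """AAGUIDs of MDS3 entries with protocolFamily fido2, hardware keyProtection and a
    newest status report of FIDO_CERTIFIED_L2 or higher (a later REVOKED excludes it)."""
    accepted = {"FIDO_CERTIFIED_L2", "FIDO_CERTIFIED_L2plus",
                "FIDO_CERTIFIED_L3", "FIDO_CERTIFIED_L3plus"}
    allowed = set()
    for entry in entries:
        ms = entry["metadataStatement"]
        newest = max(entry["statusReports"], key=lambda r: r["effectiveDate"])
        if (ms.get("protocolFamily") == "fido2"
                and "hardware" in ms.get("keyProtection", [])
                and newest["status"] in accepted):
            allowed.add(ms["aaguid"].lower())
    return allowed

def check_registration(auth_data, allowed):
    """Inspect WebAuthn authenticatorData from a registration response.
    Layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | ...
    Flags: UV=0x04 (PIN/biometric), BE=0x08 (backup eligible), AT=0x40 (cred data)."""
    if len(auth_data) < 55:
        return False, "authenticatorData too short"
    flags = auth_data[32]
    if not flags & 0x40:
        return False, "no attested credential data"
    if flags & 0x08:
        return False, "backup-eligible credential: synchronizable passkey"
    if not flags & 0x04:
        return False, "user verification (PIN/biometric) not performed"
    h = auth_data[37:53].hex()
    aaguid = f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"
    if aaguid not in allowed:
        return False, f"AAGUID {aaguid} is not an L2+ hardware-protected authenticator"
    return True, aaguid
# Constructed sample data: not real MDS records, not real AAGUIDs.
HW_AAGUID = "11111111-2222-3333-4444-555555555555"
SW_AAGUID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_ENTRIES = [
    {"metadataStatement": {"aaguid": HW_AAGUID, "protocolFamily": "fido2",
                           "keyProtection": ["hardware", "secure_element"]},
     "statusReports": [{"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2020-01-01"},
                       {"status": "FIDO_CERTIFIED_L2", "effectiveDate": "2021-06-01"}]},
    {"metadataStatement": {"aaguid": SW_AAGUID, "protocolFamily": "fido2",
                           "keyProtection": ["software"]},
     "statusReports": [{"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2020-01-01"}]},
]

def sample_auth_data(aaguid, flags):
    """Minimal constructed authenticatorData: zero rpIdHash, 16-byte credential id."""
    raw = bytes.fromhex(aaguid.replace("-", ""))
    return b"\x00" * 32 + bytes([flags]) + b"\x00" * 4 + raw + b"\x00\x10" + b"\x00" * 16
```

A real deployment would decode the signed MDS BLOB and verify its certificate chain before trusting the entries; the newest-report rule above is a simplification of MDS status handling.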

Disclaimer:
The listed FIDO2 security keys should be compatible with AGOV but have not been tested. The proper functioning of untested FIDO2-compatible security keys cannot be guaranteed.


Below is a list of FIDO2 security keys that have been successfully tested with AGOV so far.



Token2 T2F2-NFC-Slim

PRODUCT DESCRIPTION: Token2 T2F2-PIN+ NFC-Slim
PROTECTION: Integrated touch button with PIN
CONNECTION POSSIBILITIES: NFC, USB-A / USB Type-C
PRICE: CHF approx. 21.00
SUPPORT: FIDO2/WebAuthn, U2F and TOTP/HOTP

To find sources of supply, enter the following in the internet search engine of your choice: «Token2 T2F2-NFC-Slim»



Token2 T2F2-Bio2

PRODUCT DESCRIPTION: Token2 T2F2-Bio2
PROTECTION: Fingerprint reader with PIN
CONNECTION POSSIBILITIES: USB-A / USB-C
PRICE: CHF approx. 36.00
SUPPORT: FIDO2/WebAuthn, U2F and TOTP (with companion app)

To find sources of supply, enter the following in the internet search engine of your choice: «Token2 T2F2-Bio2»



Identiv uTrust FIDO2 NFC

PRODUCT DESCRIPTION: Identiv uTrust FIDO2 NFC
PROTECTION: Integrated touch button with PIN
CONNECTION POSSIBILITIES: NFC / USB-A / USB-C
PRICE: CHF approx. 36.00
SUPPORT: FIDO2/WebAuthn, U2F and TOTP/HOTP

To find sources of supply, enter the following in the internet search engine of your choice: «Identiv uTrust FIDO2 NFC»



Swissbit iShield Key (FIDO2 / Pro)

PRODUCT DESCRIPTION: Swissbit iShield Key (FIDO2 / Pro)
PROTECTION: Integrated touch button with PIN
CONNECTION POSSIBILITIES: NFC / USB-A / USB-C
PRICE: CHF 52.00 - 85.00
SUPPORT: FIDO2/WebAuthn, U2F, TOTP/HOTP and PIV (version Pro)

To find sources of supply, enter the following in the internet search engine of your choice: «Swissbit iShield Key»



YubiKey Security Key Series

PRODUCT DESCRIPTION: YubiKey Security Key Series
PROTECTION: Integrated touch button with PIN
CONNECTION POSSIBILITIES: NFC / USB-A / USB-C
PRICE: CHF 35.00 - 65.00
SUPPORT: FIDO2/WebAuthn and U2F

To find sources of supply, enter the following in the internet search engine of your choice: «YubiKey Security Key Series»



YubiKey Bio Series

PRODUCT DESCRIPTION: YubiKey Bio Series
PROTECTION: Fingerprint reader with PIN
CONNECTION POSSIBILITIES: USB-A / USB-C
PRICE: CHF 100.00 - 120.00
SUPPORT: FIDO2/WebAuthn and U2F

To find sources of supply, enter the following in the internet search engine of your choice: «YubiKey Bio Series»



Cryptnox FIDO2 Card

FIDO2 Smartcard

PRODUCT DESCRIPTION: Cryptnox FIDO2 Card
PROTECTION: PIN
CONNECTION POSSIBILITIES: Smart Card-Reader and NFC
PRICE: CHF approx. 40.00
SUPPORT: FIDO2/WebAuthn, U2F and RFID Mifare Desfire EV2 4K

To find sources of supply, enter the following in the internet search engine of your choice: «Cryptnox FIDO2 Card». Cryptnox offers a FIDO2 Card manager app for the iPhone.



Important:
If you no longer have a login factor for your AGOV login, e.g. due to loss or defect, you will lose all access via AGOV and will have to complete the complex recovery process in AGOV. Avoid this by also registering one or more additional mobile device(s) in your AGOV account with the AGOV access app or an additional security key (FIDO2).