Post‑Quantum Cryptography in the FIDO Ecosystem

As global reliance on passwordless authentication accelerates, the FIDO ecosystem—built on asymmetric public‑key cryptography—has become essential to modern digital identity. But the cryptographic foundations beneath today’s authentication systems face a rapidly approaching threat: quantum computers capable of breaking classical public‑key algorithms. With NIST’s release of its first post‑quantum cryptography (PQC) standards and the FIDO Alliance’s work on updated protocols, the transition toward quantum‑safe authentication has started.

The Quantum Threat to Authentication 

Quantum computing threatens the mathematical assumptions behind commonly used algorithms such as RSA, ECDH, and ECDSA. A sufficiently powerful cryptographically relevant quantum computer (CRQC) could potentially break these algorithms in hours, compromising authentication, attestation, and long‑term credential integrity. NIST highlights that quantum computers will eventually be able to break many of today’s widely used cryptographic systems, making early migration essential. 

Governments share this concern, especially warning about Store‑Now‑Decrypt‑Later threats, where encrypted data collected today may be decrypted once quantum computers mature. 

In authentication systems—especially FIDO—quantum‑safe signatures are as critical as quantum‑safe encryption, because signatures secure identity, attestation, and device trust. 

NIST’s PQC Standards: A New Foundation 

In August 2024, NIST finalized three Federal Information Processing Standards (FIPS): 

  • FIPS 203 – ML‑KEM, a module‑lattice‑based key‑encapsulation mechanism for quantum‑safe key exchange, based on CRYSTALS-Kyber. 
  • FIPS 204 – ML‑DSA, a module‑lattice‑based digital signature scheme for authentication and integrity, based on CRYSTALS-Dilithium. 
  • FIPS 205 – SLH‑DSA, a stateless hash‑based signature scheme based on SPHINCS+.  

NIST encourages immediate migration, expecting classical algorithms to be phased out by 2035. These standards form the core cryptographic building blocks for quantum‑safe authentication architectures. 

Why PQ Signatures Matter—Not Just PQ Encryption 

While many associate PQC with encryption, PQ signatures are equally vital—and for authentication, even more important. FIDO authentication, including the way our OFFPAD device interacts with online services, relies on asymmetric digital signatures to authenticate user credentials. 

If an attacker with access to a quantum computer can forge signatures, they can impersonate any user or authenticator. PQ encryption alone cannot prevent this. Thus, PQ signatures such as ML‑DSA and SLH‑DSA are essential for a secure FIDO future. NIST’s standardization explicitly addresses both signature and key‑establishment mechanisms to counter quantum attacks. 

More insight into this can be found in our own high‑level overview at https://ponebiometrics.com/post-quantum-cryptography.  

The FIDO Alliance’s PQC Initiatives 

The FIDO Alliance has long acknowledged the implications of quantum computing for authentication. Its 2024 white paper highlights the vulnerabilities of classical asymmetric algorithms and outlines a transition strategy for PQC adoption across authentication and attestation layers: https://fidoalliance.org/white-paper-addressing-fido-alliances-technologies-in-post-quantum-world. 

Dedicated working groups continue developing guidance for integrating PQC into WebAuthn, CTAP, and the broader FIDO ecosystem. This includes addressing cryptographic agility, key size increases, and performance considerations for constrained authenticators. 

Scientific and Engineering Evidence Supporting PQC in FIDO 

Several studies have evaluated PQ algorithms in FIDO flows. Research on ML‑DSA demonstrates that despite larger signatures and higher computational cost, performance remains practical for real‑world authentication. 

Other analyses highlight the challenges of implementing PQC on low‑resource authenticators—such as increased signature size, bandwidth impact, and memory constraints—but also show that careful engineering can make PQC feasible. 

A particularly relevant contribution is the NTNU master’s thesis “Towards Quantum‑Resilient Authentication: Implementing Hybrid Signatures in FIDO2 Authenticators”, supervised in collaboration with PONE Biometrics. It demonstrates hybrid classical‑plus‑PQC authentication using CRYSTALS‑Dilithium on a resource‑constrained FIDO2 authenticator—clear evidence that PQC‑ready FIDO authentication is achievable even on limited hardware. Check out the details at: https://nva.sikt.no/registration/0198ecb7c892-e546684a-a9ca-496d-8371-89fe1471d10f. 

The OFFPAD and PQC Readiness 

At PONE Biometrics, we engineered the OFFPAD to provide high‑assurance, phishing‑resistant authentication in a secure, isolated hardware environment. 

Our design philosophy—rooted in hardware‑backed key protection, cryptographic agility, and controlled execution—positions the OFFPAD as a strong candidate for upcoming PQC‑enhanced FIDO authentication. As NIST’s PQC portfolio expands, we will continue evolving our solutions. 

Preparing for a Quantum‑Safe Authentication Future 

To ensure a smooth transition toward quantum‑safe FIDO authentication, we recommend organizations begin preparing now:

1. Inventory cryptographic dependencies.

Identify where classical signature algorithms (RSA, ECDSA) are used. NIST’s transition guidance stresses early mapping.

2. Prioritize PQ signatures for authentication.

Because authentication depends on signatures, PQ signature adoption is essential—not optional. 

3. Track developments from the FIDO Alliance.

Ongoing working groups will define migration timelines and interoperability standards.  

4. Plan for hybrid signature schemes during the transition.

Hybrid classical + PQ signatures can provide immediate protection until full PQ migration is feasible, an approach supported by academic research and practical prototypes.
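
Step 1 applied to a relying party's own FIDO data, as an added example that is not code from PONE Biometrics or the FIDO Alliance: it decodes each stored WebAuthn credential public key (a CBOR-encoded COSE_Key) and reports whether its signature algorithm is classical or post-quantum. The credential store layout, the sample keys and the ML-DSA COSE identifiers (-48, -49, -50) are assumptions to check against the current IANA COSE registry.

```python
CLASSICAL = {-7: "ES256", -35: "ES384", -36: "ES512", -8: "EdDSA",  # COSE ids
             -257: "RS256", -258: "RS384", -259: "RS512", -37: "PS256"}
# Assumption: ML-DSA COSE ids; confirm against the current IANA COSE registry.
POST_QUANTUM = {-48: "ML-DSA-44", -49: "ML-DSA-65", -50: "ML-DSA-87"}

def _item(buf, pos):
    """Decode one CBOR item (ints, strings, maps); return (value, next pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    n = 0 if info < 24 else 1 << (info - 24)   # argument bytes that follow
    if info > 27 or pos + n > len(buf):
        raise ValueError("unsupported or truncated CBOR head")
    arg = int.from_bytes(buf[pos:pos + n], "big") if n else info
    pos += n
    if major in (0, 1):                        # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3) and pos + arg <= len(buf):
        return bytes(buf[pos:pos + arg]), pos + arg   # byte or text string
    if major == 5:                             # map of arg key/value pairs
        out = {}
        for _ in range(arg):
            key, pos = _item(buf, pos)
            out[key], pos = _item(buf, pos)
        return out, pos
    raise ValueError("unsupported or truncated CBOR item")

def inventory(credentials):
    """Map credential id -> (status, algorithm) for each stored COSE_Key."""
    report = {}
    for cred_id, cose_key in credentials.items():
        try:
            key, _ = _item(cose_key, 0)
        except (ValueError, IndexError, TypeError, RecursionError):
            key = None
        alg = key.get(3) if isinstance(key, dict) else None   # label 3 = alg
        status = ("unparseable" if not isinstance(alg, int) else
                  "quantum-vulnerable" if alg in CLASSICAL else
                  "post-quantum" if alg in POST_QUANTUM else "unknown")
        report[cred_id] = (status, {**CLASSICAL, **POST_QUANTUM}.get(alg, alg))
    return report

# Constructed sample store; key material is zero-filled padding, not real keys.
h = bytes.fromhex
SAMPLE = {
    "alice-es256": h("a5010203262001215820") + bytes(32) + h("225820") + bytes(32),
    "bob-rs256": h("a401030339010020590100") + bytes(256) + h("2143010001"),
    "carol-mldsa44": h("a3010703382f20590520") + bytes(1312),
    "dave-truncated": h("a5010203"),
}
```

Calling `inventory(SAMPLE)` returns one `(status, algorithm)` pair per credential id; entries marked `unknown` or `unparseable` need manual review rather than being counted as safe.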

Conclusion 

As NIST continues to extend its PQC portfolio—through ongoing competitions for additional signature algorithms and future standards such as Falcon and code‑based KEMs like HQC—it is clear that the global cryptographic landscape is entering a major transition. Research efforts reaffirm that quantum‑resilient authentication is not only achievable but already underway. At PONE Biometrics, we are committed to leading this transition by ensuring that the OFFPAD and our broader authentication ecosystem evolve with the emerging standards, enabling organizations to deploy strong, future‑proof protection against quantum‑enabled threats.
