SendQuick's Conexa authentication platform has achieved FIDO2 server certification from the FIDO Alliance, the company announced, positioning the multi-factor authentication platform as a standards-based, phishing-resistant option for enterprises. However, at the time of writing, the FIDO Alliance's public Certified Products Directory did not yet list Conexa; we will update this report once the listing appears.

The milestone, if independently verified, would accelerate the industry's shift away from passwords and one-time codes toward cryptographic passkeys and biometrics—a move that is gaining urgency as phishing attacks grow more sophisticated. For Windows-heavy organizations, Conexa's built-in support for Windows login, RADIUS, and SAML integrations promises to simplify the transition to passwordless workflows across hybrid environments.

Why FIDO2 Certification Matters

FIDO2 is a set of specifications from the FIDO Alliance and the W3C Web Authentication (WebAuthn) standard that replaces shared secrets like passwords with public-key cryptography. Instead of sending a password that could be intercepted, the user's device proves possession of a private key through a challenge-response protocol. This approach is inherently phishing-resistant because the authentication response is bound to the specific website or application requesting it.
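The origin binding described above can be seen in the checks a WebAuthn relying party runs on an assertion before it verifies the signature. The following is an added example, not code from SendQuick or from the original article; the RP ID, origins, function names and sample data are constructed assumptions.

```python
import base64, hashlib, hmac, json, struct

RP_ID = "login.example.com"                    # assumed relying party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # assumed allowed origin

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def binding_failures(client_data_json, authenticator_data, expected_challenge, stored_count):
    """Return names of failed checks; an empty list means the binding checks passed.
    Verifying the signature over authenticator_data || SHA-256(client_data_json)
    with the registered public key is still required and is not shown here."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    # The challenge must be the one this server issued for this session.
    got = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(expected_challenge).encode()):
        failures.append("challenge")
    # The browser, not the page, writes the origin it is actually talking to.
    if client.get("origin") not in ALLOWED_ORIGINS:
        failures.append("origin")
    if len(authenticator_data) < 37:
        return failures + ["authenticator_data_length"]
    # Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", authenticator_data[:37])
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        failures.append("rp_id_hash")
    if not flags & 0x01:                        # UP: user presence flag
        failures.append("user_present")
    # A counter that fails to increase suggests a cloned authenticator.
    if (sign_count or stored_count) and sign_count <= stored_count:
        failures.append("sign_count")
    return failures

def make_sample(origin, rp_id, challenge, sign_count, flags=0x05):
    """Constructed stand-in for what a browser and authenticator would return."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                      "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)
    return cdj, auth

if __name__ == "__main__":
    challenge = bytes(range(32))                # constructed; use a CSPRNG in practice
    genuine = make_sample("https://login.example.com", RP_ID, challenge, 8)
    lookalike = make_sample("https://login.example.net", "login.example.net", challenge, 8)
    print("genuine:", binding_failures(*genuine, challenge, 7))
    print("look-alike site:", binding_failures(*lookalike, challenge, 7))
```

An assertion produced on a look-alike domain carries that domain's origin and RP ID hash, so the server rejects it even when the challenge was relayed correctly, which is the property SMS and push codes lack.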

The U.S. National Institute of Standards and Technology (NIST) explicitly recognizes FIDO2/WebAuthn as phishing-resistant in its Digital Identity Guidelines (Special Publication 800-63B). NIST's Authentication Assurance Level 2 (AAL2) mandates that verifiers offer at least one phishing-resistant option, and AAL3 requires it. The Cybersecurity and Infrastructure Security Agency (CISA) echoes this in its hybrid identity solutions guidance, urging agencies to adopt phishing-resistant MFA as part of zero-trust architectures. SMS, email, and push-based OTPs—still common in many MFA deployments—do not meet this bar because their codes can be relayed or phished.

For a server-side platform like Conexa, FIDO2 certification means it has been tested for interoperability with a wide range of authenticators—from hardware security keys to platform-based passkeys in Windows Hello, Apple Touch ID, or Android biometrics—and that it correctly implements the WebAuthn protocol. This certification is critical for enterprises that need to avoid vendor lock-in and ensure consistent user experiences across browsers, operating systems, and devices.

What SendQuick Conexa Brings to the Table

Conexa is a flexible MFA and passwordless authentication platform offered as an on-premises appliance, cloud service, or virtual appliance. It has long supported traditional second factors—SMS, email, soft tokens, push notifications, and even collaboration channels like Microsoft Teams. The new FIDO2 certification adds standards-based cryptographic authentication to that mix, allowing organizations to phase out weaker factors over time.

Key features relevant to Windows environments include:
- FIDO2/WebAuthn support: Users can authenticate with passkeys stored on their devices or with external FIDO2 security keys. This works for web applications and, crucially, for Windows workstation logins.
- SendQuick Credential Provider for Windows Login: A dedicated component that integrates with the Windows logon UI, enabling passwordless sign-in to Windows 10 and 11 using FIDO2 keys. This addresses a common gap in many identity solutions, which often focus only on web sign-ins.
- Built-in RADIUS and SAML identity provider: Conexa can serve as a bridge for legacy VPNs, Wi-Fi networks, and on-premises applications that rely on RADIUS, while also acting as a SAML IdP for modern cloud apps. Documented integrations with Fortinet FortiGate firewalls and other network gear ease deployment for remote access.
- Flexible deployment models: IT teams can choose on-premises isolation, cloud convenience, or a virtual appliance, suiting organizations with strict data sovereignty or compliance requirements.

The Windows Passwordless Journey

Microsoft has been steadily building a passwordless ecosystem for Windows. With Windows 10 and 11, users can sign in using FIDO2 security keys, Windows Hello for Business, or synchronized passkeys via Microsoft Entra ID. Group Policy, Intune, and provisioning packages allow administrators to enforce or encourage passwordless methods at scale. The recent Windows 11 22H2 update polished the passkey experience further, with a revamped Windows Hello UI and better integration for third-party credential providers.

Conexa's FIDO2 server fits into this picture by acting as the relying party server that validates authentication requests. For example, when a user inserts a YubiKey and taps it to sign into Windows, the Windows logon service can communicate with the Conexa server to verify the FIDO2 assertion. The same server can handle authentication for a FortiGate SSL VPN when a user logs in via SAML—providing a unified authentication backend across disparate systems.

This unification is powerful because it reduces the number of identity silos and policy engines. Instead of configuring FIDO2 directly in Entra ID for some workloads and in a separate VPN appliance for others, administrators can funnel multiple use cases through Conexa and apply consistent risk-based policies.

How Conexa Compares to Other FIDO2 Servers

If Conexa appears in the FIDO Alliance directory, it will join a short list of certified FIDO2 servers. Notable alternatives include:
- Nok Nok S3 Authentication Suite: Among the earliest FIDO2-certified servers, known for its breadth of authenticator support and integration with commercial identity providers.
- StrongKey FIDO2 Server: An open-source option that gives organizations full control over their authentication infrastructure, popular in high-security environments.
- i-Sprint AccessMatrix UAS: A certified server with a strong presence in Asia-Pacific markets, also offering full FIDO2 capabilities.

Conexa differentiates itself with its convergence of RADIUS/SAML bridging, Windows login integration, and multi-channel OTP support—functions that many pure FIDO2 servers leave to other products. This makes it a pragmatic option for complex enterprise environments that are not yet ready to go fully passwordless but want to begin the transition.

Risks and Watch-Outs

Despite the promise, IT leaders should approach with caution until the certification is independently confirmed. A company announcement without a corresponding FIDO Alliance listing is unusual; the alliance typically requires vendors to complete testing before the directory entry goes live. Enterprises should ask for the certification ID and verify it on the official FIDO directory before procurement.

Other considerations:
- Legacy factor exposure: Conexa still supports SMS and email OTPs. While useful for transitional workflows, these factors are not phishing-resistant. Security teams must ensure that high-risk access (e.g., domain admins, financial systems) only permits FIDO2 or passkey authentication.
- Operational complexity: Deploying a new authentication server that spans VPN, Windows logons, and cloud apps requires careful planning. Policies must align across Group Policy, Entra ID, and Conexa to avoid user confusion. Pilot rollouts on a single path, like FortiGate VPN, can help iron out kinks before expanding.
- Passkey portability: The FIDO2 ecosystem is rapidly evolving. As passkeys become more portable between platforms—e.g., syncing via iCloud, Google Password Manager, or a future Microsoft sync—Conexa's server must stay current with WebAuthn spec changes to maintain interoperability.

Implementation Playbook for Windows Shops

For organizations considering Conexa or any FIDO2 server, a phased approach aligns with Microsoft and CISA guidance:

  1. Define assurance levels and use cases: Identify which scenarios require phishing-resistant authentication first—typically privileged accounts, remote access, and administrative interfaces. Map these to AAL2 or AAL3 as defined by NIST.
  2. Pilot with a single integration: Deploy Conexa in a lab environment and configure one high-impact workflow, such as FIDO2-based Windows logon for IT staff. Validate authenticator interoperability (hardware keys and platform passkeys) and user experience.
  3. Enable FIDO2 sign-in for Windows via policy: Use Intune or Group Policy to turn on FIDO2 security key logon ("Enable security key for sign-in") and, optionally, require FIDO2 for specific user groups. Pair with Windows Hello where hardware supports it.
  4. Integrate RADIUS/SAML for VPNs and legacy apps: Point existing FortiGate or other VPN appliances to Conexa as a RADIUS server or SAML IdP. Start with a single vendor before extending to others.
  5. Phase out non-phishing-resistant factors: Begin with privileged users, then gradually remove SMS, email OTP, and push from the allowed factors for sensitive applications. Treat legacy factors as stepping stones, not permanent fixtures.
  6. Monitor and iterate: Use Conexa's logging to track authentication methods, failures, and adoption rates. Adjust policies based on real-world usage.

The Bigger Picture: Passwordless Becomes Table Stakes

SendQuick's certification bid comes at a time when passwordless authentication is no longer a futuristic concept. Microsoft, Apple, and Google have all baked passkey support into their platforms. The White House's Executive Order 14028 on improving the nation's cybersecurity and the subsequent OMB memorandum M-22-09 mandate phishing-resistant MFA for federal agencies. Even the cyber insurance industry is beginning to require it for coverage.

For Windows administrators, tools like Conexa's credential provider for Windows Login signal that the passwordless conversation is shifting from "if" to "how." The challenge now lies in bridging the gap between modern FIDO2 authentication and the decades of legacy infrastructure that still run on LDAP, RADIUS, and NTLM. Platforms that can stitch these worlds together while offering a gradual migration path will likely see strong adoption.

We will continue to monitor the FIDO Alliance's Certified Products Directory for Conexa's listing. Once confirmed, SendQuick will have a compelling story for enterprise buyers who need a single platform to manage phishing-resistant access across Windows, networks, and cloud apps. Until then, the company's announcement serves as a clear signal that passwordless authentication is no longer optional—it's the new baseline for any organization serious about identity security.