If Microsoft, Google and Apple get their way, passwords should be history as soon as possible. FIDO 2, a hardware-supported method for signing in to online accounts, should make this possible. In the new iOS 16, this feature is called passkeys.
The list of rules for good passwords is long: they should contain as many characters as possible and never be reused across services. Apparently this is too much effort for many people, or simply overwhelms them. In 2021, the digit sequence “123456” once again topped the list of the most popular passwords that the Hasso Plattner Institute publishes every year. But even strong, unique passwords can be intercepted or stolen.
Two-step login (two-factor authentication, 2FA), which checks a further factor in addition to the password (for example a code generated by an authenticator app, or a fingerprint), increases security, but it does not make logging in any easier.
No password at all is the solution
These problems have a solution: make the password itself obsolete. This is the idea behind FIDO (Fast Identity Online). The license-free standard was developed by the FIDO Alliance, a coalition of many different companies that includes Google, Microsoft and Apple.
The latest standard, FIDO 2, is designed to provide secure login to online services without a password. The password may have had its day. But how does it work? To log in with FIDO 2, you first register your device with the service in question.
This can be done with a smartphone, tablet or computer. During registration, the device generates a pair of cryptographic keys: a public key and a private key. The service receives the public key; the private key stays on the device, which thereby becomes the so-called authenticator.
Like a signature
When you later want to log in, the device creates a digital signature with the private key. The service can then verify it with the public key.
In principle, this works like a classic signature on paper, explains Markus Dürmuth from the Institute for IT Security at Leibniz University Hannover. “Only I know the stroke with which I write my signature; anyone can check it against the reference sample.”
This procedure is more secure than a password because only the user holds the private key. Passwords, on the other hand, are secrets typed in on a keyboard, and they can be intercepted locally or on the network.
“In addition, passwords are also stored, in encrypted form, by the respective service so that the password entered by the user can be compared,” Dürmuth says. During that comparison the password is briefly available in plaintext, which poses a security risk.
FIDO 2, on the other hand, offers even more security: the digital signature includes a timestamp, Dürmuth says. Even if attackers managed to intercept the signature, they could not use it later.
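As an added illustration (not code from the article or from any FIDO Alliance project), the following Go model shows the registration and login flow described above: the authenticator generates a key pair per service and hands over only the public key; at login the service issues a fresh random challenge, the authenticator signs it together with the service ID, and the service verifies the signature with the stored public key. The type names, the user name and the service ID are assumptions; the freshness that defeats replay comes here from the random challenge, and binding the service ID into the signed message is what makes a signature useless on a look-alike site.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Authenticator keeps one private key per service; the keys never leave it.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

// Register makes a fresh Ed25519 key pair for this service; only the public half leaves.
func (a *Authenticator) Register(rp *RelyingParty, user string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // constructed demo: a failing CSPRNG is fatal anyway
	}
	a.keys[rp.ID] = priv
	rp.pubs[user] = pub
}

// Sign answers a challenge with the key registered for rpID; only the signature leaves.
// A site with a different ID (say, a look-alike domain) gets nothing: no key is registered for it.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, false
	}
	return ed25519.Sign(priv, signedMessage(rpID, challenge)), true
}

// RelyingParty (the online service) stores only public keys, one per user.
type RelyingParty struct {
	ID   string
	pubs map[string]ed25519.PublicKey
}

// Challenge draws a fresh 32-byte nonce for every login attempt.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand fills the whole slice on supported platforms
	return c
}

// Verify checks the signature against the stored public key and the nonce this
// service issued; a signature captured from an earlier login fails here.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	return ok && ed25519.Verify(pub, signedMessage(rp.ID, challenge), sig)
}

// signedMessage binds the service ID into what is signed.
func signedMessage(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}
```

A real FIDO 2 exchange additionally carries a signature counter and attestation data, but the replay and phishing checks above are the core of why a stolen signature is worthless.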
A special chip stores the keys
In addition, the private key, also called the secret, is safe on the authenticator device: it is stored in a so-called Trusted Platform Module (TPM), explains Jan Mahn from the trade magazine c’t. “These are hardware chips designed so that a secret has no way out.”
The private key is generated once on the device and stays there. According to Mahn, only the signature leaves the device at login, never the private key itself. TPM crypto chips are now found in the vast majority of smartphones as well as in newer PCs and laptops. Microsoft has even made a TPM a requirement for installing Windows 11.
If you still have an old computer or smartphone without a TPM, you can instead keep the private key on a stick connected via USB (computer) or NFC (smartphone). These sticks with built-in crypto chips are also called tokens, and they can do more than replace the password in FIDO 2.
Stick as password replacement or second factor
Depending on the service, the USB token can also serve as a second factor. Once the stick is connected, you enter a PIN, or confirm with a fingerprint if the stick has a sensor for it. 2FA is also part of the FIDO standards.
But what if the user loses the smartphone that holds the private key? “The official recommendation for FIDO 2 is to register two devices,” Dürmuth says. The second device does not have to be a smartphone or computer: a securely stored USB token can also serve as the backup.
Jan Mahn mentions another way to regain access to an account in an emergency: many services issue a backup code at registration. It is best written down on paper and kept in a safe place.
Key to the cloud?
A relatively new idea for solving the loss problem, and for making FIDO 2 easier to use, is to store the private key in the cloud as well, that is, on Internet servers, or to synchronize it across several devices over the Internet.
In principle, some security is lost when moving to the cloud. Markus Dürmuth nonetheless considers this justified by the greater usability of FIDO 2. Cloud storage is, moreover, itself well secured.
New momentum with iOS 16
In the spring, Apple, Google and Microsoft agreed to add further features to FIDO 2 by 2023. Users should be able to access their credentials automatically across devices, including new ones, without having to re-enroll each account. It should also be possible to use a mobile device as the authenticator for logging in to an app or website on another nearby device, regardless of operating system or browser.
FIDO 2 may get a new boost with the release of iOS 16. Apple has integrated this process into the iPhone operating system in the form of passkeys. You use Touch ID or Face ID for biometric verification. iCloud Keychain syncs passkeys across iPhone, iPad, Mac, and Apple TV using end-to-end encryption.
Microsoft has introduced passwordless sign-in for the web version of Outlook and for its Xbox Live gaming network, among other things. You can turn it on in the advanced security settings of your Microsoft account.
Dropbox, Google and Twitter support FIDO 2 at least as a second factor, via USB token, app or SMS, even if the option is usually labelled “security key” or “passkey” rather than FIDO 2.
BSI is a member of the FIDO Alliance
The Federal Office for Information Security (BSI) is also a member of the FIDO Alliance. According to a spokesperson, the office rates the FIDO 2 standard positively in many respects. However, real security gains are only possible if the authenticator device itself is adequately secured.
According to the BSI, for higher security levels a service’s implementation of the FIDO 2 standard must also be independently verified and certified, because security always depends on how the respective provider implements FIDO 2 for its service.
Enable 2FA and password replacement wherever possible
“IT security should ideally annoy the attacker,” Jan Mahn says, “and users as little as possible. FIDO 2 manages that, especially in the newer implementations.” On most Android, iOS and macOS devices, as well as on Windows, it is now very easy to use FIDO 2 with existing hardware.
Mahn advises checking the security settings of each service account and using FIDO 2 wherever possible, either as a password replacement or as a second factor.