If Microsoft, Google, and Apple have their way, passwords will be history as soon as possible. FIDO 2, a hardware-backed method of logging into Internet accounts, is meant to make that possible. In the new iOS 16, the feature is called Passkeys.
The list of rules for good passwords is long: they should have as many characters as possible and must not be reused across different services. Apparently this is too time-consuming for many people, or simply overwhelming. In 2021, the digit sequence “123456” once again topped the list of the most popular passwords published annually by the Hasso Plattner Institute. But even strong and unique passwords can be intercepted or stolen.
And two-step login (two-factor authentication, 2FA), in which a second factor is verified in addition to the password (for example, a code generated by a 2FA app or a fingerprint), increases security, but it doesn’t make logging in any easier.
Simply no password is the solution
There is a solution to these problems, which is simply to make the password itself obsolete. We are talking about FIDO (Fast Identity Online). The license-free standard was developed by the FIDO Alliance, a coalition of many different companies that also includes Google, Microsoft, and Apple.
The latest standard, FIDO 2, is designed to enable secure, passwordless login to online services. The password might then have had its day. But how does it work? If you want to log in through FIDO 2, you must first register a device with the respective service.
This can be done with a smartphone, tablet, or computer. During registration, two cryptographic keys are generated mathematically, and together they form a pair: the public key and the private key. The service receives the public key; the secret key is stored on the device, which thus becomes the so-called authenticator.
Like a signature
If you now want to log in, the device creates a digital signature using the secret key. The service can then verify the authenticity of this using the public key.
In principle, this works like the classic paper signature, explains Markus Dürmuth from the Institute for IT Security at the Leibniz University of Hannover. “Only I know with what impulse I write the signature: anyone can check it with a comparison sample.”
The procedure is more secure than the password because the private key is held only by the user. Passwords, on the other hand, are secrets that are entered via keyboards: they can be intercepted locally or en route through the network.
Furthermore, services also store passwords in encrypted form so that they can compare them with the password the user enters, says Dürmuth. During that comparison, the password is briefly available in plain text, which is a security risk.
FIDO 2, on the other hand, offers even more security: the digital signature includes a timestamp, says Dürmuth. Even if attackers managed to intercept the signature, they would not be able to use it later.
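A worked version of the registration and login exchange described above, as an added example that is not from the original article or from any FIDO implementation: the device generates and keeps the private key, the service stores only the public key, and the signed message carries a timestamp that the service checks so that an intercepted signature is rejected when presented later. The names Authenticator, Service and Assertion and the 30-second freshness window are assumptions for this illustration; real WebAuthn assertions additionally sign a random challenge issued by the service.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"strconv"
	"time"
)

// Authenticator models the device: the private key is generated here and never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// Service models the online service: after registration it holds only the public key.
// maxAge is how old a signed timestamp may be before it is treated as a replay (assumed value).
type Service struct{ pub ed25519.PublicKey; maxAge time.Duration }

// Assertion is all that crosses the network at login: a timestamp and a signature, never the key.
type Assertion struct{ Timestamp int64; Signature []byte }

// Register creates the key pair on the device and hands only the public key to the service.
func Register(s *Service) *Authenticator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // the OS random source failed; nothing sensible to do in a demo
	}
	s.pub = pub
	return &Authenticator{priv: priv}
}

// message binds the service name and timestamp into the bytes that are signed.
func message(service string, ts int64) []byte { return []byte(service + "|" + strconv.FormatInt(ts, 10)) }

// Login signs the service name and the current time with the secret key.
func (a *Authenticator) Login(service string, now time.Time) Assertion {
	ts := now.Unix()
	return Assertion{Timestamp: ts, Signature: ed25519.Sign(a.priv, message(service, ts))}
}

// Verify checks the signature with the stored public key and rejects assertions older than maxAge.
func (s *Service) Verify(service string, as Assertion, now time.Time) error {
	if s.pub == nil || !ed25519.Verify(s.pub, message(service, as.Timestamp), as.Signature) {
		return errors.New("invalid signature")
	}
	if now.Sub(time.Unix(as.Timestamp, 0)) > s.maxAge {
		return errors.New("stale assertion: possible replay")
	}
	return nil
}
```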
Special chips for keys
In addition, the private key, also called the secret, is safe on the authenticating devices: The key is stored on the devices in a so-called Trusted Platform Module (TPM), explains Jan Mahn of the specialist magazine “c’t”. “These are hardware chips that are designed so they don’t have an outlet for secrecy.”
The private key is computed once on the device and stored there. When signing in, only the signature leaves the device, never the private key itself, according to Mahn. TPM cryptographic chips are now found in the vast majority of smartphones, as well as in newer PCs and laptops. Microsoft has even made a TPM a requirement for installing Windows 11.
If you still have an old computer or an old smartphone without a TPM, you can also store the private key on devices that are connected via USB (computer) or NFC (smartphone). These devices with built-in cryptographic chips are also called tokens, and in FIDO 2 they can do more than just replace the password.
Stick as a password replacement or second factor
Depending on the service, a USB token can also serve as a second factor, because 2FA is also part of the FIDO standards. Once the stick is plugged into the device, you only have to enter a PIN, or authenticate with a fingerprint if the stick has a sensor for it.
But what happens if a user loses the smartphone in which the private key is located? “The official recommendation for FIDO 2 is to register two devices,” says Dürmuth. The second device does not necessarily have to be a smartphone or a computer: a securely stored USB token can also be used as a backup.
Jan Mahn mentions another way to regain access to an account in an emergency: many services issue a backup code when you sign up. It is best to write it down on paper and keep it in a safe place.
Cloud key?
A relatively new idea to solve the problem of loss and for greater ease of use is also to store the private key in the cloud, that is, on Internet servers, or to synchronize it on different devices through the Internet.
In principle, some security is lost by going to the cloud. However, Markus Dürmuth believes that this is justifiable in view of FIDO 2’s greater ease of use. Cloud storage is also specially protected.
New boost with iOS 16
Apple, Google and Microsoft decided in the spring to add more features to FIDO 2 by 2023. Users should be able to access login data automatically on different devices, including new ones, without having to sign in again for each account. It should also be possible to use a mobile device as an authenticator to log into an app or website on another nearby device, regardless of operating system or browser.
FIDO 2 could get a new boost with iOS 16. Apple has built the process into the iPhone’s operating system in the form of passkeys. Touch ID or Face ID is used for biometric verification. iCloud Keychain syncs passkeys across iPhone, iPad, Mac, and Apple TV with end-to-end encryption.
Microsoft has introduced password-less sign-in for the web version of Outlook and for its Xbox Live gaming network, among other things. It can be enabled in the advanced security settings of the Microsoft account.
And Dropbox, Google and Twitter support FIDO 2 at least as a second factor through a USB token, an application or an SMS, although it is usually not called FIDO 2 but “security key” or “access key”.
BSI member of the FIDO Alliance
The Federal Office for Information Security (BSI) is also a member of the FIDO Alliance. The bureau rates the FIDO-2 standard positively on many counts, says a spokesperson for the authority. However, there is only real security gain if the authentication device is protected accordingly.
According to the BSI, for higher levels of security, the way the FIDO-2 standard is implemented on a website, for example, must be independently verified and certified, because security always depends on how the respective provider implements FIDO 2 for its service.
Enable 2FA and password replacement whenever possible
“Ideally, IT security should bother the attacker,” says Jan Mahn, and users as little as possible. “FIDO 2 accomplishes that, especially with the new implementations.” With most Android, iOS and macOS devices, but also Windows, it’s now very easy to use FIDO 2 with your existing hardware.
Mahn advises checking the security options in the respective service’s account settings and using FIDO 2 whenever possible: either as a password replacement or as a second factor.