FIDO2 - Secure Logins Without Passwords

The average Internet user has around 150 online accounts, whether for online banking, social networks, or email. Here's another statistic for you: A whopping 81% of all reported data thefts can be traced back to a compromised or stolen password. FIDO2 promises safer and faster authentication, all without passwords. Below, we'll let you know how FIDO2 works and what advantages it has.
FIDO2 is a password-less authentication method launched by the FIDO Alliance and the World Wide Web Consortium (W3C) for mobile devices and browsers; the acronym "FIDO" stands for Fast Identity Online. The method makes it possible to identify users with the assistance of verified hardware, removing the need to enter a password.
Back in 2012, PayPal, Lenovo, Infineon, Nok Nok Labs, Validity Sensors, and Agnitio founded the FIDO Alliance to promote password-less online identification. These companies were later joined by others, such as Microsoft, Google, and Samsung. The second version of the FIDO standard (FIDO2) was released in 2018. Its founders want the standard to remain open and non-proprietary so that it can be adopted on a wide scale.
A significant number of apps and operating systems already use FIDO2, without their users being any the wiser. One example is the Hello login service on Microsoft Windows, which only requires the input of a numerical code. The correct PIN is saved locally on the computer and cannot be decoupled from it. Should cybercriminals crack the code, it will do them little good without the computer itself.
The main characteristics of FIDO2 are:
An overview of how FIDO2 works.
Instead of inputting a password, FIDO2 users authenticate themselves via a trusted device, referred to in technical terms as the authenticator. The connection between the authenticator and the browser can be established via Bluetooth, USB, or NFC and includes:
More and more apps have started to use two- or multi-factor authentication. Their users log in with a username and password, after which they are prompted to enter an additional code, often sent by SMS. This method is very secure, but it is also something of a hassle: without a strong network connection you might not receive the SMS and will not be able to log in.
FIDO2's two-factor authentication also relies on two independent components to verify a user, but you do not need a second device, because the FIDO hardware handles this. All that is necessary is the authenticator and an Internet connection. Some options include:
Traditional, password-based authentication methods are symmetric: both the user and the website or service they are logging in to know the password. If the password the user enters matches the one the website has on record, the user is accepted. This method has a major shortcoming, though: a third party who breaks into the server on which the website stores the password can steal it and enter it exactly as the legitimate user would.
In contrast, FIDO2 is based on asymmetric public/private key cryptography, which relies on a pair of keys. The public key is, as its name suggests, publicly accessible and is stored away from the user's computer or device, whereas the private key never leaves the device on which it was created. In each exchange, the sender encrypts the data using the public key, and only the holder of the private key can decrypt it; the public key alone is of no use for reading the data.
FIDO2 uses the FIDO Alliance's Client to Authenticator Protocol (CTAP) and the W3C's WebAuthn API. CTAP establishes the connection between the browser or platform and a compatible device over USB, NFC, or Bluetooth. When the application (browser or app) connects to the authenticator, it sends a command, and the authenticator responds either with the requested data or with an error.
WebAuthn, in turn, makes authentication possible by defining the interface through which web apps use public/private key cryptography in the browser; the browser then talks to the authenticator (a TPM or a USB security key) over CTAP.
Communication between the web server and end-user takes place across multiple steps:
The FIDO2 login process.
In order for verification to work, you'll need a browser that supports the FIDO2 standard. Additionally, the web service or app with which you intend to use FIDO2 also needs to be compatible with the framework. Some examples of the latter include all Microsoft services (Outlook, OneDrive, Office, etc.) as well as a number of platforms, such as Twitter, GitHub, and Dropbox.
When logging in for the first time, it will be necessary to register. Here, it's possible to select the authentication method. Taking Windows Hello as an example, the first steps would be:
Public/private key cryptography is considered to be highly secure since it's nearly impossible to guess the private key. This has the added benefit of making FIDO2 more reliable than traditional, password-based authentication processes, in which hackers can easily sniff out weak passwords.
Beyond that, FIDO2 offers a few other advantages as well:
All the same, even FIDO2 doesn't offer 100% security. Should someone physically steal your FIDO2 stick and the accompanying device, it will be possible for them to sign in without issue. This is easier to prevent than digital theft though since most people are more cognizant of their physical possessions than digital ones.
Should a user lose their authenticator, they can usually recover their account with a backup code or a second, pre-registered key. Of course, this varies from application to application. Websites that handle payment data typically have higher security standards than social networks do, for example.
In order to complete the FIDO2 authentication process, online services need to support the WebAuthn API. Both Windows 10 and Android (from 7.0 on) support this, as do the following browsers:
A number of popular websites and apps have also rolled out support for password-less authentication with FIDO2. These include:
The FIDO2 standard offers a secure and relatively straightforward way to use apps and web services without a password. Thanks to its asymmetric cryptography, the private key remains local, providing extremely robust protection against password thieves.
Nearly all commonly used browsers and operating systems, as well as a number of web apps, support FIDO2. To get started, prospective users only need a TPM chip, an external FIDO2 stick, a smart card, or other hardware or software that can serve as an authenticator. As the authentication method, both PINs and biometric data can be used. Overall, FIDO2 is a powerful and secure alternative to password-based logins, and a particularly attractive one for Internet users who are tired of remembering their passwords.
Should you prefer to keep track of your existing passwords in a single place, and not be quite ready to make the transition to FIDO2, we recommend checking out password managers to ensure that yours are as secure as possible.