FIDO2 - Secure Logins Without Passwords

Silvia Benetti

The average Internet user has around 150 online accounts, whether for online banking, social networks, or email. Here's another statistic for you: A whopping 81% of all reported data thefts can be traced back to a compromised or stolen password. FIDO2 promises safer and faster authentication, all without passwords. Below, we'll let you know how FIDO2 works and what advantages it has.

What Is FIDO2?

FIDO2 is a password-less authentication method launched by the FIDO Alliance and the World Wide Web Consortium (W3C) for mobile devices and browsers, with the acronym "FIDO" standing for Fast Identity Online. The method makes it possible to identify users with the assistance of verified hardware, nixing the need to input a password.

Back in 2012, PayPal, Lenovo, Infineon, Nok Nok Labs, Validity Sensors, and Agnitio founded the FIDO Alliance to promote password-less online identification. These companies were joined by others, such as Microsoft, Google, and Samsung later on. The second version of the FIDO standard (FIDO2) was released in 2018. Its founders wish for the algorithm to remain open and non-proprietary, allowing it to be used on a wide scale.

A significant number of apps and operating systems already use FIDO2, without their users being any the wiser. One example is the Hello login service on Microsoft Windows, which only requires the input of a numerical code. The correct PIN is saved locally on the computer and cannot be decoupled from it. Should cybercriminals crack the code, it will do them little good without the computer itself.

The main characteristics of FIDO2 are:

  • Authentication with external or integrated hardware keys as opposed to online password forms;
  • Two-factor authentication;
  • Asymmetric public/private key cryptography;
  • Locally stored authenticator.

An overview of how FIDO2 works.

Hardware Keys

Instead of inputting a password, FIDO2 users authenticate themselves via a trusted device, referred to in technical terms as the authenticator. Authenticators connect to the browser via Bluetooth, USB, or NFC and include:

  • USB sticks such as those from Yubico or SecureClick. These are known as FIDO2 sticks or FIDO2 tokens.
  • Smart cards like the WEGA 3DSA 2.0 acoustic card.
  • Trusted Platform Module (TPM) chips that are already embedded in most smartphones, laptops, and PCs.
  • Smartphones or laptops: With these, an app makes it possible to verify a fingerprint or PIN.

Two-Factor Authentication

More and more apps have started to utilize two- or multi-factor authentication. Users of these have to log in with their username and password, after which they'll be prompted to input an additional code, often sent by SMS. This method is very secure, but also something of a hassle: should you not have a strong network connection, you might not receive the SMS and won't be able to log in.

FIDO2's two-factor authentication also relies on two independent components to legitimize a user; however, you won't need a second device, as FIDO2's hardware handles this. Instead, all that's necessary is the authenticator and an Internet connection. Some options include:

  • A complete, password-less solution, such as through the usage of a smart card or TPM chip along with biometric data or a PIN.
  • A username/password along with a token. In this case, FIDO2 enhances the security of standard password-based login processes.

Asymmetric Public/Private Key Cryptography

Traditional, password-based authentication methods are symmetric, meaning that the users, as well as the website or service to which they attempt to log in, know the password. Should the password that the user inputs match the one that the website has on record, the user will be legitimized. This method suffers from a major shortcoming, though: a third party can hack the server where the website stores the password, steal it, and input it in the same manner as the authentic user.

In contrast, FIDO2 is based on asymmetric public/private key cryptography, which relies on a pair of keys. The public key is (as its name suggests) publicly accessible (i.e. stored elsewhere apart from the user's computer or device), whereas the private key remains local, being stored only on the device in question. With each exchange, the sender encrypts the data that is being sent using the public key; in order to decrypt it, the recipient requires the private key. This makes it impossible to access the data with only the public key.

How Does FIDO2 Work?

FIDO2 uses the FIDO Alliance's Client to Authenticator Protocol (CTAP) and the W3C's WebAuthn API. A CTAP integration facilitates the establishment of connections between browsers and platforms through compatible devices (USB, NFC, or Bluetooth). When the application (browser or app) connects to the authenticator, it sends a command. The authenticator reacts either with the requested data or an error.

In contrast, the WebAuthn protocol makes authentication possible by defining the interface through which web apps can integrate public/private key cryptography in a browser. The browser in turn communicates via the CTAP protocol with the authenticator (TPM module or a USB stick).

Communication between the web server and end-user takes place across multiple steps:

  1. Users register on a website, providing their email address and a PIN or fingerprint.
  2. The USB stick or TPM module creates a private and public key for the website.
  3. The web application saves the public key, while the private key is only stored locally.
  4. When logging in later, the web application will send a so-called "challenge request" to the device.
  5. The user unlocks the authenticator with their fingerprint or via PIN. As this step is voluntary with most authenticators, it's possible to configure a USB stick to unlock the authenticator simply by being inserted into a laptop or computer. Of course, in this case, security is reduced.
  6. Should the data that has been sent prove correct, the authenticator creates a digital signature using the locally stored private key.
  7. The browser then sends the digital signature to the web application.
  8. Once the signature has been successfully verified, the end-user will be authenticated.

The FIDO2 login process.

How Can I Use FIDO2?

In order for verification to work, you'll need a browser that supports the FIDO2 standard. Additionally, the web service or app with which you intend to use FIDO2 also needs to be compatible with the framework. Some examples of the latter include all Microsoft services (Outlook, OneDrive, Office, etc.) as well as a number of platforms, such as Twitter, GitHub, and Dropbox.

When logging in for the first time, it will be necessary to register. Here, it's possible to select the authentication method. Taking Windows Hello as an example, the first steps would be:

  • Go to Home > Settings > Accounts > Sign-in Options.
  • Click on Manage, and select the authenticator, choosing from Facial Recognition, Fingerprint Recognition, and PIN.
  • In order to add an extra security key, log in to your Microsoft account. Go to Security > Additional Security Options.
  • Choose Add a new login or verification method.
  • Click on Use a security key and select the type of key (USB or NFC). After this, click on Next.
  • Input your key (i.e. insert your USB stick).
  • Create a PIN or type the PIN you've already created.
  • If necessary, touch the USB stick. This security measure verifies that a physical person is actually sitting at the PC or laptop.
  • Name your security key in order to identify it.
  • Sign in to Windows Hello with the security key.

How Secure Is FIDO2?

Public/private key cryptography is considered to be highly secure since it's nearly impossible to guess the private key. This has the added benefit of making FIDO2 more reliable than traditional, password-based authentication processes, in which hackers can easily sniff out weak passwords.

Beyond that, FIDO2 offers a few other advantages as well:

  • Unique login credentials for each website.
  • The private key is only saved locally on your device, and not a web server, thereby neutralizing the dangers of phishing or data leaks.
  • Login data cannot be extrapolated by tracking user behavior online, since each pair of keys is unique to each website.
  • In contrast to password-based logins, it's possible for the same user to set and save multiple pairs of keys. This makes it possible to log in, even if a set of keys has been lost.

All the same, even FIDO2 doesn't offer 100% security. Should someone physically steal your FIDO2 stick and the accompanying device, it will be possible for them to sign in without issue. This is easier to prevent than digital theft, though, since most people are more cognizant of their physical possessions than of their digital ones.

Should a user lose their authenticator, they can usually recover their account with a backup code or a second, pre-registered key. Of course, this varies from application to application. Websites that handle payment data typically have higher security standards than social networks do, for example.

Which Websites Support FIDO2?

In order to complete the FIDO2 authentication process, online services need to have the WebAuthn Web API. Both Windows 10 and Android (from 7.0 on) support this, as do the following browsers:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Apple Safari

A number of popular websites and apps have also rolled out support for password-less authentication with FIDO2. These include:

  • Dropbox
  • Google Drive
  • OneDrive
  • PCloud
  • Google Wallet
  • YouTube
  • Gmail

Conclusion

The FIDO2 standard offers a secure and relatively straightforward way to use apps and web services without a password. Thanks to its asymmetric cryptography, the private key remains local, providing extremely robust protection against password thieves.

Nearly all commonly-used browsers and operating systems, as well as a number of web apps, support FIDO2. To get started, prospective users only need a TPM chip, an external FIDO2 stick, a smart card, or any other software that can serve as an authenticator. In terms of authentication method, both PINs and biometric data can be utilized. Overall, FIDO2 is a powerful and secure alternative to password-based logins and a particularly attractive one for Internet users who are tired of remembering their passwords.

Should you prefer to keep track of your existing passwords in a single place, and not be quite ready to make the transition to FIDO2, we recommend checking out password managers to ensure that yours are as secure as possible.

Author: Silvia Benetti
After her studies in physical engineering, Silvia Benetti was active in the development of wind turbines. She has been writing about technical subjects as a freelance author for several years. Her focus areas include IT, artificial intelligence, industry 4.0 and renewable energies.