If Microsoft, Google and Apple have their way, passwords should be history as soon as possible. The FIDO 2, a hardware-supported method for logging into Internet accounts, should make this possible. In the brand new iOS 16, the feature is called Passkeys.
The list of rules for good passwords is long: they should have as many characters as possible and not be used more than once for different services. Apparently, this is too time-consuming for many people or simply overwhelms them. In 2021, the series of numbers “123456” again led the list of the most popular passwords published annually by the Hasso Plattner Institute. But even strong and unique passwords can be intercepted or stolen.
And the two-step login (two-factor authentication/2FA), in which a second factor is checked in addition to the password (e.g. a code generated by a 2FA app or the fingerprint), increases security, but does not make logging in any easier .
There is a solution to these problems, which is simply to make the password itself obsolete. We are talking about FIDO (Fast Identity Online), which in German means something like fast online identification. The license-free standard was developed by the FIDO Alliance, a coalition of many different companies that also includes Google, Microsoft and Apple.
The latest standard, FIDO 2, is intended to enable secure, password-free login to online services. The password could then have had its day. But how does it work? If you want to log in via FIDO 2, you first have to register a device with the respective service.
This can be done with a smartphone, tablet or computer. During registration, two cryptographic character strings are generated using mathematical processes, which together form a pair: the public and the private key. The service receives the public key, the secret key is stored in the device, which thus becomes the so-called authenticator.
If you now want to log in, the device creates a digital signature using the secret key. The service can then check this for authenticity using the public key.
In principle, this works like the classic signature on paper, explains Markus Dürmuth from the Institute for IT Security at Leibniz University Hanover. “Only I know with what momentum I write the signature – anyone can check it with a comparison sample.”
The procedure is more secure than the password because the private key is only held by the user. Passwords, on the other hand, are secrets that are entered via keyboards: they can be intercepted locally or en route through the network.
In addition, the passwords are also stored in encrypted form with the respective service in order to be able to compare the password entered by the user, says Dürmuth. When comparing, the password is briefly available in plain text, which poses a security risk.
FIDO 2, on the other hand, offers even more security: the digital signature includes a time stamp, says Dürmuth. Even if attackers were able to intercept the signature, they would not be able to use it later.
In addition, the private key, also called secret, is safe on the authenticator devices: The key is stored on the devices in a so-called Trusted Platform Module (TPM), explains Jan Mahn from the specialist magazine “c’t”. “These are hardware chips that are designed so that they don’t have an exit for the secret.”
The private key is calculated once in the device and stored there. When logging in, only said signature leaves the device, not the private key itself, according to Mahn. TPMs with crypto chips are now found in the vast majority of smartphones as well as in newer PCs and notebooks. Microsoft has even made a TPM a requirement for installing Windows 11 on machines.
If you still have an older computer or an older smartphone without TPM, you can also save the private key on sticks that are connected via USB (computer) or NFC (smartphone). These sticks with built-in crypto chips are also called tokens and can not only replace the password in FIDO 2.
Depending on the service, a USB token can also serve as a second factor. If the stick is plugged into the device, you only have to enter a PIN or authenticate yourself with a fingerprint if the stick has a sensor for it. Because 2FA is also part of the FIDO standards.
But what if a user loses the smartphone on which the private key is located? “The official recommendation for FIDO 2 is to register two devices,” says Dürmuth. The second device does not necessarily have to be a smartphone or computer: a securely stored USB token can also be used as a backup.
Jan Mahn mentions another way of getting an account in an emergency: numerous services issue a backup code when registering. It is best to write it down on paper and keep it in a safe place.
A relatively new idea for solving the loss problem and for even more user-friendliness is to also save the private key in the cloud, i.e. on Internet servers, or to synchronize it on different devices via the Internet.
In principle, a piece of security is lost by going to the cloud. However, Markus Dürmuth believes that this is justifiable in view of the greater usability of FIDO 2. The cloud storage is also particularly protected.
Apple, Google and Microsoft decided in spring to add further functions to FIDO 2 by 2023. Users should be able to access the access data automatically on different devices – including new ones – without having to log in again for each account. It should also be possible to use a mobile device as an authenticator to log in to an app or website on another device nearby, regardless of the operating system or browser.
FIDO 2 could get new impetus with iOS 16. Apple has integrated the process into the iPhone operating system in the form of passkeys. You use Touch ID or Face ID for biometric verification. iCloud Keychain syncs passkeys across iPhone, iPad, Mac and Apple TV with end-to-end encryption.
Microsoft has introduced passwordless login for the Outlook web version and for its gaming network Xbox Live, among other things. It can be enabled in the advanced security settings of the Microsoft account.
And Dropbox, Google or Twitter support FIDO 2 at least as a second factor via USB token, app or SMS, even if the talk is usually not of FIDO 2 but of security key or passkey.
The Federal Office for Information Security (BSI) is also a member of the FIDO Alliance. The office rates the FIDO-2 standard positively in many aspects, as a spokesman for the authority says. However, there is only a real gain in security if the authenticator device is secured accordingly.
According to the BSI, for higher security levels, how the FIDO-2 standard is implemented on a website must also be independently checked and certified. Because security always depends on how the respective provider implements FIDO 2 for its service.
“IT security should ideally annoy the attacker,” says Jan Mahn – and users as little as possible. “FIDO 2 manages that, especially with the new implementations.” With most Android, iOS and macOS devices, but also with Windows, it is now very easy to use FIDO 2 with existing hardware.
Mahn advises checking the security options in the account settings of the respective service and using FIDO 2 wherever possible: either as a password replacement or as a second factor.