What is Fido 2 and how does Big Tech create a world without passwords?
Passwords could soon be a thing of the past. Technology giants such as Apple, Google and Microsoft want to establish password-free logins in 2023, which should be not only more convenient but also more secure. How will it work?
It is impossible to remember all the passwords required for various Internet services. This is where a password manager comes in, but even that requires a password. And no matter how good a password is, it can always be stolen.
The two-step login (two-factor authentication/2FA), in which a second factor, such as a code generated by the app, is checked in addition to the password, increases security, but does not make the login any less complicated.
There is a solution to all these problems: do away with the password altogether. It is called Fido (Fast Identity Online) and comprises several IT security standards.
The latest version, Fido 2, is designed to enable secure, password-free logins to online services, making passwords obsolete. Apple, Google and Microsoft, among others, hope to usher in a password-free world with this system.
This is how Fido 2 works
If you want to use Fido 2, you first have to register a device such as a smartphone, tablet or computer with the respective service.
Registration generates a pair of cryptographic keys, a public key and a private key. The service receives the public key, while the private key stays on the device, which thereby becomes the authenticator.
When you later want to log in, the device creates a digital signature with the private key. The service then uses the public key to verify that the signature is genuine.
The Fido 2 process is more secure because the private key never leaves the user's side, and the signature includes a timestamp, so attackers cannot reuse it later even if they manage to intercept it.
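The registration and login exchange described above, as an added example in Go that is not from the article or from any Fido implementation: the service stores only the public key, the device signs a login challenge together with the service identifier, and the service verifies the signature with the public key and discards the challenge so an intercepted signature cannot be reused (a fresh server-issued random challenge plays the role the article assigns to a timestamp). The service and user names are constructed sample values, and Ed25519 stands in for whatever algorithm a real authenticator negotiates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Authenticator stands in for the user's device (TPM or USB token): the private key is created here and never leaves.
type Authenticator struct{ priv ed25519.PrivateKey }
// Register creates the key pair on the device and returns only the public half for the service.
func Register() (*Authenticator, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // cannot fail with crypto/rand as the source
	return &Authenticator{priv: priv}, pub
}
// signedData binds a signature to one service (SHA-256 of its ID, as WebAuthn does) and one login attempt.
func signedData(serviceID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(serviceID))
	return append(h[:], challenge...)
}
// Sign answers a login challenge with the device-resident key; only the signature leaves the device.
func (a *Authenticator) Sign(serviceID string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedData(serviceID, challenge))
}

// Service stands in for the online service: it holds public keys and one open challenge per user, nothing secret.
type Service struct {
	ID      string
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}
func NewService(id string) *Service {
	return &Service{ID: id, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}
func (s *Service) Enroll(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }
// Challenge issues a fresh random value that the next login signature must cover.
func (s *Service) Challenge(user string) []byte {
	s.pending[user] = make([]byte, 32)
	rand.Read(s.pending[user]) // crypto/rand: a failed read is fatal rather than silently short
	return s.pending[user]
}
// Verify checks the signature with the stored public key and consumes the challenge, so an intercepted signature cannot be replayed.
func (s *Service) Verify(user string, sig []byte) error {
	c, ok := s.pending[user]
	delete(s.pending, user) // single use: consumed whether or not the check passes
	pub, known := s.pubKeys[user]
	if !ok || !known || !ed25519.Verify(pub, signedData(s.ID, c), sig) {
		return errors.New("login rejected")
	}
	return nil
}
```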
Special chip stores the key
The private key, also known as a secret, is secure on authentication devices where it is stored in what is known as a Trusted Platform Module (TPM).
“These are hardware chips that are designed in such a way that they have no exit for the secret,” IT security specialist Jan Mahn told the dpa.
The private key is calculated once in the device and then stored there. When logging in, only the signature leaves the device, not the private key itself, Mahn explained.
Today a TPM with a crypto chip is found in most smartphones, as well as in newer PCs and notebooks. Microsoft has also made a TPM a requirement for installing Windows 11.
If you have an older computer or a smartphone without a TPM, you can instead store the private key on a stick that connects to a computer via USB or to a smartphone via NFC.
These sticks with built-in crypto chips are also called tokens. They can not only replace the password in Fido 2 but also act as a second factor, depending on the service, since 2FA is likewise part of the Fido standards.
But what if you lose the smartphone on which the private key is stored? The official recommendation is to always register two devices with Fido 2.
The second device doesn’t necessarily have to be a smartphone or a computer – a securely stored USB token is also a good backup.
Key in the cloud
A relatively new idea for solving the problem of lost keys, and for adding even more convenience, is synchronizing the private key via the cloud.
The key is stored on internet servers and can be synchronized to any number of devices over the network. This is how Apple, for example, handles its Fido 2 implementation.
In May of this year, Apple, Google and Microsoft jointly announced their intention to add further functions to Fido 2 by 2023. Users will then be able to access their credentials automatically on different devices without having to log in again for each account.
With most Android, iOS and macOS devices, and also with Windows, it is now very easy to use Fido 2 with existing hardware, Jan Mahn emphasized.
He advises using Fido 2 wherever possible, either as a password replacement or as a second factor.
Cover photo: Unsplash/@impelling