Hannover. In 2021 the digit sequence “123456” once again topped the list of the ten most common passwords that the Hasso Plattner Institute publishes every year. But even strong and unique passwords can be intercepted or stolen.
Logging in in two steps (two-factor authentication, 2FA), where a second factor such as a code from a 2FA app or a fingerprint is checked in addition to the password, does increase security, but it does not make logging in any easier.
The solution: no password at all
There is a way out of these problems: make the password itself superfluous. This is what Fido (Fast Identity Online, roughly “fast online identification”) is about. Fido is the name of a set of IT security standards.
The latest of them, Fido 2, is meant to enable secure, password-free login to online services; the password could then be retired. But how does it work? To log in via Fido 2, you first register a device with the respective service.
This can be a smartphone, a tablet or a computer. During registration the device generates a cryptographic key pair: a public key and a private key. The service receives the public key; the private key stays on the device, which thereby becomes the so-called authenticator. A separate key pair is created for every service the device is registered with.
A signature like the one on paper
To log in, the service sends the device a fresh, random challenge, and the device signs it with the private key. The service then checks the signature for authenticity with the public key it stored at registration.
In principle this works like a classic signature on paper, explains Prof. Markus Dürmuth of the Institute for IT Security at Leibniz Universität Hannover. “Only I know the flourish with which I write my signature; with a specimen to compare against, anyone can check it.”
The method is more secure than a password because the private key stays with the user. Passwords, by contrast, are secrets typed on keyboards: they can be intercepted locally or on their way through the network.
In addition, the service itself has to store the passwords, in encrypted form, in order to compare them with what the user types, says Dürmuth. During that comparison the password is briefly present in plain text, which is a security risk.
Fido 2, on the other hand, offers even more protection: the digital signature contains a time stamp, says Dürmuth, so even if attackers managed to intercept a signature, they could not use it later.
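The exchange described above, registration of a public key followed by challenge, signature and verification at login, and the point that an intercepted signature is useless later, as an added Go example. This is illustrative code written for this article, not part of the Fido standards or of any product, and it simplifies WebAuthn: Ed25519 from Go's standard library stands in for the signature algorithm, the signed message is a hash of the service identity followed by the challenge, and a single-use random challenge plays the role of the freshness check that the text describes as a time stamp. The names Authenticator, RelyingParty, bank.example and bank-login.example are assumptions. The last step goes slightly beyond the text: because every service gets its own key pair, a look-alike site asking the device to sign gets nothing at all.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the user's device: one private key per service (rpID); it hands out signatures, never keys.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

// Register generates a fresh key pair for rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// Sign answers rpID's login challenge; without a key registered for rpID there is nothing to sign.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), nil
}

// RelyingParty models the online service (assumed name): public keys per user, plus issued-but-unanswered challenges.
type RelyingParty struct {
	ID         string
	pubKeys    map[string]ed25519.PublicKey // user -> public key received at registration
	challenges map[string]bool              // hex(challenge) -> still valid
}

// NewChallenge issues 32 fresh random bytes, valid for exactly one login attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[hex.EncodeToString(c)] = true
	return c, nil
}

// Verify accepts a login only if the challenge was issued here and not yet consumed and the
// signature verifies under the user's stored public key; a replayed pair fails the first check.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if !rp.challenges[key] {
		return errors.New("unknown or already used challenge")
	}
	pub, ok := rp.pubKeys[user]
	if !ok || !ed25519.Verify(pub, signedData(rp.ID, challenge), sig) {
		return errors.New("unknown user or signature does not verify")
	}
	delete(rp.challenges, key) // consume it: the same answer is never accepted twice
	return nil
}

// signedData = hash(rpID) || challenge: a simplified stand-in for WebAuthn's authenticatorData || hash(clientDataJSON).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Demo runs registration, a login, a replay of that login and a look-alike site's signing request, and reports which were accepted.
func Demo() (loginOK, replayRejected, lookalikeRejected bool, err error) {
	auth := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	bank := &RelyingParty{ID: "bank.example", pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string]bool{}}
	pub, err := auth.Register(bank.ID) // registration: only the public key travels to the service
	if err != nil {
		return
	}
	bank.pubKeys["alice"] = pub
	ch, err := bank.NewChallenge() // login: the service sends a fresh challenge
	if err != nil {
		return
	}
	sig, err := auth.Sign(bank.ID, ch) // the device signs it; the private key stays put
	if err != nil {
		return
	}
	loginOK = bank.Verify("alice", ch, sig) == nil
	replayRejected = bank.Verify("alice", ch, sig) != nil // an eavesdropper replays the same pair later
	_, signErr := auth.Sign("bank-login.example", ch)       // a look-alike site asks for a signature: no key for it
	lookalikeRejected = signErr != nil
	return
}

func main() {
	loginOK, replay, lookalike, err := Demo()
	fmt.Println("login:", loginOK, "replay rejected:", replay, "look-alike rejected:", lookalike, "err:", err)
}
```

Two design points worth noting: the challenge is marked used only after a successful verification, so a single tampered or failed attempt does not lock the legitimate user out of that login, and the service identity is part of the signed bytes, so even a valid signature cannot be carried from one service to another.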
A special chip stores the key
What is more, the private key, also called the secret, is safe on the authenticator devices: it is stored in a so-called Trusted Platform Module (TPM), explains Jan Mahn of the trade magazine “c’t”. “These are hardware chips designed so that the secret has no way out.”
The private key is computed once on the device and stays there. When logging in, only the signature leaves the device, never the private key itself, says Mahn. Such crypto chips are now found in the vast majority of smartphones as well as in newer PCs and notebooks; Microsoft has even made a TPM a requirement for installing Windows 11.
If you still have an older computer or smartphone without such a chip, you can also keep the private key on a stick connected via USB (computer) or NFC (smartphone). These sticks with a built-in crypto chip are also called security keys or tokens, and under Fido 2 they can do more than replace the password.
Stick as password replacement or second factor
Depending on the service, a USB token can also serve as the second factor. With the stick plugged in, you only have to enter a PIN, or place your finger on the sensor if the stick has one. 2FA is part of the Fido standards as well.
But what if a user loses the smartphone on which the private key is stored? “The official recommendation for Fido 2 is to register two devices,” says Prof. Dürmuth. The second device does not have to be a smartphone or computer: a USB token kept in a safe place also works as a backup.
Jan Mahn mentions another way to regain access to an account in an emergency: many services issue backup codes at registration. It is best to write them down on paper and keep them somewhere safe.
Keys in the cloud?
A relatively new idea to solve the loss problem, and to make things even more convenient, is to additionally back up the private key in the cloud, i.e. on internet servers, or to synchronise it between devices over the internet. Apple, for example, takes this approach in its implementation of Fido 2.
In principle some security is given up on the cloud route, but that is justifiable in view of the greater usability of Fido 2, says Markus Dürmuth; the cloud storage is also specially protected.
Behind the open, licence-free Fido standards is the non-commercial Fido Alliance, in which many companies, service providers and public authorities have joined forces.
What the tech companies are planning
In early May 2022, Apple, Google and Microsoft jointly announced that they would extend Fido 2 with further functions by 2023. Users should be able to get at their credentials automatically on all their devices, including new ones, without having to re-enrol each account. It should also become possible to log in to an app or website on a nearby device using a mobile device as the authenticator, regardless of operating system or browser.
Microsoft has already introduced passwordless login for the Outlook web version and its Xbox Live gaming network, for example; it can be activated in the advanced security settings of the Microsoft account.
Dropbox, Google and Twitter already support Fido 2, at least as a second factor via a security key, although as a rule they do not call it Fido 2 but talk about “security keys” or “passkeys” instead.
Fido 2 is only as secure as its implementation
The Federal Office for Information Security (BSI) is also a member of the Fido Alliance. The agency rates the Fido 2 standard positively in many respects, a spokesman says. A real security gain, however, results only if the authenticator device itself is adequately secured.
According to the BSI, higher security levels also require independent testing and certification of how the Fido 2 standard is implemented, on a website for example, because security always depends on how the respective provider implements Fido 2 for its service.
Enable 2FA and password replacement wherever possible
“Ideally, IT security should annoy the attacker,” says Jan Mahn, and bother users as little as possible. “Fido 2 achieves this, especially with the new implementations.” On most Android, iOS and macOS devices, and under Windows too, Fido 2 is now very easy to use with existing hardware.
Mahn advises checking the security options in the account settings of each service and using Fido 2 wherever it is offered, either as a password replacement or as a second factor.