Fido2: here’s how access without password works

Whether it’s banking and financial transactions, shopping or communication with friends and family: in the era of the computer, smartphone & Co. there is an important part of online life. Above all, the secure recording with web services and privacy protection play an important role. However, the growing number of stolen user data shows that the introduction of the username and password is no longer enough. The new Fido2 authentication standard already allows a secure registration without password. In this article we explain how the new access procedure works and what advantages and disadvantages has.

1. Here’s how authentication with Fido2 works

Fido2 is based on the client to Authenticator Protocol (Ctap) and on the WEBOUTHNM Standard W3Cwhich allow verification with the help of cryptographic (eg Pin or biometry) or external authentors. These can be, for example, USB sticks, wearable devices and even mobile devices such as smartphones or tablets.

The authors of the web allow you to activate Fido authentication via a standard web fipi (in JavaScript), which is also implemented in various operating systems and browsers. Ctap allows the various Taken Fido2 to interact with the respective browser and also to perform as an authenticator. However, both the browser and the tokens used must be able to communicate via Ctap.

Good to know: On Windows 10 and Android of version 7, Fido2 authentication even works without additional hardware, since these operating systems can act as authenticators (virtual) themselves. Under macOS it works exclusively in combination with Google Chrome. In the current beta version of iOS 13.3, Safari now also dominates the new recording standard.

With the Fido2 key, you have a reliable web-auth controller (the so-called Fido2 server), which usually belongs to a website or a web application. Depending on the implementation of the service, there are two different options for the choice:

Al Authentication to a factor You just need the authenticator (for example the USB lever) for access, while you Two -factor authentication It is also necessary to enter a PIN code or a password.

Good to know: Fido2 launched Fido Alliance non -commercial, founded in 2012 by Lenovo, Paypal, finally, Nok Nok Labs, validity and agnitio sensors. A year later, Google, NXP and Yubico have also joined. The aim of the group of interest is to develop open and free industrial standards for global internet authentication.

2. What advantages and disadvantages do I trust2 compared to other authentication methods?

Clearly: passwords in themselves are an immense risk for safety. By default, Fido2 has encrypted access with a pair of keys (public and private) and compared with an authentication of the «normal» password, Fido2 offers a significantly less attack space for hackers. If someone wants to access their user accounts, it should be owned by their token. The release can only be performed via the registered device. Safety risks such as password thefts are therefore practically a memory of the past.

Taken Fido can also be used for various web services. This means that it is no longer necessary to remember dozens of different passwords, but you can simply access with a click, speech input or hardware. As already mentioned, the authentication of some operating systems can be carried out even without external hardware. This not only makes the recording processes more comfortable and faster, but also saves space on the key ring.

Currently not available for all web services

Despite all the advantage, Fido2 also has some disadvantages, which obviously we don’t want to leave here. On the one hand, few web services currently offer the new form of authentication. In addition, there are the acquisition costs for the external authenticator, which can quickly become very expensive in companies where each employee needs their own token.

Another problem: if you want to implement Fido2 as part of a two -factor authentication, it is also necessary to continue inserting a PIN code or a password. If you have to register with various services several times a day, this can be undertaken in the long term.

3. Fido2 in practice: various examples of applications

Fido2 is currently at the beginning, but experts provide that all services online sooner or later support the standard. Facebook, Twitter and Github are currently offering support for Fido2. Microsoft Services users can even access without password. Microsoft’s web services were also the only ones that Webauthns offer in addition to two -factor authentication, but also for access without passwords.

In addition, authentication is already possible with Chrome, Edge, Firefox, Windows and Android. Only Apple sprouts, as usual, through and filed with its solution called «Login with Apple». Sooner or later you will probably have to fold the new standard here.

This might seem like a job with Fido2 in the future

• For the Windows registration Use a Taken Fido (e.g. Yubico Yubikey), which connects to a USB port on your PC. You will be recorded by briefly pressing the touch button. Other imaginable scenarios are Windows release via a smartphone or smartwatch, with the help of an external digital fingerprint reader or facial recognition via the camera.
• Die Registration with Facebook, Amazon, Google and Co. In the future it will take place on a compatible Android smartphone.
• For example, you can also have a security key Link to your Keepass account. This can therefore be unlocked through the smartphone with the help of the keys without having to make further rumors.

Tipp: On the Webauthn.io website, you can register and access on the basis of web cars and then test the new web authentication in advance according to the W3C specifications.

A deeper discussion on Fido2 can be found in the following video:

https://www.youtube.com/watch?v=77y3ygrwe6e

(49 votes, media: 4.50 out of 5)

Loading …