Is There Life After Passwords? FIDO2 and the Future of Authentication.
Insecure passwords such as “password” or “123456” are still widespread, as are easily guessable names or strings that are too short. Such vulnerabilities are an invitation to hackers and pose a considerable risk to companies and private individuals. New technologies such as FIDO2, which are already established in many places, promise a remedy. They are secure, convenient and work without a password.
Passwords are still a problem for many users - they are too cumbersome and tedious. As a result, they are written down somewhere and reused everywhere. Consequently, the security of many devices and accounts is still poor, despite the availability of password managers and two-factor authentication (2FA)[i]. A lack of data security can lead to a lot of trouble and costs for private users and, in the worst case, to stolen identities. In a company, poor password practices can have devastating consequences[ii].
FIDO – Fast Identity Online
The FIDO Alliance, which includes Google, Microsoft, Apple, Lenovo, RedHat, Huawei and Sony, has been developing secure authentication solutions for more than a decade and now has more than 250 members[iii]. FIDO2 replaces conventional passwords with advanced cryptography and biometrics. The system is based on an asymmetric key pair: the public key is stored with the service, while the private key remains securely on the user's device. For login, the device only generates a signature; no sensitive data is transmitted. Authentication is done using either biometrics (such as fingerprints or facial recognition) or a physical security token, such as a smartphone or special hardware key. This means that even if an attacker obtains the credential data stored by the service, they cannot log in because they do not have the private key.
Where and when can you use FIDO2?
Microsoft, Google and Apple have driven the further development of FIDO2. Services such as Gmail, YouTube, Outlook, Teams, iCloud and platforms such as PayPal, eBay and Dropbox support the passwordless technology. Logging in is done using a fingerprint or face scan, or even more simply using a smartphone as the key: the phone approves logins to websites or apps on nearby devices (such as laptops) via Bluetooth, NFC or QR code - across platforms for Apple, Android and Windows devices. A key innovation is the cross-device synchronization of passkeys so that no re-registration is necessary. These functions have been available across the board since 2023.
FIDO2 is unique, but not the only option
FIDO2 is not the only method of passwordless authentication, but it offers a combination of security and ease of use that other solutions cannot match: Magic Links[iv] send a temporary login link by email - which is practical, but susceptible to phishing. TOTP apps (Google Authenticator, Authy) generate one-time codes - more secure than SMS, but not immune to phishing[v].
Smartcards with PKI offer maximum security, but require special hardware and IT infrastructure[vi].
Windows Hello and the fight against AI-supported attacks
Password theft is becoming increasingly efficient due to AI-supported attacks; weak passwords can be cracked in seconds. FIDO2 prevents this as there are no passwords that can be guessed or stolen. Microsoft's Windows Hello combines biometrics (since 2015) with FIDO2 technology (since 2019) to make passwordless logins the standard solution[vii]. According to Google, their team has not experienced any successful phishing attacks since the introduction of FIDO-based solutions, reinforced by FIDO2.
UMB for digital security
Switching to FIDO2 is a crucial step in making your digital communication more secure. UMB offers comprehensive expertise and solutions when it comes to two-factor authentication, multi-factor authentication, conditional access, identity protection and privileged access management. Our modular security concepts are specially tailored to the needs of modern companies. Only balanced organizational and technical measures can protect your company effectively and holistically. This requires the introduction of new security dimensions that complement traditional prevention (network and perimeter protection). In this way, we not only create security, but also time for you and your core business.
Interested? Contact us and learn more.
[i] What Is Two-Factor Authentication (2FA)? | Microsoft Security
[ii] 50+ Password Statistics: The State of Password Security in 2024
[iii] FIDO Alliance - Open Authentication Standards More Secure than Passwords
[iv] Passwordless Authentication with Magic Links
[v] The Best Authenticator Apps for 2025 | PCMag