Thanks to FIDO2 We May Finally Forget Our Passwords

Managing many passwords is too cumbersome for most users. This leads to passwords being written down or constantly reused. But now, once again, a remedy is promised. FIDO stands for "Fast Identity Online" and denotes a technology that is more secure - and is meant to be more convenient as well. Google, Microsoft, and Apple have announced that they will support the new standard on their platforms in an enhanced form.

Markus Kaegi
+41 58 510 16 98

In 30 countries, "password" is the most popular and most used password of all, closely followed in second place by the numerical sequence "123456"[i]. In third place - probably due to password length requirements - is "123456789". Cracking such a password takes a hacker less than a second. So, despite the availability of password managers and two-factor authentication (2FA)[ii], the security of many devices and accounts is not in good shape. For private users, weak password security can mean considerable trouble and cost, in the worst case identity theft. In a company, such password practices can have devastating effects.


A new passwordless standard

Many world-renowned companies are part of the FIDO Alliance, which was founded ten years ago: Lenovo, Samsung, Microsoft, Apple, Google, PayPal, eBay, Red Hat, Huawei, and Sony are just a few of the companies that share the goal of developing login technologies that are convenient and secure[iii]. FIDO2 is the most recent result of these efforts.

The FIDO2 authentication process makes passwordless logins possible and protects against common online threats such as phishing and man-in-the-middle attacks[iv]. FIDO2 works with a private and a public key. Both are cryptographic keys, generated together as a mathematically linked pair, that are used to prove the user's identity. The public key is sent to the service, while the private key is stored on the user's own device. When logging in, the device creates a digital signature with the private key. The service can check this signature for authenticity using the public key.

The private key is never sent but always remains on the user's own device (and so, unlike a password, cannot be intercepted in transit).


Minimal user engagement is required

However, even FIDO2 does not work without a minimum of effort from users. They must register with the corresponding service:

  • An application must be filled out and a FIDO2 security key selected.
  • The service then generates the FIDO2 authentication key pair.
  • The user's FIDO2 device then sends the public key to the corresponding account, while the private key, which must remain secret, stays on the user's own device.
  • Once the secure communication path is activated, the credentials are permanently stored so that one can always log in again later.

Once registered, logging in is straightforward and secure - a password is no longer required. When the login request is signed with the private FIDO2 key, access to the corresponding account is granted.
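As an added example (not code from the article or the FIDO Alliance), the following Go program models the registration and login flow described above in simplified form: the device generates the key pair and keeps the private key, the service stores only the public key and issues a random challenge, and the device answers by signing that challenge together with the origin it is talking to. The type and function names, the origin "bank.example" and the "|" separator are assumptions; real WebAuthn signs authenticatorData plus a hash of clientDataJSON instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the user's FIDO2 device: the private key lives here and is never exported.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// RelyingParty models the online service: it stores only the public key received at registration.
type RelyingParty struct {
	id     string
	pubKey *ecdsa.PublicKey
}

// Register generates the key pair on the device and hands the service the public half only.
func Register(rpID string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &RelyingParty{id: rpID, pubKey: &priv.PublicKey}, nil
}

// Challenge issues fresh random bytes; a signature is valid only for the challenge it answers.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the challenge to the origin the device believes it is talking to
// (a simplified stand-in for WebAuthn's authenticatorData plus clientDataJSON hash; assumption).
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Sign answers a login request: only the signature leaves the device, never the key.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, challenge))
}

// Verify accepts an assertion only if it was made with the registered key, over this service's
// own ID and this exact challenge, so an assertion relayed from a phishing page or replayed fails.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(rp.pubKey, signedData(rp.id, challenge), sig)
}
```

Because the origin is part of the signed data, an assertion the device produced for a look-alike site does not verify at the genuine service even if the challenge was relayed unchanged.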


The big players have joined in

Microsoft, Google, and Apple have now announced that they will extend the joint standard for passwordless logins on their respective platforms[v]. The three companies already led the development of FIDO2's expanded feature set, and their platforms already support the FIDO Alliance standards. (Microsoft's Windows Hello has already been FIDO-certified since 2019[vi], and Google uses FIDO authentication for both its employees and users, stating that there has been no successful phishing attack against Google employees since using FIDO security keys).

Previous implementations required users to log in to each website or app with each device before they could use passwordless functionality. Now, two new features are expected to make passwordless sign-in even easier: first, automatic access to FIDO credentials from multiple devices, including new ones, without having to enrol each device anew; second, the ability to use FIDO authentication on a mobile device to log in to an app or website on a nearby device, regardless of operating system or browser. These new features are expected to be available on Apple, Google, and Microsoft platforms later next year.


UMB: Making the digital world a safer place

Integrating FIDO2 into authentication processes and enabling passwordless logon is an important step towards making communication more secure in an increasingly complex digital world. UMB can provide you with comprehensive support regarding identity security and access management, including two-factor authentication, multi-factor authentication, conditional access, and privileged access management.

Thanks to modular cybersecurity services, UMB also provides lasting protection against cyberattacks in all other areas. At UMB, cybersecurity is not viewed in isolation but as part of IT, workplace, and digitalization concepts[vii]. Only balanced organizational and technical measures will protect your company effectively and holistically. To achieve this, new security dimensions must be introduced that complement classic prevention (network and perimeter protection). In this way, we create not only security but also time for you - for example, for your core business. Please contact us to find out more.


[i] The top 200 most common passwords in 2022

[ii] Identity Management: What You Know. What You Have. Who You Are

[iii] FIDO Alliance Member Companies & Organizations

[iv] What Is a Man-in-the-Middle Attack (MitM)?

[v] Apple, Google, and Microsoft commit to expanded support for FIDO standard

[vi] Windows Hello FIDO2 certification gets you closer to passwordless

[vii] UMB Cyber Security: A New Dimension in Security