What is FIDO2?

25 June 2020

There’s a well-known issue with passwords: Simple passwords are easy to crack, but secure ones are hard to remember — this is a problem if, as good sense dictates, you use a different one for every online service. The idea behind the FIDO project is to supplement passwords and, in the medium term, to replace them altogether. Christoph Bayer, IT security expert at TÜViT, explains how the principle works and what makes it different from and safer than previous procedures.

#explore: What is FIDO2?
Christoph Bayer: FIDO stands for Fast Identity Online. The organisation behind this process is the FIDO Alliance, which was formed to facilitate authentication on the Internet – and ultimately to move us away from passwords completely. The problem is that secure passwords are long, complicated and accordingly difficult to remember; they can also be compromised, for example, by a data leak at the provider’s end or a Trojan on your own computer. The FIDO Alliance has developed standards for a secure authentication process. And FIDO2 is the latest collection of the specifications which qualify in this regard.

How does logging in via FIDO2 work?
FIDO represents an attempt to mitigate the security problem you get when you’re logging on using local user verification. The user needs what we call a FIDO authenticator, which might be a USB stick, smart card or an app on your smartphone or laptop on which a secret key is securely stored. Using this authenticator, the user starts the process of logging in to his or her e-mail account, for instance, where the process then runs on in the background. There are two different versions of this: A FIDO authenticator can be used as a “second factor” in addition to a user name and password. However, it can also replace the password as the sole factor – if the authenticator is additionally protected by a PIN or biometric factors such as your fingerprint, for example.

What makes the FIDO principle more secure than the standard password system?
In the registration process, the FIDO authenticator creates a key pair consisting of a public key and a secret private key. The public key is transferred to whatever online service you’re accessing, and this service can then use it during the sign-in process to determine whether you’re in possession of the associated private key. This private key is stored only on the FIDO authenticator. Meaning that it can’t be compromised by a data leak on the part of the e-mail provider or bank. And, of course, it's much easier for cybercriminals to carry out an attack online than to gain access to the local authenticator. Another advantage is that it mitigates the risk that arises when, as they still often do for convenience, many users use the same passwords for different Internet services. For example, if an attacker were to hack into my sports club’s online portal, they might be able to use it to access my e-mail account. FIDO mitigates this risk because the authenticator always generates random and independent keys for each service. FIDO also provides protection against phishing attacks. For example, if I want to log in to my bank, the server sends a challenge to my authenticator, by means of which it has to prove that it’s in possession of the private key. Information about the sender and the channel used is also transmitted alongside the challenge. This allows the FIDO token to determine whether the sender is actually my bank or a phishing attack. And if an attacker has hijacked the communication pathway between the bank and my computer, using what’s known as a man-in-the-middle attack, the authenticator will likewise raise the alarm.

What happens if my authenticator stops working and I’m actually using it as a password substitute – won’t I be able to access my online services any longer?
That’s right. If the authenticator gets broken or lost, you’ll no longer be able to log on using the keys stored on it. This is because a FIDO authenticator is always unique. You can't copy it, so you can't create a security back-up that you can use in an emergency. Which is why it’s important early on to register a second authenticator as an alternative log-in with the online services concerned. And this replacement authenticator should be kept safely at home.

And what if my FIDO authenticator is stolen from me? Can the thief simply access my accounts?
No, there’s no danger of that. In principle, authenticators have to meet different requirements depending on the purpose for which they’re supposed to be used. If they’re being used as a second factor in addition to the username and password, you usually only have to press a button to start the authentication. This isn’t, of course, much of an obstacle for a thief – but they would also have to know your username and password to get to your online accounts. If the authenticator is intended to completely replace the password login, it must be secured by additional procedures to ensure that only the legitimate user can use it. For example, with the familiar four-digit PIN that you use with your debit or credit card. And, as with the bank card, the authenticator will be blocked if this PIN is entered incorrectly a number of times. Authenticators with built-in fingerprint scanners are even more convenient. If you use your smart phone as an authenticator, this kind of biometric authentication can be carried out using the built-in facial recognition function or fingerprint sensor.

How do I turn my smartphone into a FIDO authenticator?
Many smartphones or computers already have secure elements installed. These serve as key stores and are strictly segregated from the rest of the potentially unsafe laptop or cell phone. The combination of secure elements and an app that implements the FIDO specification turns the smartphone into a FIDO authenticator. The advantage, of course, is that almost everyone now uses a smart phone. So, you wouldn't need an additional device like a USB stick or a smart card to log in via FIDO.

How is the security of these authenticators verified and ensured?
The manufacturer has to put the authenticator through appropriate compliance tests to demonstrate its functionality to the FIDO Alliance. The IT security of authenticators, for example, is examined at our testing centre. Depending on the desired level of security, we subject the authenticators to increasingly extensive and complex tests: For example, we check whether the power consumption during the login procedure might allow a hacker to work out which keys are being used. Or we try to generate errors in the device by changing voltages or hitting it with laser fire, which may in turn allow us to draw conclusions about the security keys. For authenticators with a correspondingly high security level, we also check the source code for vulnerabilities. Depending on the level of security, such a review process will take between two and six months. If all our tests and analyses don’t reveal any security vulnerabilities, the manufacturer will get a certificate for their authenticator from the FIDO Alliance.

Can I already use FIDO2 as a password replacement for all popular online services?
Logging in without a password already works with Microsoft.com and corresponding Microsoft services such as Outlook, Office 365 and OneDrive. In addition to a hardware key in the form of a USB stick, you can also use Microsoft's authentication technology, “Windows Hello”, which has now been certified as an official FIDO2 authenticator. For a lot of other services, such as Google, Dropbox or Twitter, you can set up FIDO2 as a second factor.

Will FIDO render passwords superfluous in the medium term?
The big tech companies are really interested in this system, whatever the outcome. The FIDO Alliance counts Microsoft, Google, Samsung, Facebook and Amazon among its members, along with payment card providers like VISA and Mastercard and online payment service PayPal. Since January 2020, the Apple group has also been officially involved and has gradually improved FIDO2 support for its smart phones and tablets over the past year. The extent to which FIDO moves into our everyday lives will depend, of course, on whether individual providers such as e-mail providers or banks allow authentication via FIDO.