What is Fido 2 and how is Big Tech creating a world without passwords?

Passwords could soon be a thing of the past. Tech giants like Apple, Google and Microsoft want to establish password-free logins in 2023, something they say will be not only more convenient, but also more secure. How will it work?

Microsoft has joined other tech giants in pledging to introduce the Fido 2 authentication system.
Microsoft has joined other tech giants in pledging to introduce the Fido 2 authentication system.  © Unsplash/@impelling

It’s impossible to remember all the passwords needed for different internet services. That’s where a password manager comes in useful, but that too needs a password. And no matter how good a password is, it can always be stolen.

Logging in using two steps (two-factor authentication/2FA), in which a second factor, such as an app-generated code, is checked in addition to the password increases security, but does not make logging in any less complicated.

There is a solution to all these problems – simply make the password itself a thing of the past. It’s called Fido (Fast Identity Online) and it encompasses several IT security standards.

The latest version, Fido 2, is intended to enable secure, password-free logins to online services, thereby making passwords obsolete. Apple, Google, and Microsoft are among those hoping to usher in a password-free world using this system.

How Fido 2 works

Anyone who wants to log in using Fido 2 has to first register a device such as a smartphone, tablet, or computer with the respective service (stock image).
Anyone who wants to log in using Fido 2 has to first register a device such as a smartphone, tablet, or computer with the respective service (stock image).  © Unsplash/@danny144

Here's how it works: anyone who wants to log in using Fido 2 has to first register a device such as a smartphone, tablet, or computer with the respective service.

During registration, two cryptographic strings are generated that together form a pair, the public and the private key. The service receives the public key, while the private key is stored on the device, which then becomes an authenticator.

If you now want to log in, the device creates a digital signature using the private key. The service can then check the authenticity of this signature using the public key.

The Fido 2 process is more secure because the private key resides only with the user and because the signature contains a time stamp so that even if attackers manage to intercept the signature, they can’t use it later.

Special chip stores the key

Fido uses a unique digital signature that is stored both on a registered device and the Fido system.
Fido uses a unique digital signature that is stored both on a registered device and the Fido system.  © Unsplash/@kellysikkema

The private key, also known as the secret, is secure on authenticator devices where it’s stored in a so-called Trusted Platform Module (TPM).

"These are hardware chips that are designed in such a way that they have no output for the secret," IT security specialist Jan Mahn told the DPA.

The private key is calculated once in the device and then stored there. When logging in, only the signature leaves the device, not the private key itself, Mahn explained.

A TPM with crypto chips is found in most smartphones today, as well as in newer PCs and notebooks. Microsoft has also made having a TPM a prerequisite for the installation of Windows 11.

Those who have an older computer or smartphone without a TPM can also store the private key on sticks that are connected using USB to a computer or NFC to a smartphone.

These sticks with built-in crypto chips are also called tokens and can not only replace the password in Fido 2, but can also, depending on the service, act as a second factor. This is because 2FA is also part of the Fido standards.

But what if you lose the smartphone on which the private key is stored? The official recommendation is to always have two devices registered with Fido 2.

The second device does not necessarily have to be a smartphone or a computer – a securely stored USB token also makes a good backup.

Keys in the cloud

A relatively new idea for solving the problem of lost keys and for even greater user-friendliness is to synchronize the private key in the cloud.

It can be stored on internet servers, but can also be synchronized over the network on any number of devices. This is how Apple, for example, is proceeding with its Fido 2 implementation.

In May this year, Apple, Google, and Microsoft jointly announced their intention to add further functions to Fido 2 by 2023. Users will be able to access their credentials automatically on various devices without having to log in again for each account.

With most Android, iOS, and macOS devices, but also under Windows, it's now very easy to use Fido 2 with existing hardware, Jan Mahn insisted

He advises using Fido 2 wherever possible, either as a password replacement or a second factor.

Cover photo: Unsplash/@impelling

More on the topic Tech: