
Fido2: How the password successor works

2019-10-20T08:31:38.352Z


The new log-in procedure Fido2 has what it takes to replace the password. The experts from the "c't" explain what you need to know about the new technology.



What is Fido2 actually?

Fido2 is a new way to register and log in to web services. It can be used either instead of a password or in addition to one, as a second factor.

You need a so-called authenticator for this: you can get one in the form of a USB stick, for example, which you can attach to your keychain. When logging in, you simply plug the stick into the computer and press the button on it to authenticate to the service.

On Windows and Android, and to a limited extent on macOS, it even works without additional hardware, since the operating systems themselves act as virtual authenticators.

Depending on how a service has implemented Fido2, the stick alone is sufficient for logging in (one-factor authentication), or you also have to enter a PIN or password (two factors). Both variants are much safer than relying on a password alone.

What do terms like Authenticator, Token and Security Key mean?

The Fido2 stick goes by many names. Whether people speak of an authenticator, a token or a security key, what is meant is the device with which you authenticate to services. It can be an external device that connects to your PC or smartphone via USB, NFC, Bluetooth or Lightning. These devices usually have the form factor of a USB stick or key fob. A Fido2 stick is an external authenticator.

In addition, there are internal authenticators: software that uses the crypto chip of your PC, smartphone or tablet for Fido2, so you can save yourself the purchase of a Fido2 stick. Windows 10 and Android from version 7 can act as internal authenticators; on macOS this works in combination with Google's Chrome browser.

The secret crypto key is the secret stored in your token. You can think of it as a random string that only your token knows. This secret cannot be read out or copied.

Where can I use Fido2 now?

Logging in without a password already works with Microsoft.com and its associated services, such as Outlook.com, Office 365 and OneDrive, if you use the Edge browser. For many other services, you can set Fido2 as the second factor. You then benefit from the protection against phishing attacks and the like, but still have to enter your password. This works, for example, with Google, GitHub, Dropbox, Twitter and BoxCryptor. You can try it out on the demo page WebAuthn.io.

Can I register multiple security keys for a service?

Yes, that is possible and even highly recommended: if you lose one of them, you still have a second one with which you can log in and block the lost security key.

Can't someone just steal such a USB security key?

Yes, that is possible in principle, just as someone could steal your car or apartment key. Then it is important to block access for the accounts concerned as quickly as possible.

A key advantage over passwords is that theft is no longer possible virtually, over the network. It is no longer enough for the cyber-mafia to get hold of millions of passwords with a Trojan or by breaking into a server. Someone has to steal a security key physically and abuse it. Ultimately, this is unattractive for cybercriminals.

Can I protect myself against the theft of my security key?

Yes, this is explicitly provided for in the Fido2 standard. The virtual keys built into Windows and Android are therefore always protected by a second factor, such as a fingerprint or a PIN, which prevents use by strangers.

There are also USB tokens that require such a second factor. For example, you can lock Yubico's YubiKeys with an additional PIN that you have to enter to use the security key. Feitian offers USB tokens with a built-in fingerprint scanner.

How do I get back into my accounts if my stick is lost or stolen?

This is a weak point of the current concept, and there are still many open questions in this area. In particular, much depends on how the services actually implement it. Two variants are emerging.

  • Accounts with high security requirements (payment, e-mail, etc.): here you have to prove your identity in some other secure way when you lose the stick, either with a second key that you registered as a precaution, with a backup code, with a code sent to the stored mobile number, possibly in combination with an e-mail confirmation, or similar.
  • Accounts with less demanding requirements (forums, shops and the like): there will probably be a simple reset via a stored e-mail address or mobile number. That is also reasonable, because you do not have to secure every forum account like Fort Knox. The focus there is rather on convenience and low maintenance effort for the operator.

How robust are USB tokens?

The tokens are designed to be worn on a keychain. We have had very good experiences with the YubiKeys in this regard, for example. They survive several years of harsh use on a keychain and then show significant signs of wear, but still work fine.

Can I back up my token?

No, that is explicitly not possible - and that's a good thing. Fido2 tokens cannot be copied, and the secret crypto keys stored on them cannot be read out either. A Fido2 security key is always unique; that is the basic idea behind Fido2. This makes the tokens much safer than passwords: a Trojan can pick up your password, but not the secret crypto key of your Fido2 token. In order to keep access to your accounts in the event of loss or hardware failure, you must set up a second authentication option, for example by enrolling a second token or printing out backup codes.

How can I use Fido2 on my Android smartphone?

You need Android 7 or higher. In addition, the Google Play services must be up to date, as Google distributes the function to devices via an update of these services. To receive the update and make the services work properly, you must have set up a Google account. If it still fails, your Android device may lack a "secure element" that would manage the crypto key used by Fido2.

Can I use my smartphone as a security key for the PC?

Theoretically yes, practically no. From a technical point of view, almost any device can act as a Fido2 token over Bluetooth, NFC or USB, as long as it takes care of the secure storage of the secret key. A smartphone would be ideal for this because it is usually equipped not only with Bluetooth but also with a secure element for the crypto operations. Even smartwatches would be well suited. So far, however, the appropriate software is lacking.

Google is already experimenting with this idea. If you configure your Google account accordingly, the Google site opened on the PC connects to the smartphone via Bluetooth when you log in. The crypto operations then take place on the smartphone. In the long term, it is conceivable that Google will build this feature into Android and that the smartphone will also be usable as an external authenticator for other services.

Can I also use Fido2 with macOS and iPhone?

As a macOS user, you can easily use Fido2 sticks with Chrome and Firefox. Safari only supports the standard with rudimentary functionality: the sticks work with it, but the corresponding dialogues are still missing from the user interface. Google Chrome is already further along on macOS: anyone with a MacBook with a fingerprint sensor (Touch ID) can even use the computer itself as a security key.

On iOS, the only option is the detour via the Fido2 stick YubiKey 5 Ci from Yubico, which has a USB-C and a Lightning connector. The choice of browsers is extremely limited: currently only the "Brave" browser (open source software) can use the stick. Read the c't test of the YubiKey 5 Ci here.

How about Linux?

On Linux, you can use your Fido2 stick just as on any other operating system. The key is that the browser supports the WebAuthn API. Most current browsers, such as Firefox and Google Chrome, are already Fido2-ready.

If it does not work, check whether you have the latest browser version installed. There are already first attempts to use the computer's TPM module as an internal authenticator under Linux, which would let you do without an external Fido2 token. However, there is currently no stable implementation.

Can't I be tracked on the net if I use the same security key everywhere?

When the Fido2 standard was developed, care was taken to ensure that this is not possible. The security key generates a separate key pair for each service, based on the domain of the other party. Thus, for example, eBay and Google cannot determine which of their users use the same security key.

There is an optional recognition mechanism in which the server asks the key to additionally submit its serial number. The user must agree to this request in a separate dialogue, so secret tracking is not possible. The function is intended, for example, for the enterprise environment, where perhaps only security keys from a certain manufacturer are to be used.

Will my fingerprint be transferred to Google & Co. if I identify with it?

No, that does not happen. Neither the PIN nor the fingerprint or facial scan are used for the actual login to a service. These data remain strictly local to the security key; they merely prove to the security key that you are actually the right user.

How do I enable my users to log in to my website via Fido2?

This works with manageable effort and without investment. There are many open source WebAuthn implementations that you can build into your web service with some skill. As a basis you can, for example, take our project written in Go.
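To make the mechanism described in this article concrete (a separate key pair per service derived for the domain of the other party, a secret that never leaves the token, a PIN or fingerprint that is only checked locally, and a server that stores nothing but public keys), here is a toy model of the registration and login ceremonies in Go. It is an added example, not the c't project's code or any real WebAuthn library: the names Authenticator, RelyingParty, Register, Sign and Verify, the domains ebay.example, google.example and ebay-login.example, the PIN and the challenge bytes are all constructed for the illustration, and it simplifies the real protocol to one credential per relying-party ID with a bare SHA-256 binding of RP ID and challenge standing in for WebAuthn's authenticator data and client data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator is a toy model of a FIDO2 security key: private keys never leave it,
// every relying party (RP) gets its own pair, and the PIN stands in for any local user
// verification (PIN, fingerprint, face). Simplified to one credential per RP ID.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // RP ID -> private key, never exported
	pin  string                       // checked locally, never sent to the RP
}

func NewAuthenticator(pin string) *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}, pin: pin}
}

// Register creates a fresh P-256 key pair for rpID and hands out only the public half.
func (a *Authenticator) Register(rpID, pin string) (*ecdsa.PublicKey, error) {
	if pin != a.pin {
		return nil, errors.New("user verification failed")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Assertion is the authenticator's answer to a login challenge.
type Assertion struct {
	RPIDHash [32]byte // which service the signature was made for
	Sig      []byte   // ECDSA signature over signedData(...)
}

// signedData binds a signature to both the RP and the server's one-time challenge.
func signedData(rpIDHash [32]byte, challenge []byte) []byte {
	h := sha256.New()
	h.Write(rpIDHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge for rpID. In a real browser the RP ID comes from the page's
// origin, not from the user, so a look-alike domain asks for a credential the key lacks.
func (a *Authenticator) Sign(rpID, pin string, challenge []byte) (*Assertion, error) {
	if pin != a.pin {
		return nil, errors.New("user verification failed")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential for this relying party")
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(rpIDHash, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{RPIDHash: rpIDHash, Sig: sig}, nil
}

// RelyingParty is the server side; it only ever stores public keys.
type RelyingParty struct {
	ID   string
	pubs map[string]*ecdsa.PublicKey // user -> public key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: map[string]*ecdsa.PublicKey{}}
}
func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubs[user] = pub }

// Verify accepts an assertion only if it names this RP and carries a valid signature
// over the challenge this RP issued; a signature made for another domain is rejected.
func (rp *RelyingParty) Verify(user string, challenge []byte, as *Assertion) bool {
	pub, ok := rp.pubs[user]
	if !ok || as.RPIDHash != sha256.Sum256([]byte(rp.ID)) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(as.RPIDHash, challenge), as.Sig)
}

func main() {
	auth, ebay := NewAuthenticator("1234"), NewRelyingParty("ebay.example")
	pubE, _ := auth.Register(ebay.ID, "1234")
	pubG, _ := auth.Register("google.example", "1234")
	fmt.Println("same public key at both services:", pubE.Equal(pubG)) // false: not linkable
	ebay.Enroll("alice", pubE)
	ch := []byte("constructed challenge") // a real RP draws fresh random bytes per login
	as, _ := auth.Sign(ebay.ID, "1234", ch)
	fmt.Println("login with the issued challenge:", ebay.Verify("alice", ch, as))
	_, err := auth.Sign("ebay-login.example", "1234", ch) // look-alike domain
	fmt.Println("look-alike domain:", err)
}
```

Running it shows the four properties the article relies on: the two services receive different public keys, so they cannot tell that the same token is behind both; an assertion only verifies for the challenge and the relying party it was made for; a look-alike domain finds no credential, because the relying-party ID is taken from the page origin rather than from the user; and a wrong PIN is refused by the key itself and never reaches the server. A production relying party additionally checks the origin inside the signed client data and the authenticator's signature counter, which this toy omits.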

Source: spiegel
