The Limited Times


World Password Day: FIDO standard to replace passwords

2022-05-05T12:14:48.890Z


Bad passphrases or passphrases that have fallen into the wrong hands are the greatest danger on the Internet. But that could soon be a thing of the past if passwordless login becomes established.



This is what online registration could look like in the future (icon image)

Photo: FIDO Alliance

Because this Thursday is World Password Day, we could show you how to come up with good passwords and some strategies to avoid forgetting them.

But we did that ten years ago and again not too long ago.

We could also explain how to use apps called password managers that generate passwords and remember them right away, just like we've done in this article and in this one.

Above all, we could remind you that two-factor authentication is much better than any password, no matter how good it is, because it takes a second factor into account when logging in, such as an SMS to your mobile phone.

But we did that five years ago and reminded you of it again last year.

However, we are constantly reminded that not all internet users read our or other articles about strong passwords and even more secure two-factor logins, or take them seriously.

That happens every year when lists of the most popular – and weakest – passwords are compiled.

There is no other way to explain why »123456« is still a perennial favorite on these lists, as we reported shortly before Christmas 2021.

And the year before that, the year before that, and the year before that.

You just have to look at it realistically: good passwords are inconvenient, as are secure log-in methods.

The BSI is already on board

But that could slowly change if what the FIDO Alliance came up with together with “hundreds of technology companies and service providers from all over the world” works out.

All the more so since the three big tech companies – Apple, Google and Microsoft – played a leading role in it.

With FIDO you no longer need passwords to log in, just a digital security key.

And handling exactly that key is now supposed to become much more convenient.

In case you don't know FIDO: the abbreviation has stood for Fast IDentity Online for a good decade.

Behind it are several hundred companies and organizations that are jointly developing standards for secure passwordless login to online services and apps.

In addition to the companies mentioned above, Visa and Mastercard, Huawei and Netflix as well as the German Federal Office for Information Security (BSI) are among them.

Nobody knows your secret

What makes FIDO so special: Instead of using passwords and second factors that can be stolen or hijacked by criminals, it uses cryptographic methods to protect its users' log-in data.

The basis for this is a cryptographic master key, from which a separate key is generated for each service, app and website.

This can be stored, for example, on a USB dongle or in a secure memory area of a smartphone.

A second, public key is now generated for every website and every app that you log into with FIDO.

Log-in is only possible if both keys match.

With FIDO, it is no longer of any use to criminals to steal log-in data from a website.

Without the user's private key, the public keys are worthless.

Phishing attempts also come to nothing.

If a fake e-mail is used to lure you to a fake website in order to log in there, the system generates a separate public key for that site.

At best, the perpetrators could obtain the data needed to log in to their own fake website, but they would gain no access to the original.
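
How the key pairs described above resist both database theft and phishing, as an added example that is not part of the original article: a simplified Node.js simulation, not the real WebAuthn/CTAP message format. The class names, the `demo` function and the `.example` origins are hypothetical, and freshly generated per-site key pairs stand in for keys derived from a master key.

```javascript
// Added illustration (not the WebAuthn/CTAP wire format); all names are hypothetical.
const crypto = require('node:crypto');
// Authenticator: one private key per website origin, never exported.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey; // only the public half leaves the device
  }
  sign(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null; // no credential for this origin
    // The origin reported by the browser is part of the signed data.
    const data = Buffer.from(JSON.stringify({ origin, challenge }));
    return crypto.sign('sha256', data, privateKey);
  }
}

// Website: stores public keys only, so a stolen user table holds no secrets.
class Website {
  constructor(origin) { this.origin = origin; this.users = new Map(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  newChallenge() { return crypto.randomBytes(32).toString('base64'); }
  verify(user, challenge, signature) {
    const publicKey = this.users.get(user);
    if (!publicKey || !signature) return false;
    const data = Buffer.from(JSON.stringify({ origin: this.origin, challenge }));
    return crypto.verify('sha256', data, publicKey, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const bank = new Website('https://bank.example'); // constructed sample origin
  bank.enroll('alice', device.register(bank.origin));
  const c1 = bank.newChallenge();
  const genuine = bank.verify('alice', c1, device.sign(bank.origin, c1));
  // Look-alike page forwards a real challenge; the browser reports its own origin.
  const fake = 'https://bank-login.example';
  const c2 = bank.newChallenge();
  const noCredential = device.sign(fake, c2) === null;
  device.register(fake); // even after enrolling at the fake site
  const relayed = bank.verify('alice', c2, device.sign(fake, c2));
  // An old signature does not answer a new challenge.
  const replayed = bank.verify('alice', c2, device.sign(bank.origin, c1));
  return { genuine, noCredential, relayed, replayed };
}
console.log(demo());
```

Only the genuine login verifies; the signature made for the look-alike origin and the replayed signature are both rejected by the real site.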

Too complicated

So far, FIDO is best known for USB dongles with fingerprint sensors, such as those from Yubikey.

You can use them to log into your company e-mail account, for example, by identifying yourself with your fingerprint.

However, FIDO technology is also built into browsers such as Chrome and Edge and operating systems such as Windows, Android, iOS and macOS.

Nevertheless, FIDO has so far been used primarily by large companies whose IT departments take care of equipping the employees' devices with it.

The fact that the technology has so far hardly caught on with private individuals is mainly due to its user-friendliness - or rather a lack of it - says Andrew Shikiar, Executive Director of the FIDO Alliance, in an interview with SPIEGEL.

The cloud is the key

Until now, you needed either a USB dongle, or every device you wanted to use to log in to a service had to be registered with that service.

In the future, however, you should be able to access your FIDO access data from several devices via the cloud.

A backup of the private key would be stored in the cloud so that it can be accessed from other devices, Shikiar explains.

The second innovation is that you can use your smartphone to log into websites and services.

It is sufficient if the mobile phone is close to the device being used, says Shikiar.

Which browser or which operating system you use is irrelevant.

It is only important that the devices are connected via Bluetooth.

The smartphone then serves as a key carrier, which in turn identifies you biometrically as the rightful user.

No matter which of these methods you use, you will no longer need passwords in the future, at least not for services that support FIDO.

Which is not to say that you can start with it tomorrow.

While FIDO technology is already being used by many companies, it will be some time before Apple, Google and Microsoft have integrated the new functions announced on Thursday into their operating systems and cloud services.

FIDO manager Shikiar estimates a maximum of 18 months.

Source: spiegel
