without a password with FIDO2

FIDO2 Authentication

German version available

FIDO2 is on everyone's lips at the moment. The new standard from the Fast IDentity Online (FIDO) Alliance is becoming a real alternative to the unpopular password. And because the FIDO2 standard is also favored by the World Wide Web Consortium (W3C), it is worth taking a closer look at it.


Passwords always have the disadvantage that they are only secure as long as they remain a secret. The whole idea of password authentication rests on the concept that I tell a service my secret and the service can check it. For example, a hash (a kind of checksum) is computed from the password and compared with a stored hash. With a suitable hash algorithm, identical hashes let me conclude that the supplied password and the stored password (or rather its hash) are identical. The problem: my password secret is difficult to manage. I can forget it, or someone can simply spy on it and then use it himself. Sometimes a server operator loses it in a hacker attack.

FIDO takes a different path. The secret is managed on a security chip; FIDO calls the combination of security key and software an authenticator. This can be an external token or a platform authenticator, as in Windows 10 or Android. Each FIDO identity has an individual secret, a random number that cannot be read out. From this secure secret, the authenticator creates an asymmetric key pair when it logs on to and registers with a service. The authenticator calculates the private key from the domain of the web service and its secret; from that, the public key can then be derived simply.

This means the authenticator does not need to store the cryptographic keys for a service: it can simply recompute them every time it is used! On registration, a web service stores only the public key in the cloud. The secret stays securely with me.

Each time I log in to a service, the requesting server sends a challenge to the authenticator in the form of a random number. The authenticator signs this number with the private key that matches the service and returns it. The server can then verify the digital signature using the public part of my key that it stored during registration. If the data checks out, the service can be sure that it is really me logging in.


FIDO does things differently and has good answers to the annoying topics of eavesdropping, phishing and password theft. Each time you sign in, a different challenge is transferred and signed, which makes listening on the wire useless. And even if the connection is intercepted, the secret never crossed the line. Replay attacks are impossible. The password itself was never transferred.
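The registration and login flow described above, as an added example that is not from the original post: a Go model in which the authenticator keeps only one master secret and re-derives each service's key pair from it, while the server stores nothing but the public key and accepts each challenge it issued exactly once. The derivation (HMAC-SHA256 of master secret and service domain used as an Ed25519 seed) is an assumption for illustration, not any real authenticator's algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the security chip: one non-extractable master secret
// (constructed sample data) and no stored per-service keys at all.
type Authenticator struct{ secret []byte }

// deriveKey recomputes a service's key pair from master secret + domain (rpID).
// Assumed simplified derivation, not a real authenticator's: HMAC output = seed.
func (a *Authenticator) deriveKey(rpID string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, a.secret)
	mac.Write([]byte(rpID))
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// Register hands the service its public key; the private half never leaves the chip.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	return a.deriveKey(rpID).Public().(ed25519.PublicKey)
}

// Sign answers a login challenge with the key for the domain the browser reports.
func (a *Authenticator) Sign(rpID string, challenge []byte) []byte {
	return ed25519.Sign(a.deriveKey(rpID), challenge)
}

// Server stores only the registered public key plus the challenges still open.
type Server struct {
	pub     ed25519.PublicKey
	pending map[string]bool
}

func NewServer(pub ed25519.PublicKey) *Server { return &Server{pub, map[string]bool{}} }

// NewChallenge issues a fresh 32-byte random challenge and remembers it as open.
func (s *Server) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	s.pending[string(c)] = true
	return c
}

// Verify accepts a signature only over an issued, still-open challenge, so a
// replayed signature is rejected although it is cryptographically valid.
func (s *Server) Verify(challenge, sig []byte) bool {
	if !s.pending[string(challenge)] {
		return false
	}
	delete(s.pending, string(challenge))
	return ed25519.Verify(s.pub, challenge, sig)
}
```

Because the key is bound to the domain, a signature made for any other domain does not verify against the stored public key, which is the phishing resistance the text refers to.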

Hackers who have stolen large password databases will not be able to do anything with the public keys, because the secret lies with the user in a security key.

And a Trojan that wants to steal my security key from my computer does not get it: the key is stored securely in the chip and cannot be extracted. If a Trojan tries to force a login with a FIDO key silently in the background, it will not go unnoticed. The standard requires that security keys check for the user's presence when used. To do this, the tokens flash when there is a request to compute a key, and only when the user touches the golden contact surface is this accepted as consent. The standard calls this "User Present" (UP). For higher security requirements, more complex acknowledgments, such as a PIN or a biometric feature, can be required. Android and Windows 10 use this kind of user verification (UV) to prevent a stolen security key from being misused by a stranger.

I find the only vulnerability in the FIDO concept is the danger that my key is stolen from me. The more services switch to FIDO, the more identities will be on my key. You will simply have to protect this key as carefully as your own front door key. Windows' approach of additionally protecting the security key with a Windows Hello query effectively prevents abuse. Overall, FIDO raises the hurdle for identity theft. A purely remote attack over the Internet is no longer possible with FIDO!
