Passwordless authentication via FIDO2
Passwords are hard to remember and usually not secure. Today there are solutions that do without the familiar mix of lower- and upper-case letters, digits and special characters, and specialists in data protection and information security in particular have long favoured them to make access to systems far more secure.
Passwordless authentication is the current trend in IT security: a system that does not require passwords at all and replaces them with much stronger factors. The following article explains why it is better to drop passwords sooner rather than later and which common methods are available.
Most important information about passwordless authentication
- Passwords pose many IT security risks and are increasingly being replaced by less vulnerable options
- Passwordless authentication is one such option; it relies on cryptographic key pairs rather than on shared secrets
- FIDO2 is a standard for strong passwordless authentication built on exactly that mechanism
- FIDO2 is a joint project of the FIDO Alliance and the W3C and combines the Client to Authenticator Protocol (CTAP) with the Web Authentication API (WebAuthn)
Why should you do without passwords?
There are several reasons for the decision not to use passwords:
- Most passwords in use are weak, because users pick ones they can remember (perennial front-runners: "Passwort", "123456")
- One password is usually reused for several accounts: once third parties obtain it for one account, they can log in to the others as well
- Passwords are often stored with unsalted fast hashes such as MD5, which can be reversed with precomputed rainbow tables
- Even complex passwords can be compromised: attackers capture them via keylogging or phishing regardless of how well they were chosen, and the usual complexity rules (e.g. 8 characters, 1 upper-case letter, 1 digit) are no hurdle for cracking software, which enumerates such combinations within seconds
- Password managers help, but the master password that unlocks them can itself be phished, keylogged or chosen too weakly by the user
- Two-factor authentication with one-time codes (SMS or app) is a good option and clearly more secure than a password alone, but not as secure as passwordless authentication, because a phishing site can still relay the code in real time and gain unauthorised access to your applications
- Password management is a time and cost factor for IT departments: passwords must be kept secure to reduce the risk of data protection mishaps, and employee requests about forgotten passwords must be resolved manually by resetting them
Source: Verizon, 2019 Data Breach Investigations Report
How does passwordless authentication work?
Simply put, passwordless authentication is a method of verifying the user's identity without using a password. The most significant difference from password-based authentication is therefore that no shared secret is stored on the server side: the server keeps only a public key, and nothing it stores can be used by a thief to log in.
With passwordless authentication, a key pair (a so-called "credential") is generated. This key pair always consists of a private and a public key. The public key works more like a (public) lock that can only be opened with the private key. The combination of key and lock is unique per application, and that is exactly what increases data security enormously.
Users who want to log in via passwordless authentication need either an "external authenticator" (e.g. a hardware token) or an "internal authenticator" (e.g. the fingerprint sensor built into the device) to generate the key pair of private key and public lock. When the user registers with a system, the authenticator keeps the private key and only the public key (the public lock) is sent to the system. When the user later logs in, the system sends a random challenge; the authenticator signs it with the private key, and the system checks the signature with the stored public key, i.e. whether the private key fits the public lock. If the signature checks out, it is verified that the user possesses the private key, and the login succeeds.
The advantages of passwordless authentication
Passwordless authentication is more contemporary, better suited to mobile devices, more convenient and also cheaper than using passwords.
Increased security by eliminating passwords
Despite the BSI's guidance on the use of passwords, user-chosen passwords always represent a risk and are vulnerable to attack, because the rules for good passwords must not only be known to users but also followed by them, at all times. If the password is removed from the login process, the exposure to phishing, password loss and password reuse disappears with it and IT security increases.
Convenient authentication via all channels
Typing traditional passwords is an administrative burden on users, outdated, and poorly suited to mobile devices, where logging in with a fingerprint (e.g. in the App Store) is the norm. Passwordless authentication is a far more efficient option and lets users log in to applications or devices quickly.
Streamlined registration processes improve user experience
Registration or login via a password always means a certain hurdle on the user side. By using passwordless authentication methods, this hurdle is removed and users can access business e-mails or other applications without a password, for example.
Cost savings due to omission of passwords
Administering passwords, including the regular password changes meant to keep them secure, takes time and usually falls to IT teams; so does the reset process when users forget a password despite careful storage. Passwordless authentication eliminates this cost.
Which methods of passwordless authentication are available?
There are now numerous passwordless authentication methods; the best known are Touch ID (fingerprint), facial recognition and pattern unlock, which have been standard on mobile devices for years.
- Fingerprint
- Facial recognition
- Pattern recognition
- Voice recognition
- SMS one-time codes
- Social login (signing in via an existing account at Google, Apple, etc.)
- WebAuthn / FIDO2 (public-key credentials, see below)
Note that only the last of these removes the password from the system altogether: SMS codes can be intercepted or phished, social login merely delegates the login (and its password) to the identity provider, and biometrics such as Touch ID are, in FIDO2 terms, the factor that unlocks the key pair stored on the device rather than a replacement for it.
What is FIDO2?
FIDO stands for Fast IDentity Online; FIDO2 is the second generation of the FIDO Alliance's specifications and unites the joint work on a password successor by companies such as Google, Microsoft, Amazon, PayPal, Facebook, Visa and Mastercard. In March 2019 the World Wide Web Consortium (W3C) adopted WebAuthn, the "web standard for secure, passwordless logins", as an official recommendation. This still quite young standard is the core of FIDO2 and is already supported by browsers (Edge, Chrome, Firefox, Safari), operating systems (Android, Windows, iOS) and web services (e.g. Office 365).
How does FIDO2 work?
FIDO2 is an authentication standard and method for passwordless login that aims to make logging in both more secure and easier. For this purpose, FIDO2 combines the Client to Authenticator Protocol (CTAP) developed by the FIDO Alliance with the WebAuthn API standardised by the W3C.
The FIDO2 procedure is a challenge-response procedure that uses cryptographic key pairs (so-called "credentials") together with factors such as biometric features or hardware tokens. A private key is stored locally on the user's device or security key and linked to an authentication factor such as the fingerprint. A public key is sent to the application the user wants to access. At login, the application sends a random challenge, the authenticator signs it with the private key, and the application verifies the signature with the stored public key. If the two keys match, the login succeeds.
What are the requirements for using FIDO2 authentication?
The FIDO2 specification essentially needs the following components:
- The W3C standard WebAuthn
- The Client to Authenticator Protocol (CTAP)
The most important features of FIDO2
- The use of passwords for login is not necessary
- Users log in using biometrics, a FIDO security key or a mobile device
- The private key never leaves the user's device
- Only the public key for login is sent to applications
- The challenge-response exchange (challenge, signature, verification) is driven through the WebAuthn API in the browser
The advantages of FIDO2 over password authentication
- Enables authentication without a password; the credential is bound to the web origin, so it cannot be phished or replayed on a fake site
- The private key never leaves the authenticator and cannot be read out
- Can be a dedicated hardware key, or a platform authenticator built into the device
- A leak of the server's database yields only public keys, which are of no use for logging in
- Can be personalised, e.g. unlocked only with the user's PIN or biometric
- One authenticator serves any number of applications, with a separate key pair for each
- Can work without typing a username or password
- Is inexpensive (a security key costs a fraction of a smartphone)
Products for the use of the FIDO 2 standard
- Use of FIDO-certified products: https://fidoalliance.org/certification/fido-certified-products/
- Sample security keys: YubiKey, SoloKeys, Nitrokey...
- Biometrics: Touch ID, Face ID
What is WebAuthn?
WebAuthn is short for the Web Authentication API, written by the W3C and the FIDO Alliance with participation from Google, Mozilla, Microsoft, Yubico and others. This API allows servers to register and authenticate users with public-key cryptography instead of a password.
WebAuthn allows servers to integrate strong authenticators that are already standard, especially on mobile devices, and will become ever more common. The best-known example is Apple's Touch ID for unlocking the iPhone. Instead of a password, a private/public key pair ("credential") is created for an application. The private key is stored securely on the user's device; the public key and a randomly generated credential ID are sent to the server for storage. The server can then use this public key to verify the user's identity.
The public key is not secret because it is useless without the associated private key. The fact that the server never receives a secret has far-reaching implications for the security of users and organisations: a stolen credential database is far less attractive to attackers, because public keys can neither be used to log in nor to derive the private key.
How WebAuthn works
Essentially, WebAuthn defines how the browser (the client) mediates between the server and the authenticator on the user's system. The user registers once with the service via WebAuthn, using an authenticator on the local device or in the application. Through this one-time process a credential for that service is bound to the authenticator, so verification via a password is no longer necessary. With an external authenticator, such as a hardware token, it is enough to plug it into the computer via USB. This works analogously with internal authenticators, e.g. the user scans their fingerprint on the device. Every service the user registers with from then on gets its own individual key pair.
What's CTAP?
Within the FIDO2 standard, external authenticators can also be used for identification. For this purpose, hardware tokens (via USB) or smartphones (via NFC / Bluetooth) are connected to the user's device.
The Client to Authenticator Protocol (CTAP) handles the communication between that external authenticator and the user's device (the client, typically the browser or operating system). CTAP2 is the version used together with WebAuthn; CTAP1 is the older U2F protocol.
CTAP lets the client ask the authenticator to create a credential for a relying party or to sign a challenge, so that the WebAuthn login to the application the user wants to access can be completed on the token.
For more information on CTAP, please visit the Fido Alliance website.
Implementation of passwordless authentication in Robin Data software
Robin Data has implemented FIDO2 in the Robin Data software because we believe it is secure, privacy-protecting, easy for everyone to use, cost-effective and forward-looking. This makes it possible to log in to the Robin Data app without a password, using a security key instead.
We show exactly how this works in the Help Center and in the following video:
Conclusion: Passwordless authentication is a secure alternative and FIDO2 is the new standard for secure web log-in.
A data breach means a huge loss of trust for any business; if customers feel that their personal data is not processed securely, the worst case is losing them. According to Verizon's Data Breach Investigations Report, 81 percent of hacking-related breaches involve stolen or weak passwords. This risk factor is entirely unnecessary and can be eliminated. It is time to move away from password-based authentication. Passwordless authentication via FIDO2 is already an established standard among corporate giants like Google, Microsoft and Apple, and it is currently one of the most secure authentication methods that can be deployed cost-effectively.