How do you currently register for and log into Internet and online services? Do you use a password that at least meets the complexity requirements, i.e. the golden password rules? Or are you already using a FIDO key? FIDO stands for “Fast IDentity Online”: fast identification over digital connections, allowing completely passwordless registration and login on platforms. Identity theft is big business these days, and phishing and data leaks from hacked or badly administered servers have sadly become all too familiar, as the recently published Bitkom study of November 6, 2019, “Economic Protection in the Digital World”, also clearly shows.
Side note: phishing
Phishing is the attempt to gain access to data such as log-ins or passwords using fake e-mails, websites or text messages. Using this technique, cybercriminals can obtain sensitive information from companies or inject malware into their systems with relatively little effort.
The non-commercial FIDO Alliance was launched in July 2012 and officially founded in February 2013 to work with many different companies to develop open and royalty-free industry standards for global authentication on the Internet. Under this umbrella, Google, Microsoft, Facebook, Amazon, PayPal, Visa, Mastercard and others are working to establish a web standard for secure, passwordless logins.
A FIDO key is always unique and therefore cannot be copied; if it could, the key itself would represent a security risk. This is also the fundamental idea behind the FIDO Alliance.
The wonderful thing about a FIDO key
A FIDO key can be used instead of a password or, additionally, as a second factor. Logging in without a password already works with Microsoft.com and associated services such as Outlook.com, Office 365 and OneDrive – but only if Edge is used. With Google, GitHub, Dropbox, Twitter and BoxCryptor, the FIDO key can be used as a second factor (two-factor authentication at the touch of a button). You are then protected against phishing and similar attacks, but still have to enter your password. You can see how this works on the demo page https://webauthn.io/
FIDO makes it possible to raise security further as required, up to the level demanded by high-security environments. Fingerprints or other biometric data are used only for the actual registration with a service. This data remains strictly local on the security key and proves the identity of the user (user verification). This higher level does come at the price of higher cost and reduced convenience. But even at the lowest security level, FIDO security keys are far more convenient and secure than ordinary passwords could ever be.
Traces on the net?
The question that then arises, of course, is whether a user can be tracked by means of a security key, especially if they use the same security key everywhere. Although there is an optional recognition mechanism whereby the server asks the key to provide its serial number, the user must agree to this request in a separate dialog, so covert tracking is impossible. In normal operation the security key generates a separate key pair for each service, based on the domain of the other party, so the credentials used with different services cannot be linked to one another.
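To illustrate the two properties described above (phishing resistance and one key pair per service), here is a constructed Go model of a security key; it is an added example, not code from the FIDO Alliance or any real authenticator. It keeps a separate P-256 key pair per relying-party domain and signs each challenge together with the hash of the domain the browser actually reports, so an assertion obtained on a look-alike domain can never verify at the genuine service. The domain names, the `Authenticator` type and the exact signed-data layout are assumptions for this example; real WebAuthn signs the authenticator data (which carries the rpId hash) together with the client data hash, and additionally returns a credential ID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator is a constructed model of a FIDO security key: it holds one
// key pair per relying-party domain, and the private keys never leave it.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh key pair for rpID; the service stores only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// signedData binds a challenge to a domain: SHA-256(SHA-256(rpID) || challenge).
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	sum := sha256.Sum256(append(rpHash[:], challenge...))
	return sum[:]
}

// Assert signs a challenge for the domain the browser reports as the current
// origin; a domain that was never registered has no key, so nothing is signed.
func (a *Authenticator) Assert(originRPID string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[originRPID]
	if !ok {
		return nil, fmt.Errorf("no credential for %q", originRPID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(originRPID, challenge))
}

// Verify is the relying party's check: it hashes in its own domain, so an
// assertion produced for a look-alike domain can never validate here.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpID, challenge), sig)
}
```

Because the browser, not the web page, supplies the domain, a phishing site on a look-alike domain either receives no assertion at all or one that is bound to its own domain and therefore rejected by the real service.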
What to do if a FIDO key is stolen
If you lose your FIDO key, it is important to block access to the accounts associated with it as quickly as possible. This applies even though the virtual keys built into Windows and Android are always protected by a second factor, such as a fingerprint or a PIN, which prevents others from using them. The great thing here is that cybercriminals can no longer get hold of millions of passwords with a Trojan or by breaking into a server: someone has to physically steal the FIDO key and then misuse it. With access limited to individual accounts, this is no longer big business for cybercriminals and therefore holds little appeal for them.
Maybe now is a good time, therefore, to add a FIDO key to your Christmas list and try it out?
To be continued with application examples from industry.