
Passwordless authentication via FIDO2, Webauthn and CTAP

Passwords are hard to remember and usually not secure. Today, there are solutions that do without the combination of lower and upper case letters, numbers and special characters. In particular, experts in the field of data protection and information security have long since stopped using passwords to make access to systems much more secure.

Passwordless authentication is the current trend in IT security and a system that does not require the use of passwords at all. With passwordless authentication, the password is replaced by much more secure factors. In the following article, you can read why it is better to do without passwords yesterday rather than today and which common methods are available.

Most important information about passwordless authentication

  • The use of passwords poses many IT security risks and is increasingly being replaced by less vulnerable options
  • Passwordless authentication is one such option and is very secure because it uses cryptographic key pairs
  • FIDO2 is a standard that enables strong passwordless authentication.
  • FIDO2 is a joint project of the FIDO Alliance and the W3C and combines the Client to Authenticator Protocol (CTAP) with the Web Authentication API (WebAuthn).

Why should you do without passwords?

There are several reasons for the decision not to use passwords:

  • The majority of passwords used are weak ones that users can remember (in the top places: "Password", "123456")
  • One password is usually used for multiple accounts: if third parties have gained access to one account via this password, they can log in to the other accounts.
  • Passwords are protected with unsafe methods such as MD5 (rainbow table attack)
  • Even complex passwords are hackable: hackers can crack passwords via various methods such as keylogging or phishing, even if users follow the rules, because the standard password requirements (e.g. 8 characters, 1 uppercase letter, 1 number) are no hurdle for software and algorithms, which run through the combinations within seconds
  • Password managers are vulnerable because even the initial password for logging into the password manager is hackable or can be chosen too weak by the user
  • Two-factor authentication is a good option, but not as secure as passwordless authentication, because here too phishing can give third parties unauthorised access to your applications; the procedure is at least more secure than verification via a password.
  • Password management is a time and cost factor in IT departments because passwords must be kept secure to reduce the risk of data protection mishaps, and employee inquiries about forgotten passwords must be resolved manually by resetting them.
Info

81 % of data breaches are based on weak or compromised passwords

2019, Data Breach Investigations Report, Verizon

How does passwordless authentication work?

Simply put, passwordless authentication is a method of verifying the user's identity without using a password. Thus, the most significant difference from password-based authentication is that no stored secrets are used to access systems in order to verify the user's identity.

With passwordless authentication, a key pair (a so-called "credential") is generated. This key pair always consists of a private and a public key. However, the public key functions more as a (public) lock that can only be opened with the private key. The combination of key and lock is unique per application and this increases the data security enormously.

Users who want to log in via passwordless authentication need either an "external authenticator" (e.g. a hardware token) or an "internal authenticator" (e.g. a fingerprint) to generate the key pair of private key and public lock. When the user logs in to a system, the user keeps the private key and the public key (or public lock) is sent to the system. The system the user wants to log in to uses the public key to decrypt the private key. If the encryption and decryption sequence works - when the private key fits into the public lock - it is verified that the user is also the owner of the private key. The login is successful.

The advantages of passwordless authentication

Passwordless authentication is more contemporary, optimised for mobile devices, more convenient and also saves costs compared to using passwords.

Increased security by eliminating passwords

Despite the BSI's advice on the use of passwords, user-controlled passwords always represent a risk and are vulnerable to attacks. This is because the requirements for passwords must not only be known to the user, but must also be adhered to by the user at all times. If the password is removed from the login process, the exposure to phishing attacks, password loss and password reuse is reduced and IT security is increased.

Convenient authentication via all channels

The use of traditional passwords implies an administrative burden on users, is outdated, and is not optimised for use on mobile devices (e.g., logging into the Apple store via fingerprint). Passwordless authentication is a far more efficient option and allows users to quickly log in to applications or devices.

Streamlined registration processes improve user experience

Registration or login via a password always means a certain hurdle on the user side. By using passwordless authentication methods, this hurdle is removed and users can access business e-mails or other applications without a password, for example.

Cost savings due to omission of passwords

The administration of passwords, as well as the regular changing of passwords to keep them secure, takes time and is often handled by IT teams. So does the reset process when users forget their password despite careful storage. Using passwordless authentication eliminates this cost.

Which methods of passwordless authentication are available?

There are now numerous passwordless authentication methods, the best known of which are TouchID, facial recognition and pattern recognition. These methods have been used as standard on mobile devices for years.

  • Fingerprint
  • Facial recognition
  • Pattern recognition
  • Voice recognition
  • SMS
  • E-mail
  • Social login
  • WebAuthn

What is FIDO2?

The abbreviation FIDO2 stands for Fast IDentity Online and unites the joint work on a password successor by Google, Microsoft, Amazon, Paypal, Facebook, Visa and Mastercard. Since March 2019, the World Wide Web Consortium (W3C) has been working on a "web standard for secure, passwordless logins". This still quite young web standard is FIDO2 and is already used by browsers (Edge, Chrome, Firefox, Safari), operating systems (Android, Windows, iOS) and web services (Office 365).

Info

The FIDO Alliance is a non-commercial association of many companies (PayPal, Google, etc.) and develops open and license-free standards for secure, worldwide authentication on the Internet, such as the FIDO2 standard.

How does FIDO2 work?

The FIDO2 standard is an authentication protocol and method for passwordless login, which aims to make login via passwordless authentication more secure and easier. For this purpose, FIDO2 uses a combination of the Client to Authenticator Protocol (CTAP) developed by the FIDO Alliance and the WebAuthn API developed by the W3C.

The FIDO2 method is a challenge-response method that uses cryptographic key pairings called "credential" and factors such as biometric characteristics or hardware tokens. A private key is stored locally on the user's device and associated with an authentication factor such as a fingerprint. A public key is sent to the application the user wants to access. If these two keys match, the login is successful.

What are the requirements for using FIDO2 authentication?

The FIDO2 specification essentially needs the following components:

The most important features of FIDO2

  • The use of passwords for login is not necessary
  • Users log in using biometrics, FIDO security token or mobile devices
  • The private key never leaves the user's device
  • Only the public key for login is sent to applications
  • The encryption/decryption key sequence is done via the WebAuthn API

The advantages of FIDO2 over password authentication?

  • Enables authentication without password and cannot be corrupted
  • Protects the private key from access
  • Is a piece of hardware:
    • Cannot be hacked
    • Can be personalised
    • Can be used for any number of applications with one key
    • Works completely without login features
    • Is inexpensive (e.g. in contrast to a smartphone)

Products for the use of the FIDO 2 standard

What is WebAuthn?

WebAuthn is the short form of the Web Authentication API written by the W3C and FIDO with participation from Google, Mozilla, Microsoft, Yubico and others. This API allows servers to register and authenticate users using public key cryptography instead of a password.

WebAuthn enables servers to integrate strong authenticators, which are already standard especially for mobile devices and will become more and more present in the future. Probably the best-known example is Apple's Touch ID for unlocking the iPhone. Instead of a password, a private-public key pair ("credential") is created for an application. The private key is stored securely on the user's device; a public key and randomly generated credential ID are sent to the server for storage. The server can then use this public key to prove the user's identity.

The public key is not secret because it is virtually useless without the associated private key. The fact that the server does not receive a secret has far-reaching implications for the security of users and organizations. Databases are no longer as attractive to hackers because the public keys are not usable to them.

How WebAuthn works

Basically, the WebAuthn protocol is responsible for the communication between the server and the user's system. The user registers once with his identity via the WebAuthn authentication method, on a local device or the application. Through this one-time process, the user's identity is linked to the device or application. Consequently, verification via a password is no longer necessary. If users use an external authenticator, such as a hardware token, it is sufficient to connect to the computer via USB. This works analogously with internal authenticators, e.g. by having the user scan the fingerprint on the end device. Each device and each application to which the user logs on from this point onwards uses individual key pairs.
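
The registration and login exchange described above, modelled in Node.js as an added example (it is not Robin Data's code and not part of the original article). It simulates both the authenticator and the server; the names `Authenticator`, `RelyingParty` and `demo` and the `app.example` hosts are assumptions, and the signed data follows WebAuthn's layout (authenticator data plus a hash of the client data, which carries the challenge and the origin) in simplified form.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
// Authenticator (hardware token or fingerprint sensor): private keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) { // a fresh key pair per application
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    const credentialId = crypto.randomBytes(16).toString('base64url');
    this.keys.set(credentialId, { rpId, privateKey });
    return { credentialId, publicKey }; // the only data sent to the server
  }
  sign(credentialId, challenge, origin) { // origin is filled in by the browser, not by the page
    const { rpId, privateKey } = this.keys.get(credentialId);
    const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
    const authData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), Buffer.alloc(4)]); // rpIdHash|flags|counter
    const signature = crypto.sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
    return { clientDataJSON, authData, signature };
  }
}

// Relying party (the server): stores public keys only and issues one-time challenges.
class RelyingParty {
  constructor(rpId, origin) { Object.assign(this, { rpId, origin, credentials: new Map(), pending: new Set() }); }
  store({ credentialId, publicKey }) { this.credentials.set(credentialId, publicKey); }
  newChallenge() {
    const challenge = crypto.randomBytes(32).toString('base64url');
    this.pending.add(challenge);
    return challenge;
  }
  verify(credentialId, { clientDataJSON, authData, signature }) {
    const publicKey = this.credentials.get(credentialId);
    const client = JSON.parse(clientDataJSON.toString());
    if (!publicKey || client.type !== 'webauthn.get') return false;
    if (!this.pending.delete(client.challenge)) return false; // unknown or already used challenge
    if (client.origin !== this.origin) return false; // response was produced on another site
    if (!authData.subarray(0, 32).equals(sha256(this.rpId)) || !(authData[32] & 0x01)) return false; // wrong app or no user presence
    return crypto.verify('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), publicKey, signature);
  }
}

function demo() { // constructed hosts; returns the three verification results
  const token = new Authenticator(), rp = new RelyingParty('app.example', 'https://app.example');
  const cred = token.register('app.example');
  rp.store(cred);
  const login = token.sign(cred.credentialId, rp.newChallenge(), 'https://app.example');
  const other = token.sign(cred.credentialId, rp.newChallenge(), 'https://app.example.test');
  const check = (response) => rp.verify(cred.credentialId, response);
  return { login: check(login), replay: check(login), otherOrigin: check(other) };
}
```

`demo()` accepts only the first response: replaying it fails because the challenge is single-use, and a response created on a different origin fails even though the signature itself is valid.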

What's CTAP?

Within the FIDO 2 standard, external authenticators can also be used for identification. For this purpose, hardware tokens (via USB) or smartphones (via NFC / Bluetooth) are usually connected to the user's terminal device.

The Client to Authenticator Protocol (CTAP) is responsible for the communication between the hardware token and the user's system. The CTAP2 protocol is used specifically for communication with WebAuthn.

The Client to Authenticator Protocol ensures that there is successful authentication between the authenticator (e.g., the hardware token) and the user's terminal device or the application to which the user wants to log in.

For more information on CTAP, please visit the FIDO Alliance website.

Info

CTAP is also known as Universal 2nd Factor (U2F) and refers to two-factor authentication.

Info

CTAP2 in combination with WebAuthn makes FIDO 2 work

Implementation of passwordless authentication in Robin Data software

Robin Data has implemented FIDO2 technology into Robin Data software because we believe it is secure, privacy protecting, easy to use for everyone, cost effective and forward thinking. This makes it possible to log in to the Robin Data app without using the insecure password and by using a security key.

We show exactly how this works in the Help Center and in the following video:

Conclusion: Passwordless authentication is a secure alternative and FIDO2 is the new standard for secure web log-in.

A data breach is a huge loss of trust for any business. If customers feel that their personal data is not being processed securely, the worst case scenario could be customer loss. Of all cyberattacks, 81 percent are due to corrupted passwords. However, this risk factor is completely unnecessary and can be easily eliminated. It's time to do away with password-based authentication. Passwordless authentication via FIDO2 is already an established standard among corporate giants like Google, Microsoft, and Apple. It is currently one of the most secure authentication methods that can be deployed cost-effectively.

Caroline Schwabe