FIDO2: The Dream Of Password-Free Authentication On The WWW

Of all the things which are annoying about the modern World Wide Web, the need to create and remember countless passwords is at the top of most people’s lists. With dozens of passwords for everything from social media sites to shopping, company, and productivity-related platforms like GitHub, a large part of our day is spent dealing with passwords.

While one can totally use a password manager to streamline the process, this does not absolve you from having to maintain this list and ensure you never lose access to it, while simultaneously making sure credentials for the password manager are never compromised. The promise of password-less methods of authentication is that of a world where one’s identity is proven without hassle, and cannot ever be stolen, because it relies on biometrics and hardware tokens instead of an easily copied password.

The FIDO2 project promises Web Authentication that means never entering a password into a website again. But like everything, it comes with some strings attached. In this article, we’ll take a look at how FIDO2 plans to work and how that contrasts with the state of security in general.

Web of Trust

The scope of online security goes far beyond the connection between a server and client. It starts with one’s own system(s), and from there spirals outward to systems and individuals who are ever less known to you and as a direct result less trustworthy. The assumption is made that one’s own systems are safe and secure, with every part of them known and audited. This implies that storing secrets on these systems is acceptable.

In the immediate circles near these systems one can find entities which are deemed relatively trustworthy, such as a major shopping site or your financial institution’s online banking features. The general assumption there is that they do their utmost to secure their systems, if only because of the (financial) repercussions when something does go wrong, so we trust that they got their servers in a state comparable to our own. That’s why you don’t mind trusting them with sensitive information, like control over your bank account, or your credit card information.

The web of trust doesn’t necessarily focus on how easy it is to establish a secure connection between you and another entity. Eminently more important are the questions of whether you can trust this entity with your information, and how secure this ‘secure’ connection actually is.

How We Determine Identity

An essential part of establishing a secure communication link is determining the other side’s identity. This is where security certificates come into play: based on a root certificate that is provided by some trusted authority, one can determine with relative certainty that the remote side is what it says it is. Here one implicitly trusts the root authority.

In multi-factor authentication terms, the remote service’s security certificate counts as ‘something one has’, as in a secret object. What one provides with a password-based login is ‘something one knows’. Two-factor authentication schemes involving ‘something one knows’ and ‘something one has’ are usually based around a physical object (key) and an access code that allows this key to be used.

Examples of this include an ATM card and the PIN code linked to it, or a hardware device that generates a code after entering the PIN, such as commonly used with online banking. Combining a phone number (to send a text message with a code) or email address with password-based login is also very common for two-factor log-in schemes.

The Premise of FIDO2

The FIDO2 project is a joint effort between the FIDO (Fast IDentity Online) Alliance and the World Wide Web Consortium (W3C). It’s a continuation of previous projects, notably the FIDO Universal 2nd Factor (U2F) protocol, which involves a USB-based hardware token (‘Something you have’) that acts as a hardware-based authenticator. FIDO2 is similar, but adds multi-factor authentication.

At the core of FIDO2 lies the WebAuthn (Web Authentication) standard, which defines a number of requirements for a conforming website, browser and compatible authenticator. In essence it’s a public key-based security scheme, whereby one has to register a device that will function as the authenticator. This can be a laptop with a fingerprint scanner, Windows Hello, Apple FaceID, or a smartphone with such biometrics options. Alternatively a PIN code can be used instead of biometrics.

In addition to this, CTAP (Client To Authenticator Protocol) allows one to link a device like a smartphone with a laptop to act as an authenticator for the browser on the laptop using NFC, USB or BLE (if supported). Regardless of the setup, there’s always the remote service with which one registers or already has registered the authenticator device. This is similar to how one would register their public SSH key at a site like GitHub, yet this also means that you would want to register two or more authenticators for a service, in case one is lost, stolen or otherwise becomes unavailable.

Here the device is ‘What you have’, while biometrics would be ‘What you are’, or alternatively a PIN code or similar could provide ‘What you know’.
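
The registration and login flow described above, as an added Node.js example that is not from the article or the FIDO2 specifications: a simulated authenticator creates a separate key pair for each service it is registered with, and the service verifies a signature bound to its own challenge and origin. The site names (shop.example, bank.example) and helper functions are constructed for illustration; attestation, counter checks and CBOR/COSE encoding are left out.

```javascript
// Added illustration (not from the article or the specs); site and helper names are constructed.
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require('node:crypto');
const sha256 = (data) => createHash('sha256').update(data).digest();
const signedBytes = (authData, clientDataJSON) => Buffer.concat([authData, sha256(clientDataJSON)]);
// Authenticator: one key pair per relying party (RP); private keys never leave the device.
function makeAuthenticator() {
  const keys = new Map();
  return {
    register(rpId) {
      const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
      keys.set(rpId, privateKey);
      return publicKey; // the only thing the service stores
    },
    assert(rpId, clientDataJSON) {
      // authenticatorData: SHA-256(rpId) || flags (user present + verified) || counter
      const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
      return { authData, signature: sign('sha256', signedBytes(authData, clientDataJSON), keys.get(rpId)) };
    },
  };
}

// Browser: writes the page's real origin and the server's challenge into clientDataJSON.
function browserGet(authenticator, origin, challenge) {
  const clientDataJSON = JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin });
  return { clientDataJSON, ...authenticator.assert(new URL(origin).hostname, clientDataJSON) };
}

// Relying party: checks type, origin, challenge and RP ID hash, then the signature.
function verifyAssertion(rp, challenge, { clientDataJSON, authData, signature }) {
  const client = JSON.parse(clientDataJSON);
  if (client.type !== 'webauthn.get' || client.origin !== rp.origin) return false;
  if (client.challenge !== challenge.toString('base64url')) return false; // stale or replayed
  if (!authData.subarray(0, 32).equals(sha256(rp.rpId))) return false;
  return verify('sha256', signedBytes(authData, clientDataJSON), rp.publicKey, signature);
}
function demo() {
  const device = makeAuthenticator();
  const enroll = (rpId) => ({ rpId, origin: `https://${rpId}`, publicKey: device.register(rpId) });
  const [shop, bank] = ['shop.example', 'bank.example'].map(enroll);
  const challenge = randomBytes(32);
  const assertion = browserGet(device, shop.origin, challenge);
  return {
    valid: verifyAssertion(shop, challenge, assertion),
    replayed: verifyAssertion(shop, randomBytes(32), assertion),
    otherSite: verifyAssertion(shop, challenge, browserGet(device, bank.origin, challenge)),
    wrongKey: verifyAssertion({ ...shop, publicKey: bank.publicKey }, challenge, assertion),
  };
}
```

Calling `demo()` returns which of the four checks pass: only the assertion made on the registered site, for the current challenge, and verified with that site's stored public key is accepted.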

Welcome to the 90s

The OpenSSH logo.

Outside of the world of browsers, password-free logins have been commonplace for a long time courtesy of little-known technologies such as SSH (Secure Shell), which since its creation in 1995 has allowed users to log into remote systems without ever entering a password. This is an essential part of crucial infrastructure, allowing automated tasks to communicate with remote systems over secure links without requiring a human being (AKA a sysadmin or intern) to enter a password every time a new connection is made.

These days this distinction is very noticeable, for example, on sites like GitHub, where the interaction with the Git repositories on the GitHub servers can be performed either via secure HTTP (requiring a username and password) or SSH (password unneeded after unlocking the private key). Here having a password manager that is unlocked the moment one logs into one’s PC allows for essentially password-free interaction with such secure remote services.

Biometrics: A Public Secret

One big premise behind eradicating the use of passwords is that they are supposedly insecure, with biometrics being far superior. This is why systems such as facial recognition, fingerprint recognition, as well as iris and palm vein scanning have become hugely popular, with smartphones in particular providing at least a fingerprint sensor (though Apple ditched it in favor of facial recognition because of aesthetics).

Graphic courtesy of the Electronic Frontier Foundation.

Unfortunately, fingerprint scanners are hopelessly inaccurate, as we have covered recently as well. The main reason behind fingerprint sensors being added to smartphones has been to make unlocking them less of a bother for phone junkies who will reach for their phone on average 52 times a day, according to a 2018 study by Deloitte. A simple thumb or finger pressed on a sensor or quick glance at the front camera to unlock the device would seem like a godsend at that point.

Facial recognition doesn’t score much better when it comes to security than fingerprints, either. Apple’s high-profile Face ID has big problems distinguishing between twins, family members and children, according to a security paper Apple released a few years ago. This paper notes that in the case of twins, siblings who look alike and children under the age of 13, one should not use Face ID for security reasons.

Another two strikes against biometrics are that they are non-revocable (you’re stuck with them for life), and that they are not a secret as such. While they are a part of you, you also carry around your face in public, leave your fingerprints on everything you touch, leave your irises wide open to scanning, not to mention the number of times you rest your palms on a surface that could contain a scanner.

By making the copying of biometrics and defeating their scanners ever more profitable, we might risk unleashing a rush to develop ever more sophisticated technology to get around biometrics, rapidly degrading it as a security option.

What You Don’t Have Any More

Clearly the security benefits of moving everyone from passwords to what will essentially be a biometrics wet dream are doubtful at best. On the horizon looms a future in which one’s smartphone could be stolen and unlocked using the same fingerprints which you have left all over the device, after which all of your online accounts will be open to whoever now has the device. It’s like writing your PIN code on the ATM card, just with more biological proteins and sophisticated technology involved.

Losing the authenticator device also means that you instantly lose access to every single online account that requires 2FA. It’s possible you planned for this and you also set up your laptop as an authenticator, or you have a second (smartphone) device around that you also registered. If you’re lucky enough to be in this group, you’d next be rushing around, logging into every service you registered with to unlink the device that was stolen.

Costs and Benefits

When it comes down to it, passwords have a number of distinct advantages:

  • They’re easy to change.
  • One can have a unique password for each service.
  • Password managers make remembering passwords unnecessary.
  • They’re unknown to everyone but you.

With a system like what FIDO2 proposes with Web Authentication, one would have the same device for all services, no ability to change this identifier (device) and a ‘secret’ to unlock it which is both not a secret and increasingly easy to copy.

Adding a password in KeePass.

Realistically speaking, what Web Authentication offers is a single sign-on service using biometrics, PIN code or some gesture-based login, with questionable benefits over practicing proper password management. Frankly, by the time one is entering a PIN code or equivalent and still considers this to be ‘password-free’, some serious questioning of one’s definitions should take place.

Personally, I have been using the fully open-source KeePass as my password manager on Windows for years now, which allows me to securely manage my passwords. The encrypted password database file is available on all of my devices and backed up in multiple locations. Any device that KeePass works on and with internet access also provides me with access to these passwords, while thieves have two strong passwords to brute-force before the device is remotely wiped. For me the benefit of Web Authentication is essentially zero, especially as I only have a single device that performs biometrics (my smartphone).

If the future of Web Authentication is anything like U2F, it will likely end up making a little bit of a splash for a number of years before being quietly retired. Yet who knows? This might become the one log-in method to rule them all. What are your thoughts on this technology? Would you retire your cool passwords for futuristic, biometrics-based access?