Is the FIDO identity secure?

For years, passwordless online authentication has been a controversial topic, and not without reason: passwords are the gateway for hackers. The licence-free industry standard FIDO, which promises higher security through two-factor or multi-factor authentication, is intended to provide a remedy. But is the FIDO identity really secure?

Passwords: Achilles heel of internet communication

Passwords are the Achilles heel of internet communication. Phishing is not the only way passwords repeatedly fall into the hands of hackers: the combinations of letters and numbers can also be guessed, read off, intercepted or cracked by trial and error. Password theft causes damage in the billions every year.

Handling passwords every day is also a burden for users. Because passwords are needed several times a day, many internet users forgo the minimum security requirements and choose simple combinations such as their own date of birth, their street name or other easy-to-crack sequences of digits or letters. The FIDO and FIDO2 standards are now intended to pave the way to a password-free future.

FIDO: What’s behind it

The abbreviation FIDO stands for Fast Identity Online. It is an industry standard that enables fast and secure authentication on the internet, and it recently gave rise to the newer FIDO2 standard. The standard was developed by the so-called FIDO Alliance, which now includes hundreds of companies from every continent, among them industry giants such as Google, Intel, Samsung, Microsoft and Bank of America.

Security components of the standard

The main advantage of a FIDO identity is that it eliminates error-prone passwords. In addition, the encrypted credentials are unique to each website and are not stored on an external server; they always remain on the user's device. In practice, using FIDO looks like this: users register and choose a combination of factors as their authentication method. These factors can be, for example, a sentence spoken into the microphone, a glance at the camera, a fingerprint or a PIN, depending on which technology the end device (smartphone, PC, tablet) offers.

How secure is FIDO?

Technically, the FIDO industry standard has every prerequisite for securing communication on the internet. However, the online services themselves pose a security risk for two- or multi-factor authentication: if a simple message to a company's support desk is enough to have two-factor authentication disabled for an account, even technically sophisticated encryption procedures and authentication methods are of no use.

A user's FIDO identity is stored on a so-called security chip, which is already built into newer models of smartphones, laptops and tablet PCs. This chip holds the private key, which cannot be exported because the chip performs all cryptographic calculations itself. Such a chip can, however, have vulnerabilities that hackers exploit to get around the security mechanism.

The absence of the familiar "Forgot Password" function can also turn out to be a disadvantage for users. For this reason, end users should register more than one means of access so that they do not lock themselves out: a user who has registered a second FIDO chip still has access to the account if the first one stops working or is lost.

Conclusion: for security reasons, it makes sense to replace the password-protected login with FIDO's two-factor authentication. However, one should also be aware of the standard's weaknesses.