The Passwordless Future. Is it here?

24 May 2022

We have been hearing for a long time that passwords are fundamentally flawed, and that at some point in the future we will do away with them in favour of more secure methods of authenticating with our online services. To most of us this will seem quite fanciful: the password is simply ubiquitous, so how would it even work?

The truth is that the technology is already here, and you may be able to start using it today. Let's take a look at the standards, the technology, the user experience and, of course, the problems.

The Experience

You've probably felt along this journey that all of the steps we have taken so far have only made signing into your online services more of a task. You've got to make sure your password manager is signed in and open, along with the app on your phone for the two-factor codes. That short and simple password wasn't secure, but it was easy. At this point you could be forgiven for thinking that convenience and security sit at opposite ends of the same scale, and that more of one means less of the other.

However, there is a new and better way. The FIDO2 standards make for a simpler, but much more secure, authentication method than anything that has been widely adopted before. If you've got a Windows 10 or 11 machine that supports Windows Hello, you already have everything you need to get started. You can also get hardware authenticators like a YubiKey or Google's Titan Authenticator that you can use across multiple devices. It should make the process all very simple: enter your username, choose the security key option, plug in the key and press the button on it. Sadly, this is not always the case at the moment.

How does it work?

As users, or even as system administrators looking to ensure the services we administer are as secure as possible, we don't typically have to worry about the specifics of the standards or exactly how something works under the hood. With the set of standards that are becoming the way we will use security keys for online services, that is very much a good thing, because it is very easy to get confused about them. Today, if you are looking at buying a security key, you will want a FIDO2 certified key, although you can use Windows Hello on your PC as well. It looks likely that more devices will be supported in the future and that this functionality will be built into our phones and perhaps smartwatches, much like contactless payments have been.

There are three main developments in how the standard works, and they loosely represent the ways in which security

  1. The first standard was “Universal 2nd Factor” or U2F. This allowed a security key to replace the likes of TOTP as the second factor alongside a password.

  2. Later came the “Universal Authentication Framework” or UAF. This expanded the standards to work with mobile devices specifically, and was the first time a true passwordless multi-factor approach worked within the FIDO standards.

  3. FIDO2 expands on both of these, and also introduces a web standard (WebAuthn) that has been implemented in the major web browsers and platforms. This stage of the standards allows for an authentication method that even removes the username from the equation for the user: all aspects of the login process can be handled securely by the security key.

As a result there are three login methods:

  1. Username -> Password -> Security Key

  2. Username -> Security Key with PIN

  3. Security Key with PIN
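To make the three methods concrete, here is an added example (not code from the original post) showing how each one maps onto the WebAuthn options a website hands to the browser; the relying-party domain `example.com`, the user record, the credential IDs and the challenge bytes are all constructed sample values, and the registration options show the discoverable credential that method 3 relies on.

```javascript
// Added example, not from the original post: RP_ID, user data, credential IDs
// and the challenge below are constructed sample values.
const RP_ID = "example.com"; // assumed relying-party domain
// A real challenge is fresh random bytes from the server for every ceremony and
// is checked server-side; this constant is a constructed stand-in for the demo.
const SAMPLE_CHALLENGE = new Uint8Array(32).fill(7);

// Registration: request a discoverable ("resident") credential that the key will
// only use after user verification (PIN or biometric). Storing the user handle
// on the key is what makes the username-free method 3 possible.
function buildRegistrationOptions(userId, userName, challenge) {
  return {
    rp: { id: RP_ID, name: "Example Service" },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256, for older keys
    ],
    authenticatorSelection: {
      residentKey: "required",      // WebAuthn Level 2 name
      requireResidentKey: true,     // Level 1 name, kept for older browsers
      userVerification: "required", // PIN/biometric checked on the key itself
    },
    attestation: "none",
    timeout: 60000,
  };
}

// Login: PublicKeyCredentialRequestOptions for each of the three methods.
// knownCredentialIds is what the server has on file for the named user; method 3
// has no username, so the allow list is empty and the key chooses the credential.
function buildLoginOptions(method, challenge, knownCredentialIds = []) {
  const base = { rpId: RP_ID, challenge, timeout: 60000 };
  const allowCredentials = knownCredentialIds.map((id) => ({ type: "public-key", id }));
  if (method !== 3 && allowCredentials.length === 0) {
    throw new Error("methods 1 and 2 need the user's registered credential IDs");
  }
  switch (method) {
    case 1: // Username -> Password -> Security Key: password already checked, key is 2nd factor
      return { ...base, allowCredentials, userVerification: "discouraged" };
    case 2: // Username -> Security Key with PIN: user verification replaces the password
      return { ...base, allowCredentials, userVerification: "required" };
    case 3: // Security Key with PIN, no username: discoverable credential plus PIN
      return { ...base, allowCredentials: [], userVerification: "required" };
    default:
      throw new Error(`unknown login method ${method}`);
  }
}
```

In a browser the registration object is passed as `navigator.credentials.create({ publicKey })` and the login object as `navigator.credentials.get({ publicKey })`; the server must then verify the returned signature against the stored public key and its own copy of the challenge.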

Which of these options are available to you will depend largely on the service you are using and the authentication methods it supports. This is also one of the key challenges so far: adoption. If you have recently been setting up 2FA on your services you have probably found it quite frustrating that many don't even support that, even for accounts you would like to treat with more care. Banks have long since gone their own way, and none that I use will even support TOTP methods, let alone more forward-looking methods like this. The financial institution I have my ISA savings account with does not even support 2FA at all for its UK customers, while customers in the USA can use FIDO2 authenticators with their accounts.

FIDO2 promises not just a more secure authentication method, but a simpler one too. In the future our laptops and phones will establish a secure trust relationship with the services we use, and we users will provide a PIN, a fingerprint or our face, much like we do to unlock our phones today. Not all the pieces are quite in place yet, but as services begin to adopt these standards it will only get better.

Should you get started today? I wouldn't want to discourage anyone, but I feel that today the benefits are quite limited, especially given the small investment a hardware key requires. However, I would encourage you to add Windows Hello as an authentication method to your important accounts if you can, alongside TOTP. It's simply easier than finding your phone to type that code in.

Lastly, this is all quite new to me, so thank you for getting this far. While with my previous two blog posts on online security I was reasonably confident in my knowledge, this is somewhere I am less so. I've dived in head first, bought a couple of YubiKey devices and set them up everywhere I can, but I'm still in the early phases myself. If you are more experienced or believe I am wrong on anything here, please get in touch, as I'd love to learn more and be able to provide better information to readers too.

Further Reading

An In-depth Guide to FIDO Protocols from Strongkey

FIDO2 Authentication Standards by Yubikey

What is FIDO2 and how does it work? from Hideez