
Safe without a Password?

Updated: 6 days ago

What is a secure password? The surprising answer: No password. In fact, passwordless authentication has been discussed for some time now. FIDO2 could become the de facto standard in a few years. This would undoubtedly benefit IT security, as the many passwords users utilize today pose a high risk for companies, not to mention the massive effort required to manage all those passwords.


Passwords are the most commonly used method for authenticating to applications. However, passwords and poor handling of them are also the main causes of successful hacking attacks. This is partly because they are often not secure enough and partly because many people use the same passwords for multiple online accounts. A study by KnowBe4 Research showed that 76 percent of employees reuse their passwords. Accordingly, passwords represent a significant risk for IT security.

Moreover, managing passwords presents a significant challenge for companies. Many organizations have thousands of accounts and passwords to manage. For users themselves, dealing with hundreds of passwords daily is a burden, and forgetting one causes stress. Last but not least, IT support also has to invest a lot of work in passwords: up to 40% of helpdesk calls are related to password resets. Given all the problems that passwords create, it is not surprising that many people do not just want passwordless solutions but long for them. This also applies to IT security professionals, as passwordless authentication enhances security by virtually eliminating the risk of credentials being shared, reused, or lost to phishing attempts.


How the FIDO Alliance Aims to Make the World "Password-Free"

The FIDO Alliance (FIDO = Fast Identity Online), a coalition of global companies, is dedicated to improving online security through the use of passwordless authentication methods. The Alliance aims to establish passwordless authentication worldwide. It provides companies and developers with a range of tools and resources to make their websites and applications more secure. By establishing passwordless authentication as a standard, the FIDO Alliance can help reduce the risk of data breaches and strengthen trust in the internet as a secure environment.

Since the Alliance was founded in 2013, more than 250 organizations have joined, including tech giants like Google, Microsoft, and Intel. The members of the Alliance have developed three core technologies that are now known as "FIDO2." These technologies are:

  • WebAuthn: An open standard developed by W3C and supported by all major browsers. WebAuthn allows users to manage their credentials for online services using biometric features or hardware-based keys.

  • CTAP: The Client-to-Authenticator Protocol standard allows devices to communicate with authentication devices to verify possession of a private key.

  • UAF: The Universal Authentication Framework technology enables users to use their biometric features for authentication.

The passwordless, biometric authentication method FIDO2 protects data very effectively, as it is very difficult to replicate biometric features. FIDO2 is also very user-friendly and easy to use. Users do not have to remember long and complicated passwords and can simply log in using their biometrics. Additionally, the fact that FIDO2 is open source is a significant advantage, as it allows security researchers to continuously develop and improve the technology, thereby enhancing security even further.


FIDO and Zero Trust

FIDO is also an essential component of Zero Trust security. Zero Trust is a concept aimed at granting all network users the same access to resources, regardless of their location. This concept assumes that no user is trustworthy and that all network activities must be verified. FIDO provides strong authentication that allows network users to securely confirm their identity. By using Public Key Infrastructure (PKI) and biometric features, FIDO can ensure that only authorized users can access resources. Furthermore, FIDO offers a high degree of flexibility, as it is compatible with both traditional and novel authentication methods. This combination of strong authentication and high flexibility makes FIDO an ideal solution for companies looking for a way to implement their Zero Trust initiative.


When Will the Future Be Passwordless?

In fact, the future has already begun. Microsoft, Apple, and Google are already using this technology, although it is not yet entirely password-free. Passwordless authentication is not only a forward-looking technology but also offers a range of advantages over the traditional password model. For one, using biometric features like fingerprints or facial recognition is significantly more secure than the password model, as it is much more difficult to steal or forge these types of information. Additionally, the passwordless authentication option is generally much easier and more intuitive to use, which greatly improves acceptance and usage. Traditional passwords will not completely disappear in the foreseeable future, but more and more companies are planning to implement passwordless authentication. In just a few years, FIDO2 could become established.





Tunnelweg 5a | CH-6414 Oberarth | Switzerland

© 2025 by Bollwerk Group
