BERLIN: It’s impossible to remember all the passwords needed for different internet services. That’s where a password manager comes in useful but that too needs a password. And no matter how good a password is, it can always be stolen.

Logging in using two steps (two-factor authentication/2FA), in which a second factor, such as an app-generated code, is checked in addition to the password increases security, but does not make logging in any less complicated.

No more passwords?

There is a solution to these problems, which is simply to make the password itself superfluous. It’s called Fido (Fast Identity Online) and it encompasses several IT security standards.

The latest version, Fido 2, is intended to enable secure, password-free logins to online services, thereby making passwords obsolete. Apple, Google and Microsoft are among those hoping to usher in a password-free world using this system.

It works like this: Anyone who wants to log in using Fido 2 must first register a device such as a smartphone, tablet or computer with the respective service.

During registration, two cryptographic strings are generated that together form a pair, the public and the private key. The service receives the public key, while the private key is stored on the device, which then becomes an authenticator.

If you now want to log in, the device creates a digital signature using the private key. The service can then check the authenticity of this signature using the public key.

In principle, this works like a hand-written signature on paper, explains Professor Markus Dürmuth from the Institute for IT Security at Leibniz University Hannover in Germany. “Only I know how I write my signature – and anyone can check it with a comparison,” he says.

But the Fido 2 process is more secure because the private key resides only with the user and because the signature contains a time stamp so that even if attackers manage to intercept the signature, they can’t use it later.

Special chip stores the key

The private key, also known as the secret, is secure on authenticator devices where it’s stored in a so-called Trusted Platform Module (TPM).

”These are hardware chips that are designed in such a way that they have no output for the secret,” says IT security specialist Jan Mahn.

The private key is calculated once in the device and then stored there. When logging in, only the signature leaves the device, not the private key itself, Mahn says.

A TPM with crypto chips is found in most smartphones today, as well as in newer PCs and notebooks. Microsoft has also made having a TPM a prerequisite for the installation of Windows 11.

Those who have an older computer or smartphone without a TPM can also store the private key on sticks that are connected using USB to a computer or NFC to a smartphone.

These sticks with built-in crypto chips are also called tokens and can not only replace the password in Fido 2, but can also, depending on the service, act as a second factor. This is because 2FA is also part of the Fido standards.

But what if you lose the smartphone on which the private key is stored? “The official recommendation with Fido 2 is to register two devices,” Dürmuth says.

The second device does not necessarily have to be a smartphone or a computer – a securely stored USB token also makes a good backup.

Keys in the cloud

A relatively new idea for solving the problem of lost keys and for even greater user-friendliness is to synchronise the private key in the cloud.

It can be stored on internet servers, but can also be synchronised over the network on any number of devices. This is how Apple, for example, is proceeding with its Fido 2 implementation.

In May this year Apple, Google and Microsoft jointly declared their intention to add further functions to Fido 2 by 2023. Users will be able to access their credentials automatically on various devices without having to log in again for each account.

With most Android, iOS, and macOS devices, but also under Windows, it is now very easy to use Fido 2 with existing hardware, says Jan Mahn. He advises using Fido 2 wherever possible, either as a password replacement or a second factor. – dpa