Thanks to the FIDO2 standard, it is possible to log in securely to various online services without a password. Microsoft and Google, among others, already offer options for this. More organizations will probably offer this option this year.
You then need a physical key to log in, for example the YubiKey. A FIDO2 key is also known as a token, authenticator or security key. It can be a small piece of hardware that looks like a USB stick and plugs in the same way. There is also hardware with a Bluetooth or NFC transmitter, which can be as small as a euro coin.
But your own laptop or smartphone can also be the authenticator. This is possible if your device has a suitable chip that can serve as cryptographic hardware and the FIDO authenticator is implemented as software. This has worked in Windows 10 since version 1903, in Android since version 7, and in iOS since 13.3.
You have been able to do this for almost a year with Windows Hello, where previously you could only log in biometrically to the operating system and the Microsoft account (and thus services like the web version of Outlook). For that you first needed a certified camera or fingerprint sensor, but since 1903 it is also possible with a FIDO2 key if you choose this setting with Microsoft's online services.
With Google services you can use FIDO2 on the smartphone from Android 7 (Nougat). Together with Google Chrome or another suitable app, it is possible to log in without a password by confirming with your fingerprint instead. You can test this with your smartphone via the webauthn.io site. Since August 2019, you can also log in to your Google account with this method.
Apple has been FIDO-compliant since the recent iOS 13.3 and the browser Safari now supports login processes with such a physical key. You could already log in to your iCloud in a beta version this way.
In addition, there are many services that offer FIDO2 as a second factor. After you log in with your password, you must then use the key; this is not a passwordless login method. It provides much stronger security, and for that reason more and more services are offering it. 2FA is thus becoming a standard method, and working with FIDO is safer and more convenient than, for example, 2FA via SMS.
The advantage is that you greatly increase your personal online security with FIDO compared to using a password. The disadvantage is that you always have to have your security key with you if you want to log in somewhere. For that reason, FIDO2 with the smartphone as a hardware key is very convenient, because many users already have it with them.
How that login works depends on the WebAuthn implementation of the service you want to log in to. You usually plug your FIDO2 key into a USB port and then press a button to confirm the login. In addition, a PIN code, password or biometric data may be required. If you use a fingerprint or other biometric function, this data will be stored on the device.
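The difference between "press a button" and "also enter a PIN or use a fingerprint" is visible to the service in the flags byte of the WebAuthn authenticator data, and the following added example (not code from the original article or from any of the named vendors) shows a server-side check of those flags in Node.js. The `mode` setting, the `login.example` relying party ID and the sample data are assumptions of this example, and it covers only the flag and relying-party check, not verification of the signature.

```javascript
const crypto = require("crypto");

// WebAuthn authenticator data: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian) | ...
const FLAG_UP = 0x01; // user present: the button press on the key
const FLAG_UV = 0x04; // user verified: PIN or biometric checked on the device

function parseAuthenticatorData(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < 37) {
    throw new Error("authenticator data too short");
  }
  const flags = buf[32];
  return {
    rpIdHash: buf.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: buf.readUInt32BE(33),
  };
}

// `mode` is a hypothetical policy setting of this example:
// "second-factor" accepts a button press after a password login,
// "passwordless" additionally demands PIN or biometric verification.
function checkAssertionPolicy(buf, expectedRpId, mode) {
  const data = parseAuthenticatorData(buf);
  const expectedHash = crypto.createHash("sha256").update(expectedRpId).digest();
  if (!data.rpIdHash.equals(expectedHash)) return "reject: wrong relying party";
  if (!data.userPresent) return "reject: no user presence";
  if (mode === "passwordless" && !data.userVerified) {
    return "reject: user verification required";
  }
  return "accept";
}

// Constructed sample input: builds authenticator data for a given RP ID and flags.
function sampleAuthData(rpId, flags, signCount) {
  const tail = Buffer.alloc(5);
  tail[0] = flags;
  tail.writeUInt32BE(signCount, 1);
  return Buffer.concat([crypto.createHash("sha256").update(rpId).digest(), tail]);
}

const touchOnly = sampleAuthData("login.example", FLAG_UP, 7);
const touchAndPin = sampleAuthData("login.example", FLAG_UP | FLAG_UV, 8);
console.log(checkAssertionPolicy(touchOnly, "login.example", "second-factor"));
console.log(checkAssertionPolicy(touchOnly, "login.example", "passwordless"));
console.log(checkAssertionPolicy(touchAndPin, "login.example", "passwordless"));
```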
You cannot make a backup copy of your key, because copyability defeats security and the standard excludes this. That is why it is important to have an alternative login method. If you don't want to use your smartphone for this, you can purchase a key from a manufacturer like Nitrokey UG, Solokeys or YubiKey. They cost about 25 euros. Make sure the key is certified for FIDO2 or at least works with it. You may find offers of cheap keys, but they often work with version 1.2 of the standard.