What you need to know about FIDO keys

Thanks to the FIDO2 standard, it is possible to safely log in to various online services without a password. Microsoft and Google, among others, already offer options for this. This year there will probably be more organizations offering this.


FIDO2 is a standard for registering with and logging in to online services. FIDO, short for Fast IDentity Online, is intended as a replacement for logging in with a password: you log in with a username and a physical FIDO key. In practice it is also often used as a second factor in addition to the password.

For this login method to work, the service must support it. The standard is managed by the FIDO Alliance and has major industry partners such as the W3C, Intel, GSMA, Amazon, VMware, Samsung, PayPal, Microsoft, Okta, LG, the standards institute NIST and many others. Support for FIDO2 is therefore quite broad. Large web services such as Gmail, Facebook, Dropbox and Outlook support FIDO. You may know a core part of the standard under the name WebAuthn.

You will then need a physical key to log in, for example the YubiKey. A FIDO2 key is also known as a token, authenticator or security key. It can be a small piece of hardware that looks like a USB stick and is connected the same way. There is also hardware with a Bluetooth or NFC transmitter, which can be as small as a euro coin.

But your own laptop or smartphone can also be the authenticator. This works if your device has a suitable chip that can serve as cryptographic hardware; the FIDO authenticator is then implemented in software on top of it. This is supported in Windows 10 since version 1903, Android since version 7 and iOS since 13.3.

Windows Hello has supported this for almost a year. Previously you could only log in biometrically to the operating system and your Microsoft account (and with that to services such as the web version of Outlook). That required a certified camera or fingerprint sensor, but since version 1903 a FIDO2 key also works if you enable this setting in Microsoft’s online services.

With Google services you can use FIDO2 on a smartphone running Android 7 (Nougat) or later. With Google Chrome or another suitable app you can log in without a password, confirming instead with your fingerprint. You can test this with your smartphone on the webauthn.io site. You can also log in to your Google account with this method since August 2019.

Apple has been FIDO-compliant since the recent iOS 13.3, and the Safari browser now supports logging in with such a physical key. You could already log in to iCloud this way in a beta version.

In addition, there are many services that offer FIDO2 as a second factor. After you log in with your password you must use the key – it is not a password-free login method. This is much stronger security, and for that reason more and more services are offering it. 2FA is thus becoming a standard method, and FIDO is both safer and more convenient than, for example, 2FA via SMS.

The advantage is that FIDO greatly increases your personal online security compared to using a password. The disadvantage is that you must always have your security key with you if you want to log in somewhere. For that reason, FIDO2 with the smartphone as the hardware key is very convenient, because most users carry one anyway.

How logging in works depends on the WebAuthn implementation of the service you want to log in to. You usually plug your FIDO2 key into a USB port and then press a button on it to confirm the login. In addition, a PIN code, password or biometric check may be required. If you use a fingerprint or another biometric function, that data is stored on the device itself and is not sent to the service.

You cannot make a backup copy of your key, because a copyable key defeats the security and the standard therefore excludes this. That is why it is important to have an alternative login method registered. If you do not want to use your smartphone for this, you can purchase a key from a manufacturer such as Nitrokey UG, Solokeys or YubiKey. They cost around 25 euros. Make sure the key is FIDO2 certified or at least works with FIDO2. You may find offers of cheap keys, but they often only support the older 1.2 version of the standard.
