The Future of Login is Here

FIDO2 Passwordless Login

4/24/2023, 2 min read

Image: a diagram of a high-tech security strategy


We've been relying on antiquated methods to secure our online accounts for far too long. Passwords are easily guessed, phished, or forgotten. 2FA was introduced to provide an additional layer of security on top of your password.

On the plus side, 2FA makes it much harder for bad actors to access your online accounts. Even if they somehow manage to steal your username and password, they won't be able to log in unless they also have your phone or have access to whatever other factor you're using for 2FA.

On the other hand, 2FA can be a bit of a hassle. If you lose your phone or don't have access to it for some reason, you may not be able to log into your account. Additionally, if you're using an app like Google Authenticator for 2FA and accidentally delete it, you could also be locked out of your account until you can get hold of customer support.

It's time for a change. The FIDO Alliance has developed the FIDO2 standard for passwordless login.

What is FIDO2?

FIDO2 is an authentication standard that allows users to log in to their online accounts using a secure hardware device, such as a USB key or NFC-enabled smartphone, instead of a password. This makes account login more secure and more convenient for users since they no longer have to remember and enter a long and complex password.

How does it work?

When users attempt to log in to an online account protected by FIDO2, they will be prompted to insert their security key or tap their NFC-enabled device on the reader. The key will then communicate with the website's server to authenticate the user and grant them access to their account.

FIDO2 also supports multi-factor authentication, meaning that even if a hacker manages to steal your security key, they still won't be able to log in to your account unless they also have your biometrics (e.g., fingerprint, iris scan).

Passwordless authentication using FIDO2 is more secure because it doesn't rely on a password that can be guessed or stolen. Instead, FIDO2 uses public key cryptography to authenticate users. When the device is first registered with a site, it generates a public/private key pair: the public key is sent to the server, and the private key never leaves the device. At each subsequent login, the user is prompted to insert their FIDO2 device, the server sends a random challenge, the device signs that challenge with the private key, and the server verifies the signature with the stored public key; if the signature is valid, the user is logged in. Even if a hacker gets your username and password, they won't be able to log in unless they also have your FIDO2 device.

To use FIDO2 for passwordless authentication in Azure AD, an administrator must first enable the feature in the Azure portal. Follow these instructions to set it up: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key