Passwordless logins using hardware keys
Instead of insecure passwords, password managers with passwords to access them, two-factor authentication through text message or app on your phone, and easily compromised services, we can now start using a simple, user-friendly physical USB key system.
Logging into your digital services like email, social media accounts, online backup services, corporate accounts, and cloud services is now possible without remembering or even using a password. This new technology is also more secure than your current password setup.
The passwordless technology uses a hardware security key. Hardware keys look like USB thumb drives. You insert them into the USB port of your computer to use.
All the above words were invented by the technology workers to describe a sophisticated digital authentication system using cryptography. As such, it sounds rather complex.
But, they all describe a new, easier, and more secure login process for online accounts.
This new process, we will call it FIDO2 in this article, is taking access and authentication to online services back to an old idea: a lock and key.
A key that is a physical device that attaches to the key chain you use for your front door keys.
FIDO2 is an open standard. It has been adopted by all the major digital services companies and over the next 5 years will be come the preferred method of accessing your accounts.
In this new system, you only need to have the key to gain access to a service and the lock is tailored just to your key.
Instead of insecure passwords, password managers with passwords to access them, two-factor authentication through text message or app on your phone, and easily compromised services, we have a simple user-friendly physical USB key system.
More importantly, Apple has adopted it and integrated it into their hardware meaning its widespread adoption will be guaranteed.
However, because FIDO2 is an open standard it is also available on more than just Apple devices and comes in a variety of forms from different vendors. As described in later articles, these forms have benefits rather than drawbacks compared to the Apple versions.
Getting a hardware key
You have several options as a consumer to take advantage of the FIDO2 technology. I am going to focus on one specific implementation: the hardware key. Specifically, these articles will demo a hardware key produced by Onlykey.
OnlyKey is open hardware and software. it also has some additional features not found on generic FIDO2 keys, but might be over-kill for many looking to use FIDO2 technology for passwordless login.
There are many other options, from "generic" versions you can go through your local store or online digital marketplace to get the latest YubiKey or NitroKey with FIDO2.
The hardware key operates as a physical device that holds a digital private key. Like a regular door key, the hardware key has a public facing "lock" (called a "public key") in the digital world. Each digital service has a public lock that only opens with your private key.
The system is designed so that even if you have all the public locks for that key, you still cannot open the locks or create the key. The math that backs the public-private key exchange that makes this system even more secure than most password setups.
Hardware keys look like USB thumb drives and you insert them into the USB port of your computer to use. The two versions from OnlyKey, which look similar to other USB hardware security keys:
The difference is that most of these USB keys do not store any data because their primary purpose is to store a single digital key in a near indestructible way.
FIDO2 keys require almost no setup. The system that they use to help you access services and applications on your computer, tablet, and mobile smart phones are already part of your operating system.
To add a hardware key login to an account, simply plug the hardware key, go to settings, click "add security key" under authentication options, and follow the (usually 3-step) instructions.
Once added, the next time you go to the login page of your account, and your hardware key is plugged-into your computer, your browser will detect the hardware key and log you in.
No password necessary.
Some services will be going even farther than this and not require even a username.
Just like entering your front door to your home, you only need your key to open the lock and get in.
Of course, this is a new technology and a new process so there are a few things that you will have to keep in mind and learn.
We will go through them in some detail in articles to follow including issues like:
Losing your keys—why a hardware security key might be better than using your (i)phone.
Backing-up your keys—don't lock your keys in your backup.
Time-based two factor authentication—you can use many FIDO2 keys for this too.
Passwords are still around and will probably never be completely replaced for all things.
Using a more sophisticated hardware key like the OnlyKey to cover all options from FIDO2 to two-factor authentication to password storage and backup.
Losing your keys
Apple is calling their hardware security key system "Passkey". It is integrated with their proprietary (read: evil) integrated authentication system including Apple's AutoFill and Face ID or Touch ID for biometric verification and synced across your (assumed multiple) Apple devices using iCloud Keychain.
This is fine if you want to give up all freedom and be beholden to the most expensive hardware around. But, for most working people this is not really an option. And, for once, it is not really the best option either.
It sounds great to have your mobile (i)phone as your hardware security key. You always have it with you (because, face it, you are a slave to your digital profiles), you are mostly glued to it 24 hours a day, and people are generally nasty about sharing their phone with others—making it rather secure.
The problem is when you drop your phone and it breaks. Most mobile phones are made with planned obsolescence in mind. They are made of glass, are leaky, and break in most any real life, rough circumstance.
The Apple—we own you because you rent our devices—solution does not really work well for this because if you break your phone you will not be able to access your accounts, unless you also have a bunch of other latest versions of Apple devices with you.
The alternative is to have a different and unique physical device that is your hardware security key. A device that really does one thing, does it well, and does not try to do much of anything else.
This alternative is the USB hardware security key. Most of these keys are waterproof, crush resistant, do not break when you drop them, and are small enough to discretely fit alongside your regular keys.
"But," you ask. "What if I lose my keys?" We have all been there. Here the USB hardware key is better too. You can create backups of your hardware key, copy it to another hardware key, and store that key in a safe place. The benefit here is that the USB hardware key do cost a tiny fraction of the cost of a new iPhone, so you can have lots of them without bankrupting yourself.
In addition, if something were to happen to you, you can leave instructions on how to use it along with a back-up in a safe place so someone who has access to that safe place can access your accounts. Something less likely to be able to happen with your iPhone that was on you when you got kidnapped by fascists at a protest and dropped out of a helicopter when you would not give up your comrades. Or, other more probable scenarios.
Backing-up your keys
Ever locked yourself out of your car or home because you locked the keys in the car or home?
Ever locked the cryptographic key that you need to access a backup inside the encrypted backup?
Locking your keys inside the place you locked is something that you need to think about with any key system. You can create backups of most FIDO2 private keys—the cryptographic key stored in the physical USB security key. Just make sure you do not also use that key to encrypt the place you store the backup of the key.
The best option for this is to have a second duplicate of your FIDO2 key, have a second key that you use for your backup, or keep your backup of your key on a device/piece of paper that you can secure.
The OnlyKey makes this rather simple. The entire key can be exported to a file that has its own password (ugh, another password!?). This file can be stored or even printed out (as a QR code) and stored somewhere safe. It is like a second set of keys you leave with your neighbour you trust (do these situations really exist?) or in a safety deposit box.
Other keys have similar solutions here, but the important thing is to just make sure you have a backup of your key or a second key that allows access to your backup that does not require the key you are backing up.
Just remember, do not lock your keys inside the house.
Time-based One-Time Password for Two-Factor Authentication (TOTP)
Time-based two-factor authentication is the original FIDO protocol. You would have used it if you used SMS second factor authentication where you get a text message with a code to access your account. Or, if you have used Google Authenticator or some other authentication application where you have to type a code after you type your password.
This authentication method does not have to work via a text message or authenticator app. You can use a FIDO (one?) key to do this. Most FIDO2 keys do this as well.
So again, even if you lose your phone, you can use your USB hardware security key to do two factor authentication.
There is nothing magical about most 6-digit pins that are sent you by random text message during login. They use TOTP/FIDO standards. As such, you can replace the text message thing with your key.
Most login systems will move away from TOTP/FIDO two factor authentication soon to using the much easier FIDO2 process. In the mean time, it is good to setup your key to do this for you and reduce the general hassle.
The OnlyKey can do this. It is more involved than just plugging the key in and using it to login for you. This more complex process is because you have to link the key to the account manually using the TOTP/FIDO process.
The more involved TOTP process is not difficult, but requires running the OnlyKey application and a 5-6 step process for adding the TOTP key process to your device.
Why do this? Because of all the reasons outlined above about using your phone plus the fact that SMS two-factor authentication is actually not very secure.
More about that process here:
As you have probably noticed, passwords are still a thing even in the "passwordless" world we are heading to.
The reality is, you need a type of "password" to get into lots of things. However, everywhere we can replace a password with a key we should. Then there should only be two or three passwords that we need to remember and it does not matter if they are that secure because you should need physical access to the file, key, and device to use the password.
Think a bank deposit box. You might have a key, but you still need to prove who you are to the bank, go to the bank, and physically use the key to open the box. Each level of security might be rather easily broken, but hard to actually execute in real life.
The passwords you will have to remember include:
pin for accessing your OnlyKey/USB hardware security key
password for your backup file of your USB hardware security key
You may also have additional passwords for your services that have not moved over to FIDO2. However, a USB hardware security key can actually store the password/access to your password manager. FIDO2 works with most password manager systems for access.
So, really, you should not need any more passwords than the above for your digital life after you move to FIDO2.
OnlyKey: additional security things
The OnlyKey does other cryptographic things than most FIDO2 devices.
multiple PGP keys
It does two factor authentication/TOTP.
It has a random number generator and has applications that execute different authentications for Github/Gitlab code signing, file encryption, PGP/GnuPG key exchange for the Password Store application. And, some other even more esoteric cryptographic things.
If you do not know what any of these things are, don't worry about it. You do not need to use these to enjoy using the OnlyKey as a FIDO2 key.
The most useful thing in the list of extras it does TOTP and username/password manager. This allows you to use the key to access and automatically log you into services that have do not use FIDO2 yet with a touch of a button.
For a instructions of how this works, see their website and videos.