The introduction today of passwordless authentication support in Nextcloud Hub is a big step forward for organizations that want to reduce or even eliminate the use of passwords. Alongside Windows Hello, Nextcloud Hub is the second popular service (that we are aware of) supporting passwordless logins. What does it look like, a password-less world with WebAuthn and Nitrokeys? Read on!
What's wrong with passwords?
Let's first, quickly, revisit the problem with passwords. XKCD's take on password strength is probably overly familiar by now, but it still sums up what is wrong with many passwords. Passwords don't scale with the large number of accounts everybody possesses nowadays. Therefore passwords need to be "enhanced" with password managers and second-factor authentication methods. But those can be complicated to use and therefore lack acceptance. How can we do better?
Step 1: The key to success
To create a password-less world, a different way of authenticating has to be set up. This is where FIDO2 comes in, the authentication standard behind the W3C Web Authentication (WebAuthn) API. You can immediately forget these fancy words. What it means is that instead of a password, you get a USB key (or another authenticator) such as the Nitrokey FIDO2. When you need to authenticate, you plug in the Nitrokey, enter your device PIN, and you're set to go.
That probably sounds easy enough for your desktop at the office. But what about your phone or laptop? Do you have to carry that Nitrokey around all the time? Not really.
Step 2: Additional authentication method
Mobile phones and operating systems are becoming FIDO2 compatible, which means they can authenticate using their usual methods - a fingerprint, your face or a built-in TPM for example. You have to configure this once in your application, logging in with your Nitrokey attached. After that you simply scan your fingerprint or let Face ID do its thing.
For Windows Hello on your laptop, the same is true. Log in once with your Nitrokey, then configure Windows Hello for future logins. Next time, your face does the trick and logs you in to your desktop or Nextcloud!
That's all there is to it. Once the initial Nitrokey FIDO2 is configured, you live in a brave new world without passwords!
How does this really work?
How does WebAuthn eliminate passwords? Where a password would normally be entered, the server instead asks the browser for authentication. The browser passes this request on to the configured Nitrokey FIDO2. The Nitrokey FIDO2 holds a cryptographic private key which never leaves the device. After successful authentication via the device PIN, a cryptographically signed response is transmitted back via the browser to the server, which verifies the signature against the public key registered for that user, and the login is complete.
Is it two-factor authentication?
Is WebAuthn/FIDO2 the same as two-factor authentication? Yes and no. It can be used as a second factor, providing proof that the user holds a particular hardware key or that their fingerprint is what was expected. But by itself, a FIDO2 device can already provide two factors. The server asking for authentication can request verification of multiple factors, so that a configured key requires the user not just to plug it in but also to enter a PIN or scan a fingerprint. This way, WebAuthn itself is already a two-factor authentication scheme and thus not only easy, but also highly secure. The PIN is specific to the USB key and therefore doesn't need to be different for each website. Nor does it need to be long and complex: a six-digit PIN is sufficiently secure.
Update: Nextcloud Hub 19 queries the device PIN, but does not verify it and therefore does not yet implement two-factor authentication.
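As an added illustration of the exchange described above, and of the user-verification check the update mentions, here is what a relying party must do with the signed response before it accepts a login. This is example code written for this post, not Nextcloud's or Nitrokey's implementation; the key pair, RP ID, origin and challenge values are constructed, and the "Nitrokey" is simulated in software.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)
// authenticatorData flag bits (WebAuthn section 6.1): UP = key touched, UV = device PIN or biometric checked.
const flagUP, flagUV byte = 0x01, 0x04
// credKey stands in for the key pair the Nitrokey created at registration (constructed P-256 key).
var credKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
// signedPayload is what the key signs: authenticatorData || SHA-256(clientDataJSON).
func signedPayload(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), cdHash[:]...)
}
// verifyAssertion runs the relying-party checks; requireUV is the "PIN must have been verified" policy.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, authData, clientDataJSON, sig []byte, requireUV bool) error {
	var cd map[string]any
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil || cd["type"] != "webauthn.get" ||
		cd["origin"] != origin || cd["challenge"] != challenge {
		return errors.New("clientData unparsable or type/origin/challenge mismatch")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], rpHash[:]) {
		return errors.New("authData too short or rpIdHash mismatch")
	}
	if authData[32]&flagUP == 0 || (requireUV && authData[32]&flagUV == 0) {
		return errors.New("required user presence/verification flag not set")
	}
	digest := sha256.Sum256(signedPayload(authData, clientDataJSON))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// fakeAssertion simulates the key answering a challenge (constructed, not a real device): rpIdHash | flags | signCount=1.
func fakeAssertion(rpID string, flags byte, clientDataJSON []byte) ([]byte, []byte) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], flags, 0, 0, 0, 1)
	digest := sha256.Sum256(signedPayload(authData, clientDataJSON))
	sig, _ := ecdsa.SignASN1(rand.Reader, credKey, digest[:])
	return authData, sig
}
```

With requireUV set to false the server behaves like the Hub 19 release described in the update: the PIN prompt happens on the key, but the login is accepted on possession alone.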
Why use a FIDO2 USB key?
Compared to a TPM, which is bound to an individual computer, USB FIDO2 keys (e.g. the Nitrokey FIDO2) have the following advantages:
- Not all computers contain a TPM that can be used as a FIDO2 authenticator (Linux machines, for example).
- One USB FIDO2 key can be used with multiple computers. Users don't need to configure each computer and don't need to remember a different PIN for each computer.
- In corporate use cases, some users may not use a corporate computer (e.g. freelancers or home-office workers). In that case the company can still provide these users with a FIDO2 USB key to securely log in to its services.
What if your Nitrokey FIDO2 is lost?
Services which support passwordless login require you to configure at least one other authentication method. This can be a second Nitrokey FIDO2, a phone number or another method. These act as a fallback method in case your Nitrokey FIDO2 is lost.