
Executive Summary
- Fed up with forgetting passwords and concerned about the rise of cyberthreats? FIDO2 and YubiKeys offer a simple, secure, and frankly rather brilliant way to ditch passwords altogether.
- Our guide explains how these passwordless technologies work, why they can make a huge difference for small businesses in the UK, and how they can seriously boost your cybersecurity.
- Get ready to say goodbye to sticky notes and say hello to a safer, more productive way of working with FIDO2 and YubiKeys.
Introduction
Did you know that the first digital password ever used dates back to 1961?
It was demonstrated by Professor Fernando Corbató on the MIT Compatible Time-Sharing System (CTSS). We mention this merely as a reminder that humanity has relied on passwords for over 60 years.
It’s a bit like using a horse and cart on the M25: charmingly retro, perhaps, but hardly the most efficient or secure way to travel. We’ve all been there: forgetting them, resetting them, writing them down on a sticky note (and swearing to never do it again). But with cyberthreats on the rise pretty much everywhere, relying on passwords alone is like locking your front door with a paperclip. Not exactly Fort Knox, is it?
The truth is, and this isn’t the first time we’ve said this, that passwords are weak. They’re easily guessed, stolen in phishing attacks, or cracked through brute-force methods. And for UK organisations, the consequences of a data breach can be hard to come back from.
That’s where FIDO2 and YubiKeys come in.
Here’s what you need to know about these passwordless technologies.
What is FIDO2?
In a nutshell, FIDO2 (Fast Identity Online) is a set of open standards that enable passwordless authentication and login.
The main goal of FIDO2 is to move from knowledge-based authentication to possession-based authentication. To achieve this, FIDO2 delivers a digital “handshake” that verifies a user’s identity without the need for a typed password. Microsoft 365 passkeys are a great example of FIDO2 in action.
So, instead of just relying on something you know, i.e. a password, FIDO2 asks users to provide:
- Something you have, like a physical security key such as a YubiKey (which we’ll get to shortly).
- Something you are, like a fingerprint or facial recognition on your device.
This multi-factor approach makes it incredibly difficult for cybercriminals to gain access to a user’s accounts.
And here’s the clever bit: FIDO2 uses public key cryptography. Your authenticator keeps a private key to itself and proves it holds that key by signing each login request, while the website stores only the matching public key. This means that your sensitive authentication information is never stored on a (potentially accessible) server, making it virtually immune to large-scale data breaches.
Types of FIDO2 authenticators
At the heart of the FIDO2 concept is the idea of possession-based authentication, which relies on having a physical key of some sort.
Right now, there are two different types of authenticator available to use with the FIDO2 specification:
- Platform authenticators: These are built into your device, such as the fingerprint reader on your laptop or the Face ID on your iPhone. They’re convenient because you don’t need to carry around an extra device, but they’re also less secure than roaming authenticators.
- Roaming authenticators: These are physical devices, a bit like USB sticks, that you can use to authenticate yourself on pretty much any device. They’re more secure than platform authenticators because they aren’t tied to a specific device.
So… what’s a YubiKey?
Despite the unusual name, the YubiKey is actually a great example of a roaming authenticator. It’s a small, USB-based hardware security key that essentially acts as a password but in physical form.
The behind-the-scenes mechanics of the YubiKey are very similar to passkeys: a private key is stored on the YubiKey, and when you log in the website verifies it using the matching public key.
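How the private key on the authenticator and the public key held by the website work together at sign-in, as an added example (not Yubico's or the FIDO Alliance's code). It is a simplified model: real WebAuthn uses binary, CBOR-encoded structures rather than JSON, and the function names and example.com/example.net origins are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of FIDO2 sign-in, not the WebAuthn wire format.
const nodeCrypto = require("crypto");

// Registration: the key pair is created on the authenticator; only the public key is sent out.
function register() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { authenticator: { privateKey }, serverRecord: { publicKey } };
}

// Website: issue a fresh random challenge for every sign-in attempt.
function newChallenge() {
  return nodeCrypto.randomBytes(32).toString("hex");
}

// Authenticator (after the user's touch): sign the challenge plus the origin the browser reports.
function signAssertion(authenticator, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = nodeCrypto.sign("sha256", Buffer.from(clientData), authenticator.privateKey);
  return { clientData, signature };
}

// Website: accept only its own challenge, its own origin, and a signature from the stored public key.
function verifyAssertion(serverRecord, expectedChallenge, expectedOrigin, assertion) {
  let data;
  try { data = JSON.parse(assertion.clientData) || {}; } catch { return "malformed"; }
  if (data.challenge !== expectedChallenge) return "challenge-mismatch";
  if (data.origin !== expectedOrigin) return "origin-mismatch";
  const valid = nodeCrypto.verify("sha256", Buffer.from(assertion.clientData),
    serverRecord.publicKey, assertion.signature);
  return valid ? "ok" : "bad-signature";
}

// Constructed scenario; the origins are placeholders.
function runDemo() {
  const site = "https://login.example.com";
  const { authenticator, serverRecord } = register();
  const c1 = newChallenge();
  const genuine = signAssertion(authenticator, c1, site);
  const lookalike = signAssertion(authenticator, c1, "https://login.example.net");
  const otherKey = signAssertion(register().authenticator, c1, site);
  return {
    genuine: verifyAssertion(serverRecord, c1, site, genuine),
    lookalikeOrigin: verifyAssertion(serverRecord, c1, site, lookalike),
    replayed: verifyAssertion(serverRecord, newChallenge(), site, genuine),
    differentKey: verifyAssertion(serverRecord, c1, site, otherKey),
  };
}

console.log(runDemo());
```

The website's record contains nothing that can be used to sign in elsewhere, and a response produced for another origin or an earlier challenge is rejected even though the signature itself is genuine.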
Using a YubiKey is also very straightforward. When you log in to a website or application that supports FIDO2, you simply plug in your YubiKey via USB, then physically tap the key with a finger. This confirms that you’re physically present and authorised to access the account. There are no passwords to remember and no complicated codes to type in; it’s just touch and go.
YubiKeys come in various shapes and sizes, including USB-A, USB-C, and even near-field communication (NFC) models for mobile devices. This means there’s a YubiKey to suit almost any device you use, from laptops and desktops to smartphones and tablets.
Why does passwordless matter for organisations?
So, it’s clear that passwordless tech works well and is already available, but why should UK businesses like yours ditch the passwords and embrace FIDO2 and YubiKeys?
Outside of the stuff we’ve already covered, here are a few other reasons:
- Better cybersecurity: FIDO2 is incredibly resistant to phishing, man-in-the-middle attacks, and other common cyber threats. This means your business data is much safer.
- A more productive team: No more time wasted resetting forgotten passwords. Employees can log in quickly and securely, getting on with the important stuff.
- Lower IT costs: Fewer password-related support tickets mean less time and money spent on IT troubleshooting.
- Streamlined compliance: Using strong authentication can help your business meet various security standards and regulations, like the NCSC’s Cyber Essentials.
Ready to go passwordless? We can help
Implementing FIDO2 and YubiKeys might sound daunting, but it doesn’t have to be. Get Support can help you every step of the way, from choosing the right YubiKeys for your business to setting them up and providing ongoing support. We can help you integrate FIDO2 with your existing systems and provide training for your staff to ensure a smooth transition to a passwordless world.
To learn more about going passwordless with your business, just ask your Get Support Customer Success Manager, or call us on 01865 594000.