Secure login without password – now with Windows Hello.
Conventional security keys already enable device-based user logon: they raise overall security by adding a second authentication factor and make it dynamic (the second factor is recalculated or derived for each logon). However, the regular authentication by username and password as the first factor remains unaffected, or should we say unprotected. An attacker targeting the user or his computer must therefore additionally steal the USB-connected security key or break the procedure for deriving the second factor.
There is, however, a simpler way, especially since the cryptographic procedures behind the dynamic derivation of the second factor are solid and cannot be compromised directly. The attack technique that takes less effort is known as "phishing". Here, the attacker concentrates on deceiving the user or his computer by imitating the legitimate website of the respective service, such as online banking, in form and appearance. As soon as the user lands on such a fake site without inspecting it, another trap awaits him: the login proceeds as usual, and he is prompted to enter the username, the password and even the second factor. In fact, the fake website simply contacts the original service in parallel, obtains a fresh copy of the login screen there and presents it to the user. As soon as the user supplies his credentials in good faith, including the second factor, the attack has worked: he is simply cut off from the communication and the authenticated session data is redirected to the attacker, who thus literally takes over the session and therefore the user's account without limits.
FIDO - particularly user-friendly
Besides this security aspect, two-factor authentication (2FA) still does not seem user-friendly enough to us, although it is a step in the right direction.
With the latest FIDO2 specifications, WebAuthn and CTAP, paired with a biometric fingerprint sensor, TrustKey Solutions' G-Series stands out noticeably from the competition. Not only do these products achieve the significantly higher FIDO certification level 2 in hardware alone, being immune to keyloggers, viruses, Trojans and other PC malware thanks to their isolation from the computer. They also enable secure logon without any password at all ("true passwordless experience") and thus without any user interaction, except for unlocking with the fingerprint.
This login variant is now supported by many online services such as PayPal, GitHub, Office 365 as well as the Windows 10 user login (Windows Hello).
TrustKey Solutions Inc. uses the hardened MS500 microcontroller of its parent company eWBM Co. Ltd. in all of its USB-attached FIDO2 security keys.
This microcontroller (MCU) has self-encrypting memory, a "secure boot" mechanism that verifies the authenticity and integrity of its firmware, and implements all essential cryptographic schemes directly in hardware.
Due to the ROE (Restricted Operational Environment) concept of FIDO authentication devices, personal data such as fingerprints and login credentials (which are used for the actual passwordless login) never leave the secure internal memory. Additional mechanisms, which give the TrustKey products the highest FIDO certification level known to date (L2), also secure the internal memory and protect the firmware against manipulation. The device thus "only" conducts a proof of identity towards the Relying Party (RP) in a confidential, resilient and password-free manner, such that the user only needs to authorize this process with his fingerprint. This virtually eradicates the weakest link, the human factor, from the proverbial chain, rendering even phishing unfeasible.
Authentication devices cannot be fooled easily, as they always establish an end-to-end secured connection to the respective service: the assertion they sign is bound to the origin of the site the browser is actually on, so nothing and no one can get in their way. This subtle yet critical fact, combined with the elimination of passwords and human interaction (apart from the fingerprint authorisation), makes this technology uncompromisingly attractive from every point of view.
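The origin binding that defeats the proxy-phishing attack described above, as an added example that is not TrustKey's or eWBM's code: a minimal Relying Party-side verification in Python over constructed WebAuthn assertion data. The relying party id bank.example, the origin https://bank.example, the look-alike origin https://bank-login.example, the challenge bytes and the simulated browser/authenticator function are all assumptions made for illustration; signature verification is left out because the point is the origin and rpIdHash checks.

```python
"""
Added example (not TrustKey's or eWBM's code): the Relying Party (RP) checks
that make a proxy-phishing site fail with FIDO2/WebAuthn.

The authenticator signs authenticatorData || SHA-256(clientDataJSON).
clientDataJSON is filled in by the *browser* with the origin the user is
really on, and authenticatorData begins with SHA-256(rpId). A look-alike
site therefore cannot obtain an assertion that carries the bank's origin,
and the bank rejects whatever the proxy relays. All values are constructed.
"""
import base64
import hashlib
import json
from typing import Tuple

RP_ID = "bank.example"              # hypothetical relying party id
RP_ORIGIN = "https://bank.example"  # the only origin this RP accepts


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_assertion(origin: str, rp_id: str, challenge: bytes,
                      user_verified: bool = True) -> dict:
    """Simulate what browser + authenticator return for a get() call.
    The browser, not the page script, writes `origin`; the authenticator
    prefixes authenticatorData with SHA-256(rpId) and sets the flag bits."""
    client_data = {"type": "webauthn.get",
                   "challenge": b64url(challenge),
                   "origin": origin}
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = 0x01 | (0x04 if user_verified else 0)  # UP | UV (fingerprint/PIN)
    sign_count = (1).to_bytes(4, "big")
    authenticator_data = rp_id_hash + bytes([flags]) + sign_count
    return {"clientDataJSON": client_data_json,
            "authenticatorData": authenticator_data}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> Tuple[bool, str]:
    """RP-side checks from the WebAuthn assertion verification procedure.
    Returns (accepted, reason). Signature check omitted for brevity."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Fresh per-login challenge: stops replay of an old assertion
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    # Origin binding: a look-alike domain shows up here and is rejected
    if client_data.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: %r" % client_data.get("origin")
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = auth_data[32]
    if not flags & 0x01:
        return False, "user presence not asserted"
    if not flags & 0x04:
        return False, "user verification (fingerprint/PIN) not asserted"
    return True, "ok"


if __name__ == "__main__":
    challenge = hashlib.sha256(b"constructed session nonce").digest()
    genuine = browser_assertion(RP_ORIGIN, RP_ID, challenge)
    print("genuine:", verify_assertion(genuine, challenge))
    # The proxy can only relay what a browser on its own domain produces
    phished = browser_assertion("https://bank-login.example",
                                "bank-login.example", challenge)
    print("proxied:", verify_assertion(phished, challenge))
```

Running the block prints an accepted result for the genuine assertion and an "origin mismatch" rejection for the relayed one; in a real browser the look-alike page could not even request the bank's rpId, which is a second line of defence on top of the RP check shown here.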
Our FIDO product range
TrustKey's product range comprises the G-Series with biometric fingerprint sensor (the models G310 (USB-A) and G320 (USB-C)) as well as the T-Series without fingerprint sensor, equipped with a simple touch sensor instead (the models T110 (USB-A) and T120 (USB-C)). All devices support the FIDO1 two-factor authentication specification U2F (Universal Second Factor), a (T)OTP generator (Time-Based One-Time Password, with up to 50 credential records for different Relying Parties) as well as WebAuthn (FIDO2).
This feature set will soon (early 2021) be complemented by a virtual smartcard function, including support for PGP-based e-mail encryption and digital signatures.
Incidentally, it will also be possible to apply PGP encryption and signing to files while using the FIDO devices as secure cryptographic key containers.
The T-Series has been designed as a low-cost, entry-level authentication device without a biometric sensor and is equipped with a simple touch sensor instead. Therefore, the user must set a PIN, which is then always required to confirm authentication during the login process. The range of functions is otherwise identical, and all models are of course supported by Windows, Linux and macOS.
New! The Windows Hello function
New and reserved for the G310H (USB A) and G320H (USB C) models is the Windows Hello support which enables direct user logon to the Windows 10 operating system. Windows recognizes the user via fingerprint and grants access to the user account or computer without any further interaction.
We will show you how simple and functional this application is on our YouTube Channel.