Password-free authentication – FIDO2 and WebAuthn

Lost Token?

One inherent problem is the loss of a token, which raises the question of what recovery functions are offered by the online store. Even before WebAuthn, crypto guru Bruce Schneier warned [21] that any service that implements security questions (e.g., asking for the mother's maiden name to reset the password) can also dispense with password rules.

With WebAuthn, only a new account – creating a new credential with a new token – seems to be the solution. How the operators put this into practice will probably only be shown by implementations on bank and credit card sites, which is where you separate the chaff from the wheat today (e.g., with requirements for passwords or online banking procedures).

Compared with the long-known vulnerabilities of the popular mobile transaction authentication number (mTAN) method [22], however, FIDO2 is a great achievement with a huge amount of potential. The new standard is also unlikely to remove completely the need for web users to use passwords, TANs, and cryptographic keys.


  1. Fido the dog:
  2. Abraham Lincoln's dog:
  3. FIDO Alliance:
  4. Fidonet:
  5. FIDO Alliance members:
  6. Yubico:
  7. EMVCo:
  8. W3C WebAuthn standards:
  9. Vision of the FIDO Alliance:
  10. Firefox and WebAuthn:
  11. Chrome, Edge, and WebAuthn:
  12. Instructions for Mozilla and WebAuthn:
  13. FIDO Alliance developer resources:
  14. Google's developer resources for FIDO:
  15. Yubico Python script:
  16. Report from the RSA conference:
  17. YubiAuth LDAP setup:
  18. CTAP with LDAP:
  19. FIDO2 server:
  20. StrongKey appliance:
  21. "The Curse of the Secret Question" by Bruce Schneier:
  22. mTAN:

The Author

Markus Feilner has worked with Linux since 1994 as an author, trainer, consultant, and journalist. Today he heads the documentation team at Linux Distributor SUSE in Nuremberg, Germany.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • FIDO Alliance Formed to “Revolutionize” Online Authentication

    Forget passwords – several Internet companies have formed the FIDO (Fast IDentity Online) Alliance, which they say will replace passwords with safer and easier to use authentication methods.

  • Industry Giants Announce a Fix for the Password Mess

    FIDO alliance declares the beginning of the end for old-style login authentication.

  • OpenSSH Now Supports FIDO/U2F Security Keys

    SSH users can now add FIDO/U2F to the list of supported multi-factor authentication tools.

  • Linux News

    Jailbreak Spat

    • White House goes on record in support of freedom to jailbreak cell phones
    • News Bites

    10 RHEL 6.4 Released

    • Yahoo ends telecommuting,
    • Canonical UDS
    • LG purchases WebOS from HP

    11 Passwords Passé

    • FIDO alliance seeks new authentication methods
    • Largest Mersenne prime discovered
  • NEWS

    In the news: Zorin OS 15.2 Now Available; Firefox to Get an Additional Sandbox Layer; Microsoft Defender ATP is Coming to Linux; South Korean Government Considers Move to Linux Desktop; OpenSSH Now Supports FIDO/U2F Security Keys; and System76 Launches New AMD Threadripper Machine.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More