Hi, I'm Oleg Naumenko, CEO of Hideez and a member of the FIDO Alliance. Every day, my team and I work to build secure and easy-to-use passwordless access systems.
Once, I experienced firsthand what a cyberattack is like: hacked accounts, a zeroed-out card balance, and lost access to email. It wasn't just an unpleasant experience; it was a cold shower for me, making me think about how much in life we rely on such an unreliable thing as passwords.
In this article, I will share why abandoning passwords is becoming a must-have for modern businesses and whether it is possible to get rid of them completely.
Where did the idea for passwordless authentication come from?
The main reason behind most hacked accounts is trivial: simple passwords reused across every account. Realistically, nobody can remember unique, strong passwords for hundreds of services. It was this problem that prompted me to look not for a “patch,” but for a completely new digital security architecture — one without weak links such as passwords.
Founding PocketBook in 2007 was a key lesson for me: technology should work for people, simplifying life, not complicating it.
Later, the PocketBook team — Denis Zaliznyak and a few engineers — and I founded Hideez. Using our knowledge of cryptography and firmware, we wanted to create a device that would securely store passwords. This is how Hideez Key was born — a physical token that provided secure access to accounts without the need to remember dozens of complex combinations.
Hideez Key combined hardware encryption with local data storage. It worked autonomously, without a connection to the cloud. This eliminated the risks of centralized password storage and became a starting point for us in creating decentralized identity verification solutions.
What are the key mechanisms behind Hideez solutions?
Public-Key Cryptography
FIDO2 uses a pair of keys: a private and a public key.
A private key is like a personal fortress. It is created right on your device and never leaves it. That device can be a built-in module in a smartphone or computer, or an external USB key, which is often used in corporate systems. The key remains under your control, and no third-party service can see it.
The public key is the server-side "mirror" of the private key. When you register with a web service (the "Relying Party", or RP), this key is passed to the server and stored there for later authentication. The server only ever sees the public part; your private key is never exposed.
When you try to log in, the server essentially gives your device a “task”: prove that you are who you say you are. Your device does this by creating a cryptographic signature with its private key. The signature is sent back to the server, which checks it against the stored public key. If everything matches, you’re in, without entering any password.
Since the private key never leaves your device, the picture is simple: no password, no password-based point of attack. And each FIDO2 key is “tied” to a specific domain. A phishing site can imitate a login page as closely as it likes, but the key will only sign for the domain it was registered with. It is this combination of autonomy and binding to the domain that makes passwordless authentication so reliable.
No shared "secrets" on the server
Traditional passwords, even in encrypted form, sit in a shared, centralized store on the server. FIDO2 private keys never leave the user’s device. This architectural approach eliminates the main vulnerability behind mass credential leakage: if the server database is compromised, attackers still cannot obtain the private keys needed to access accounts, because those keys exist only on the user’s device.
Protection against Replay Attacks
Each authentication attempt using FIDO2 is unique. The server generates a cryptographic “challenge” — a fresh set of random data that the user’s device signs with its private key. The signed response is valid only once. If an attacker intercepts it, they cannot reuse it, because the server’s next request will contain a different “challenge.”
Resistance to Man-in-the-Middle attacks
FIDO2 protects against MitM attacks by binding keys to domains. During registration and authentication, a cryptographic check confirms that the user is interacting with the expected domain. If an attacker lures the user to a phishing site, the FIDO2 device detects the domain mismatch and refuses to sign the request, so there is no usable login data to intercept.
Local user authentication
To access the private key stored on the device, the user must prove their presence with a local action. This can be biometrics (such as Touch ID), a PIN code, or a physical press of a button on a hardware key. This mechanism ensures that even if the device is physically stolen, an attacker will not be able to access the private key without the owner's confirmation.
Unique keys for each service
The FIDO2 protocol requires that a unique key pair be generated for each site or service. This means that a compromised key on one site cannot be used to access accounts on other resources. This approach eliminates the risk associated with using the same password on different sites and significantly increases overall security and privacy.
What is the basis of FIDO2?
FIDO2 is an entire ecosystem created through collaboration between the FIDO Alliance and the W3C (World Wide Web Consortium). It combines two key components that work together to enable passwordless authentication.
WebAuthn (Web Authentication API)
It is a web standard that lets browsers and operating systems “talk” to web services. WebAuthn is responsible for the data exchange: it passes the cryptographic “challenge” from the site to your device and returns the device’s signed response so the site can verify your identity. Essentially, it is a universal language that lets websites understand and use FIDO keys.
CTAP (Client-to-Authenticator Protocol)
If WebAuthn is a language for communication between a site and a browser, then CTAP is a protocol that allows your browser or OS to “talk” to the FIDO key itself. CTAP manages the interaction between the software on your device and a hardware authenticator — for example, an external USB key, a built-in fingerprint scanner, or your smartphone.
We have developed a comprehensive solution that combines our own server software, Hideez Server, with hardware tokens and a mobile application. I should say it again: the private key is generated directly on the device and never leaves it. No credentials, let alone passwords, are stored or transmitted, eliminating the risks of compromising the server database.
Biometrics become part of the cryptographic chain. The mobile application, Hideez Authenticator, turns traditional biometric authentication (such as Face ID or fingerprint scanner) into an integral element of the security chain. It acts as a FIDO2 authenticator, allowing us to integrate our solution into a Zero Trust infrastructure. This provides seamless integration with leading identity and access management platforms such as Azure AD (Microsoft Entra ID) and Okta. And with WebAuthn support and local data encryption, organizations can implement passwordless authentication without the need for physical tokens.
Technology makes the user experience simple and seamless:
One-click login
To access the system (e.g., CRM), simply verify your identity with a biometric sensor on your phone or a Hideez electronic key. This eliminates the risks of phishing and saves a lot of time.
Automatic security
Based on the Hideez Key hardware keys, we have implemented proximity authentication. Imagine: you approach a terminal on a production line and the system automatically authorizes you, and when you walk away, it instantly locks the session. This not only increases security, but also speeds up workflows.
When creating our product, we were guided by the principle that cybersecurity is not only about technology, but also about human interaction. Our solution is designed with the human factor in mind, including common errors such as losing a token or forgetting data. This is reflected in the key requirements for the system:
● Flexibility and resilience to failures. The system provides backup authentication methods and flexible access recovery options. Administrators have access to detailed analytics that allow them to track user behavior and authentication methods.
● Versatility. The solution is fully compatible with a wide range of mobile device models and operating system versions.
● Context-sensitive access policies. For the corporate segment, we have implemented a mechanism that allows you to set access policies based on context (time, geolocation, device type, user profile). This gives full visibility into every action and helps detect anomalous scenarios, in line with the requirements of GDPR, HIPAA, and NIST SP 800-63B.
● Integration into real infrastructures. We have provided easy integration with corporate environments, including Microsoft Active Directory, Entra ID, Google Workspace, as well as hybrid infrastructures. Our solution can work even in systems that do not support the FIDO2, SAML or OIDC standards.
We are convinced that the future belongs to passwordless authentication. When phishing is this widespread, the only effective response is to stop using passwords altogether. Our goal, therefore, is to make digital security not only reliable but also invisible to the end user. In my opinion, this approach will provide a qualitatively new level of protection without the need to remember complex strings of characters.
In the future, passwordless authentication will become the new norm. The next step I see is the full implementation of the Passwordless Enterprise model, where every access to a system or service in the company will be done without using passwords. The Hideez team is also actively preparing for the era of quantum computing, researching post-quantum cryptography (lattice-based, multivariate and other cryptosystems), as well as new methods of biometric verification.
Digital security must keep pace with progress. So our task is to transform it from a burdensome obstacle to a natural element of our daily lives in the digital world.
For a consultation on the Hideez solution, please contact us: moc.hcetokab%40zeedih