Exploring FIDO2 Functionality on the SwissPass Card: A Comprehensive Review with Testing Insights

Dr. Emin Huseynov
4 min read · Jan 26, 2024


SwissPass (new generation)

The SwissPass card has become an integral part of Switzerland’s public transportation system, offering users a convenient and unified way to access various services. In recent times, the SwissPass card has introduced FIDO2 functionality, adding an extra layer of security to the user experience. When I learned about this feature, I couldn’t help but think about how cool it is for any Swiss public transport user, like myself, to be able to use it as a secure authentication device that we carry anyways. Unfortunately, after testing, it turned out not as ideal as I imagined.

In this article, I will delve into the FIDO2 features of the SwissPass card, examining its strengths and potential areas for improvement.
Please note that FIDO2 functionality is introduced in the latest generation of SwissPass cards, approximately those issued in 2022 or later.

Description of new features on SwissPass’s website (screenshot taken on 25/01/24)

Despite SwissPass’s claim of supporting the FIDO standard for secure online login across various services like Facebook, Google, and Microsoft Office 365, my tests revealed a discrepancy. Not all of these services actually fully support SwissPass’s FIDO2 feature, highlighting a potential gap between the stated information on the website and the practical implementation of this security standard.

NFC Reader Requirement

Before dissecting the platform-specific tests, it’s paramount to highlight the crucial role of a reliable NFC reader in facilitating secure communication between the SwissPass card and the authentication system (NFC is the only interface the card has). Throughout my testing, the SwissPass card demonstrated unstable communication with some NFC readers (such as the ACS ACR122U). Once I switched to a better reader, the authentication process was seamless. Using NFC with an iPhone (I used an iPhone 15), however, still caused issues.

Technical Details about SwissPass FIDO2 Authenticator

  • AAGUID: 37fecf7b87a6a14ebefe42ff4412fa27
  • Common Name: SwissPass FIDO
  • Organization: SBB
  • Organization Unit: Authenticator Attestation
  • Certificate Valid From: October 21, 2021
  • Certificate Valid To: October 22, 2031

FIDO Certification status

The product is not listed as a FIDO-certified product according to the official FIDO Alliance certification registry, and it is also not present in the Metadata Service (MDS) database. This absence from certification records may be the source of many problems and compatibility issues, which we will describe in more detail later.
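To make the link between the attestation details above and the compatibility results concrete, here is an added example (not code from the article or from SwissPass/SBB) of what a relying party does at registration: it parses the AAGUID out of the WebAuthn authenticatorData and applies a policy that either tolerates an authenticator missing from the FIDO Metadata Service or rejects it. The MDS table is a constructed placeholder with a single made-up entry, and the attestation record is constructed in code using the AAGUID listed in the article.

```python
import hashlib
import struct
import uuid

# AAGUID taken from the SwissPass attestation certificate details in the article
SWISSPASS_AAGUID = uuid.UUID("37fecf7b87a6a14ebefe42ff4412fa27")

# Constructed stand-in for the FIDO Metadata Service (MDS). A real relying party
# would load the signed MDS blob from the FIDO Alliance; the entry below is a
# placeholder, and the SwissPass AAGUID is deliberately absent, as the article found.
MDS_ENTRIES = {
    uuid.UUID("00000000-0000-0000-0000-000000000001"): "PLACEHOLDER certified authenticator",
}

FLAG_UP = 0x01  # user present
FLAG_AT = 0x40  # attested credential data included


def build_auth_data(rp_id: str, aaguid: uuid.UUID, cred_id: bytes) -> bytes:
    """Construct a registration-time authenticatorData blob (constructed sample).
    Layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId.
    The trailing COSE public key (CBOR) is omitted since it is not needed here."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = bytes([FLAG_UP | FLAG_AT])
    sign_count = struct.pack(">I", 0)
    attested = aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id
    return rp_id_hash + flags + sign_count + attested


def parse_aaguid(auth_data: bytes) -> uuid.UUID:
    """Extract the AAGUID from authenticatorData, checking the AT flag first."""
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("authenticatorData too short for attested credential data")
    if not auth_data[32] & FLAG_AT:
        raise ValueError("attested credential data flag (AT) not set")
    return uuid.UUID(bytes=auth_data[37:53])


def registration_decision(auth_data: bytes, require_mds_entry: bool) -> str:
    """Policy: accept MDS-listed authenticators; uncertified ones only if allowed."""
    aaguid = parse_aaguid(auth_data)
    if aaguid in MDS_ENTRIES:
        return "accept: " + MDS_ENTRIES[aaguid]
    if require_mds_entry:
        return "reject: AAGUID %s not found in MDS" % aaguid
    return "accept: uncertified authenticator permitted by policy"
```

The same card therefore passes on a site that does not enforce attestation and fails where an MDS entry is mandatory, which is the behaviour the tests below reflect.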

Platform-Specific Testing

1. GitHub and Facebook: Worked Fine

The SwissPass card demonstrated seamless integration with GitHub and Facebook. The FIDO2 functionality effectively facilitated secure authentication processes on both platforms.

2. Randomly selected demo sites and services: Worked Fine

The SwissPass card performed well on a variety of test/demo sites and systems that did not enforce attestation. Notably, the customer area of www.token2.com worked smoothly, allowing me to register the card and later log in without any issues.

SwissPass registered as a security key in the Token2 customer area

3. Google: No Compatibility

Error when logging in to Gmail

The SwissPass card allowed enrollment on Google, indicating initial compatibility. However, during subsequent login attempts, it failed to recognize the key as enrolled. This presents a limitation when attempting to use the SwissPass card with Google services.

4. Microsoft: No Compatibility

The SwissPass card did not work with Microsoft services at all. This lack of compatibility is a notable consideration for users who heavily rely on Microsoft platforms for authentication.

5. AGOV: No Compatibility

Similar to Microsoft, the SwissPass card did not demonstrate compatibility with AGOV. Users attempting to use the SwissPass card for authentication on AGOV platforms may encounter issues.

Certification and Trust

In conclusion, while the SwissPass card functionally excels as a FIDO2 device, it falls short in achieving recognition and trust from major systems. Notably, the card has not undergone the necessary certification and verification processes with the FIDO Alliance. This lack of certification means the card is not officially “trusted” by major systems, impacting its widespread acceptance. Addressing these certification concerns will be crucial for the SwissPass card to establish itself as a recognized and reliable FIDO2 device in the broader authentication landscape. Users are encouraged to stay informed about updates and improvements that may enhance the card’s compatibility with a wider array of platforms.

Summary

The notion of using a transport card as a passkey seems convenient at first, but as discovered, it may be too good to be true. Moreover, for users holding an older SwissPass, upgrading to the latest generation with FIDO2 functionality comes at a cost of 30 CHF. Interestingly, for the same price, users can order almost three fully certified FIDO2 cards from Token2 (current price 10 CHF each). Token2 cards will work with every system without encountering the issues faced by the SwissPass card.

Token2 T2F2-NFC-Card (10 CHF)

As users navigate the landscape of FIDO2 authentication, it is crucial to consider the trade-offs between convenience, certification, and cost to make an informed decision that aligns with their specific needs and preferences.


Dr. Emin Huseynov

IT researcher focusing on multifactor authentication technologies. Academic affiliations: University of Geneva & Azerbaijan Technical University