Trust me, You Don’t Need Passwords Anymore

Mihiru Kongahage
5 min read · Dec 3, 2020
thirdspace

History of Passwords

In the early days of the internet, people used usernames and passwords to protect their data because that was the only option available, and in that era, with few accounts per person and few attackers, passwords worked reasonably well.

The history of passwords runs back to ancient Rome. Roman sentries requested a watchword from anyone entering a guarded area, and only those who knew it were allowed in. The first computer password was introduced in 1961 at MIT for the Compatible Time-Sharing System (CTSS). This is considered the first attempt to authenticate a user to a computer system, but it was not a success from a security point of view: the password file was stored in plain text, and it was disclosed soon afterwards.

Cryptographer Robert Morris addressed this with a one-way function, also known as a hashing function, that maps data to a fixed-size string from which the input is practically infeasible to recover. Passwords are passed through this hashing function before storage on servers, so a stolen password file does not directly reveal the passwords. In 1977 the Data Encryption Standard (DES) was adopted, and in 1979 Morris and Thompson published the Unix password scheme built on it, which added a per-user salt and kept stored passwords reasonably safe for nearly 20 years. The Advanced Encryption Standard (AES) later replaced DES as the encryption standard and is still in use today, while password storage moved on to dedicated slow hashes such as bcrypt, scrypt and Argon2.
Even though these inventions made stored passwords harder to crack, they do not solve the underlying problem: hashing protects the copy on the server, not a password that is typed into a phishing page, reused across sites, or guessed because it is weak. And with all these secure methods available, there are still many websites that store passwords in plain text.

Today’s Situation

In today's context, passwords come with a long list of guidelines and constraints intended to make them more secure. For instance, users are told to choose a long password combining uppercase and lowercase letters, digits and symbols, and to use a distinct password for every service. (Current guidance such as NIST SP 800-63B actually favours length and a check against known-breached passwords over composition rules, but composition rules remain common in practice.)

But how far are these solutions feasible?

Due to the exponential growth of web-based services, a single user now holds dozens or even hundreds of accounts. Choosing and remembering a distinct password for each one that satisfies all the given constraints is impractical, so people tend to pick simple passwords or reuse the same password across sites, simply because that is human nature.

Commonly cited figures illustrate the scale of the problem: approximately 2 billion passwords are stolen every year; 20% to 50% of help desk calls are password resets; an average person spends 12.6 minutes each week resetting passwords; 72% of users recycle their passwords, 17% forget passwords frequently and 31% forget them occasionally.

So by now it is pretty clear that passwords alone cannot protect us in this vastly complicated web space, and it is high time to innovate.

Solutions Available

Many solutions have been brought forward to minimize the issues mentioned above. These are the most widely used:

One Time Passwords — A dynamic code generated on, or delivered to, a device the user owns, valid for a single login or transaction and usually for only a short time window.

Password managers — An application that allows users to create, store, and manage their passwords for web services.

Multifactor authentication — A mechanism that uses more than one factor to authenticate a user to an application. Most often the username and password login is the first factor and an SMS OTP, email OTP or TOTP is the second factor. SMS is the weakest of these, since it is exposed to SIM-swapping and SS7 interception.

Magic Link — A single-use login link is sent to the user's registered email address. When the link is clicked, the user is logged in to the account without entering a password.

Although these solutions are somewhat more secure than a basic username and password login, users have to go through a cumbersome process to authenticate themselves. For example, with SMS OTP they must have their mobile phone with them. Mechanisms like email OTP or the magic link may require the user to log in to their email account, which is not safe on an untrusted device. None of them stops real-time phishing either: an attacker who proxies the login page can relay an OTP or magic link to the real site within its validity window.

The Ultimate Solution

The fundamental downside of passwords is that they are a shared secret: the server must hold the secret (or a hash of it), and the user must send the same secret on every login. That makes the server's database a target for breaches and makes the user a target for phishing, and the solutions listed above add a second secret rather than removing the first.

But what if we can store our secrets in a device that we can trust? This is where public-key cryptography also known as asymmetric cryptography comes in.

Passwordless authentication is primarily based on public-key cryptography. During registration, an asymmetric key pair is generated for the specific service: the private key is securely stored on the user's device and can only be used with the user's consent (a touch, PIN or biometric gesture), while the public key is sent to the remote server that the user requests services from. At login the server sends a random challenge, the device signs it with the private key, and the server verifies the signature with the stored public key; no secret ever leaves the device.


FIDO2 is a set of open standard specifications built by the FIDO Alliance and the W3C that enables secure passwordless authentication. It consists of WebAuthn, the W3C browser API that web applications call, and CTAP, the FIDO Alliance protocol between the browser and an external authenticator such as a security key. It is built on public-key cryptography as mentioned earlier and lets users authenticate to online services with their own devices in both mobile and desktop environments. Leading companies such as Microsoft have announced FIDO2 support for Azure AD and Windows 10 through Windows Hello, and all major browsers now implement the WebAuthn specification. If you are interested in diving deeper into the technical details, refer to the article on WebAuthn.

There are several benefits of going passwordless:

Improved Security — No shared secret is sent over the network or stored on the remote server; the server holds only a public key, so a database breach yields nothing that can be used to log in. Each login signs a fresh, single-use challenge bound to the site's origin, which defeats replay and phishing attacks.

Better user experience — Users do not need to remember passwords or go through a cumbersome process to authenticate themselves. A built-in biometric sensor or PIN unlocks the device's private key locally, and the biometric itself never leaves the device.

Scalability — A separate key pair is generated for every service, so a user can hold any number of accounts with complete isolation from one another, and no service can correlate a user's credentials with those on another site.

Low implementation cost — Since browsers expose the WebAuthn API and FIDO servers are readily available, implementations are fast and cost-effective.

Best way to go passwordless

WSO2 Identity Server provides an open-source implementation of passwordless authentication with FIDO2. Identity Server is well known for building CIAM solutions: it offers easy setup and user-friendly authentication, and it is extensible and flexible thanks to its open-source nature.

With everything said in brief, I will conclude my article and leave you with plenty to research. Here's hoping for a more secure passwordless future.
