It’s Time to Kill the Password

According to Microsoft, passwords have been there since the early days of computing, and they have outlived their usefulness. The other cumbersome activity is remembering them regularly or changing them into complex alphanumeric strings that are hard to remember. It is not the best of the security solutions.

For decades the computer industry focused on securing the devices. This model now needs a makeover. Securing devices is vital these days, but it is not enough as there is more to it. One should secure information of the individuals or the users using the device.

Trying to understand the vulnerability from a layman's point of view

Suppose one had some valuable jewelry stashed away in a safe somewhere and wants to access it. The owner sends someone else to get it. The only way to open the safe is to give the locker code to the person who will open it for the owner. The code is written on paper, put in an envelope, closed, and handed to that person. The person has to go all the way down the street to get to the safe. On the way, the code could be lost or stolen. Or the person trusted to get the valuables commits fraud and decamps with the jewelry.

Will anyone want this kind of security? No. It does not seem secure, as the problem here is that the code handed over became the shared secret. It is the same problem with passwords.

When you need to log in to a website to access your bank account or an email, you type the password sent to the server to tell that you are that person claiming to be the account holder. A password is the only protective thing standing between the bank account, email, or any other sensitive data. So, if the hacker manages to get hold of the password by either stealing it or guessing it because the password was weak, they can breach the system and access the data.

Statistics reveal that stolen or weak passwords cause 80% of all hacking activities.

Passwords are the gateway to your critical data

No matter how many locks or how heavy they are, putting them on house doors is useless if one door is left open. A theft can cause extensive damage, and other locks will be of no use. Nowadays, we all have multiple accounts in our systems, such as our organizations or business portal, bank accounts, multiple email accounts, various social media accounts, and many more. If one weak password gets compromised and one has repeated the same password across accounts, it compromises the other security measures.

Passwords Managers help keep data more secure. However, they cannot prevent passwords from getting stolen through phishing attacks. This risk, however, can be minimized by using 2 -Factor Authentication (2FA). The increase in cybercrimes, especially in the last decade, prompted greater awareness. Hence, it resulted in the 2FA from 28% in 2017 to 53 % in 2019.

However, 2FA is still not robust against sophisticated phishing attacks. Users even add to the problem as they continue to use weak passwords. The main reason cited for this behavior is convenience.

So how does one stop sharing their secrets?

If passwords are secret and meant to be so, the best way is to stop sharing them. But while we consider sharing with another person as a risk, the problem is that we do not realize that we are sharing our passwords with the web app where we are login in, and we do not have an option. We know the risks involved, yet we go ahead; otherwise, we can’t carry out further operations.

The solution from Web Authentication

Web Authentication eliminates the need for a password. It uses asymmetric encryption, consisting of a key pair with a private key and a public key. A public key used for encrypting something can only be decrypted with a corresponding private key.

For example, if you want to send a secret message to someone. The message is kept in a box with a key and locked. However, it cannot be unlocked by the sender. The box in which the message gets stored in the public key, and the key that can open the box is the private key. One can freely distribute copies of the public key to anyone. In this case, the box will be locked only, and the secret message sent to the intended sender won't get revealed without the corresponding private key. So, the private key remains a secret. It is not shared with anyone. This mechanism is the foundation of WebAuthn.

How does WebAuthn works?

WebAuthn allows one to log in to a website using hardware devices such as a USB Security Key, Windows Hello, or the Apple TouchID. These are known as authenticators, and they store a new key pair known as credentials which involve a private key and a public key. These credentials help to register with a website. After registration, the credentials are retrieved by the authenticator to log in the user to the website.

The user instead of sending the password to the server, the server sends a random string. It is to challenge the user. The user signs this challenge with his private key, which produces a hash. The users send this challenge hash back to the server with the corresponding public key. The server verifies this hash with the public key, proving that the user has the corresponding private key, and thus the authentication becomes successful.

In this process, no secrets get hared. The database storing the public keys is no longer significant to the hackers.

Conclusion

Web authentication is a reliable and safe authentication mechanism. It eliminates the use of passwords and relieves users from memorizing them