Passwords, however important, are seldom liked by anyone. Whether you are an advanced user, a developer or a casual Android or iPhone user, nobody likes to type in passwords. Despite all the advances in technology and the promises made over the past half-century, no replacement for the password has come into existence so far.

One nuisance about passwords is having to create a complicated string of letters, numbers and symbols; having to remember it just tops it off. So many of us prefer simpler passwords that are easier to remember but also far easier for attackers to break.

For a similar reason, almost none of us enjoys entering a password every time we log in, and most of us find it convenient to use social logins instead. We end up using the identity from one app or website for other apps as well, linking all our identities together. Basically, when we use federated logins, we agree to trust that website to keep our data secure and respect our privacy, and that depends entirely on the website’s own security.

What are the benefits of social logins?

  • Quick sign up to a website or app
  • A uniform process to log into any site
  • Fewer web apps to deal with

What are the advantages of social logins for developers?

  • Free logins
  • Gives the app more exposure
  • Third-party verification slows down spam attacks
  • Mitigates failed login attempts
  • Removes the problem of ‘forgotten password’ incidents
  • Best suited for social apps, since they need social login anyway

Why should social logins be avoided?

  • Changes made to the external platform can restrict a person from using third-party services that depend on it
  • The third party can mine the data and might reveal user data
  • If the third party can’t keep its platform secure and its data is exposed, your data is also under threat
  • Social logins compete with your own brand identity, for example by showing Facebook or Google logos in your login forms

How have password managers saved us?

For sixty years technology experts have been trying to devise a solution that removes passwords from our lives, but no such promise has been kept to this day. Password managers are a result of that same series of attempts. They have certainly made life easier, as they provide many services at once:

  • All your passwords are kept in one place in encrypted form
  • Generates strong passwords
  • Log you into sites automatically
  • Stores payment information
  • Online payments are made easier
  • You no longer have to remember passwords

There is no denying that password managers do create complex passwords for you. However, using malware that targets PC RAM and some fairly standard memory forensics, attackers could still theoretically extract a plaintext master password, or individual credentials, from password manager tools on Windows 10 and then use them to breach the password managers.

And despite all the comfort password managers have brought to our lives, the fact remains that we still haven’t got rid of passwords. Even with a password manager, we still have to create the passwords that are stored in it.

There is another major potential risk with password managers. When all of your passwords are stored in one place, all of them are exposed to a threat simultaneously. If an attacker obtains your master password, they gain access to all your passwords without any further effort, which puts you at a much greater security risk.

Imagine you didn’t have to remember passwords at all. Wouldn’t that be a dream come true?

After sixty years of waiting and constant attempts, a solution has finally appeared.

This new technology, called Web Authentication (also known as WebAuthn), is built upon long-established cryptographic principles, is supported by most native devices, and frees the user from having to remember passwords.

WebAuthn: A Promise to a Password-free Future

WebAuthn aims squarely to replace the passwords of your online accounts. Many browsers, such as Edge, Chrome and Safari, support WebAuthn. Its specification is written by the W3C (World Wide Web Consortium). WebAuthn is rapidly gaining recognition across the world, and many individuals and companies are adopting the technology.

How will end users benefit from WebAuthn?

To use WebAuthn, the user needs either an external security device, such as a FIDO2 security key, or an internal authenticator, such as a fingerprint reader, facial recognition or another biometric mechanism, to log into the service. With these methods you can log into as many apps as you like and create as many identities as you wish, each one unique and distinct from the previous one.

Each identity you create through WebAuthn is a virtual one, with no connection to any of the identities you previously created for other apps. This alone is a huge leap for privacy on the net.

Compared to the weak passwords that many people create and use for online websites, WebAuthn is far more secure.

Why? Because passwords are shared secrets that, even when hashed, can be stolen and used against other apps. With WebAuthn, even if the public keys get stolen, they are useless to an attacker. With WebAuthn you don’t have to remember a string of characters as your password, so there is no risk of forgetting a complex password when you never had to create one in the first place.

A great deal of the motivation behind the development of WebAuthn was to reduce the dependence on passwords and on authentication methods that are easily phished.

WebAuthn: An open standard

WebAuthn is an open standard for creating and accessing new key credentials, and it is available to everyone. Individuals can create their own security key for the internet. WebAuthn has literally introduced us to a realm of freedom: freedom from passwords. When WebAuthn arrived, websites had to integrate it before its benefits could be enjoyed in full. Passwordless login is still ahead of us, but companies like Dropbox are already taking advantage of WebAuthn to add second-factor authentication, and Microsoft went a step further and enabled WebAuthn natively in the Edge browser. Several websites and platforms have now integrated WebAuthn, which has made for a far better end-user experience.

Google, Microsoft, Yubico, MasterCard, Bank of America and other renowned organizations came together to create a solution that frees us all from passwords. They had been working on it since 2013 and eventually created WebAuthn; the project was named FIDO2. Developers can now offer their users a password-free experience, because all the components are already there and can be combined with other technologies or used on their own.

How can existing authentication work along with WebAuthn?

Besides external security keys such as YubiKeys, Web Authentication also lets users use their existing authenticators, such as a phone’s facial recognition, fingerprint scanner or retina scanner. You can use these local authenticators with WebAuthn to unlock your machine and to create and authenticate your identities. WebAuthn together with these technologies can be used to add two-factor authentication to websites, or as the primary authentication mechanism.

Using WebAuthn involves two steps: registration and authentication. Once registered, users can authenticate (log in / sign in) with WebAuthn. Registration involves creating a new key pair and an attestation, whereas authentication does not require information about the user and the relying party again. Rather than creating an attestation, authentication produces an assertion using the key pair generated earlier.

What has Web Authentication changed?

Over the past few years, many companies have started to shun traditional passwords and shift to comparatively more secure ways of authenticating. These methods include biometrics, SMS verification, OTPs, security keys and more.

Web Authentication is a specification that lets users log into sites using these methods. It has brought a solid authentication mechanism that both authenticators and web browsers can implement. A great number of users can now use Web Authentication after the release of Firefox 60 and Chrome 67, and authenticators such as the YubiKey already work with the current implementations by supporting the necessary protocols.

For those who choose to use WebAuthn, there is no need to create and remember a password.

Plus, they can create separate identities for different sites and apps. With that in view, we are now looking towards a future in which passwords are recognized as something from the days of yore.

This article is based on the Security Weekly podcast Hack Naked News, episode #218, with Paul Asadoorian and guest Marcin Szary. You can watch the full episode here.

Marcin Szary & Paul Asadoorian talk about Web Authentication.