I have been warning about the weakness of the password for a number of years. Passwords no longer provide strong security. Passwords are too easy to crack using automated techniques, and in many environments they are stored insecurely. Most passwords are too short or easily guessable, and many users reuse the same password on multiple sites. Yet the password remains the most popular form of authentication among most users. Two-factor and multi-factor authentication provide additional security, but adoption by the user community remains low.
The normal login process involves providing your identity (a user name) and proof, or authentication, of that identity with a password. The device, website, or network service then provides authorization for the user to access the resource. In this process, the password is usually hashed (passed through a one-way function) and compared to a stored password hash on the resource. It is the theft of these stored password hash databases that constitutes the main security issue for passwords. Once the password hashes are stolen, they can be recovered as plaintext through offline brute-force password cracking, or used as-is in various “pass the hash” exploits.
Two-factor authentication (2FA) couples your password with another authentication factor. 2FA prevents anyone from logging into your accounts with only a stolen password.
Microsoft and other companies, such as Mozilla and Google, have been moving toward a password-free form of authentication called WebAuthn. Recent versions of the popular web browsers Edge, Firefox, and Chrome all support WebAuthn. WebAuthn conforms with the FIDO Alliance standards and CTAP (Client To Authenticator Protocol). On November 20th, 2018, Microsoft rolled WebAuthn out for 800 million Microsoft account holders to log in without a password to Outlook, Office365, Skype, and Xbox Live. Password-free authentication methods include biometrics such as fingerprints or facial recognition, or devices such as the YubiKey or Google’s Titan.
WebAuthn uses public key cryptography. This relies on a key pair: a public key, which you can give to a website, and a private key, which never leaves your possession. Only information locked using your private key can be unlocked using your public key. In authentication, the website or other service generates a very large random number called a challenge. Your private key is used to encrypt the provided challenge, and the website uses your public key to decrypt the response. If the result matches the challenge it sent you, authentication succeeds and access is granted.
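The challenge-response flow described above, as an added example in Go (this is not code from the post or from any WebAuthn implementation). In practice the private-key operation is a digital signature rather than encryption, and real WebAuthn signs the challenge together with client and authenticator data; this simplified version keeps the private key inside an `Authenticator` type, stores only the public key on the website side, and issues a fresh random challenge per login. All type and function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device: the private key is generated here and never leaves.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// NewAuthenticator is the registration step: a fresh P-256 key pair (one per site in real WebAuthn).
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only thing the website receives and stores at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign answers a login challenge with an ECDSA signature over its SHA-256 hash.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// NewChallenge is the website's side: 32 random bytes, fresh per login, so a captured
// response cannot be replayed against a later login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// VerifyResponse is the website's check: the stored public key must validate the
// signature over exactly the challenge that was issued for this login.
func VerifyResponse(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	auth, _ := NewAuthenticator()    // registration
	challenge, _ := NewChallenge()   // website issues a challenge
	sig, _ := auth.Sign(challenge)   // device answers with its private key
	fmt.Println("login accepted:", VerifyResponse(auth.PublicKey(), challenge, sig))
}
```

Note that a stolen copy of the website's database yields only public keys, which cannot be used to answer a future challenge.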
Password-free authentication looks to provide a truly secure form of authentication without the extra step of two-factor authentication. The difficulty for most users will be creating and managing the public/private key pair, and securing their private key. I see WebAuthn as a great step forward, with some adoption issues, and I’ll be looking for opportunities to set it up and use it myself.