Authentication without Passwords?

I have been warning about the weakness of the password for a number of years.  Passwords no longer provide strong security.  Passwords are too easy to crack using automated techniques, and are stored insecurely in many environments.  Most passwords are too short, or easily guessable.  Many users reuse the same password on multiple sites.  But the password remains the most popular form of authentication among most users.  Two-factor and multi-factor authentication provides additional security, but adoption by the user community remains low.

The normal login process involves providing your identity (user name) and proof or authentication of your identity with a password.  The device, website, or network service provides authorization for the user to access the resource.  In this process, the password is usually hashed (one-way encryption) and compared to a stored password hash on the resource.  It is the theft of these stored password hash databases that constitute the main security issue for passwords.  Once the password hashes are stolen, they can be solved for plain-text through off-line brute force password cracking techniques, or used as is in various “pass the hash” exploits.

Two-factor authentication couples your password with another authentication factor.  2FA prevents anyone from logging into your accounts with only a stolen password.

Microsoft, and other companies such as Mozilla, and Google have been moving toward a password-free form of authentication called WebAuthn.  Recent versions of popular web browsers Edge, Firefox, and Chrome all support WebAuthn.  WebAuthn conforms with the FIDO Alliance and CTAP (Client To Authenticator Protocol).  On November 20th, 2018, Microsoft rolled WebAuthn out for 800 million Microsoft account holders to login without a password to Outlook, Office365, Skype, and Xbox Live.  Password-free authentication methods include biometrics such as finger prints or facial recognition, or devices such as the YubiKey or Google’s Titan.

WebAuthn uses public key cryptography. This uses an encryption key pair, a public key, which you can give to a website, and your private key, which never leaves your possession.  Only information locked using your private key can be unlocked using your public key.  In authentication, the website or other service generates a very large random number called a challenge.  Your private key is used to encrypt the provided challenge, and the website uses your public key to decrypt the challenge.  If the result matches what they sent you, authorization occurs and access is granted.

Password-free encryption looks to provide a truly secure form of authentication without the extra step of two-factor authentication.  The difficulty for most users will be creating and managing the public /private key pair, and securing their private key.  I see WebAuthn as a great step forward, with some adoption issues, and I’ll be looking for opportunities to set it up and use it myself.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
  Related Posts

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.