TYMLEZ Authentication: Keeping up with technology

The Curse of Passwords in a Digitalizing World

The latest TBSP release on GCP lets users enable FIDO U2F as second-factor protection alongside the user password.

For the next release of TBSP, TYMLEZ intends to implement the passwordless authentication option for FIDO2-enabled authenticators.

The majority of authentication systems today still rely on a username/password system. In the ideal case, passwords are complex secret words that must be stored server side in an encrypted manner. The user must provide this password to access an online service. However, passwords are extremely vulnerable to several types of attacks. Their strength depends on their complexity, and each password should be used for only one account and changed every now and then.

In an increasingly digital world, more services are being offered online, and users end up creating a new account for each system. As a result, password management is becoming increasingly complex, and the average user needs simplification and therefore new solutions.

Public Key credentials for authentication

Public key credentials are based on public/private key pairs. The private key is a secret that only the owner of the key pair can provide.

  • Public keys are linked to a user at signup. They don’t need to remain secret, since they only serve to prove the possession of a related secret.
  • Private keys are used to prove identity at authentication, in the form of a digital signature over a random challenge. The digital signature is verified server side, using the user’s registered public key. If the signature is valid, the user is authenticated.

While the strength of a password-based authentication system relies on static server-side secrets, public-key credentials rely on dynamic proofs generated client-side. This means:

  • No sensitive information is sent to or stored on the server, and
  • Signed challenges (as opposed to passwords) cannot be reused to gain access, since every new login attempt is linked to a new random challenge.

By adopting public-key-based credentials, authentication systems do not need extra layers of security for the public key credentials database, as they do for password storage. A hacker who has a number of public keys cannot use them to access the system, since he requires the private keys to sign the authentication challenges. Nonetheless, the challenge remains for a user to keep his signing entity protected.

FIDO2: Future of Authentication

The FIDO Alliance is an open industry association founded in 2013. It focuses on authentication protocols based on public key cryptography to reduce/eliminate the world’s dependence on passwords. It has published several sets of specifications, like:

  • FIDO Universal Second Factor (FIDO U2F): Devices implementing the FIDO U2F specifications can be used as second-factor protection together with a password. These are mostly hardware devices that can be plugged in via USB (or connected via NFC or Bluetooth) and request a user presence gesture (like touching the device). This protocol has since been relabeled Client to Authenticator Protocol 1 (CTAP1).
  • FIDO2: Comprises FIDO Client to Authenticator Protocol 2 (CTAP2) and W3C’s Web Authentication (WebAuthn) standards.

CTAP2 extends CTAP1 to enable passwordless authentication. This is done by introducing device-side authentication using a PIN or biometric function to unlock the FIDO key store. As a result, users no longer have to generate and manage several complex (and difficult to remember!) passwords, since:

  1. A single FIDO2 authenticator protected with a single PIN/biometric can be registered with as many online systems as required.
  2. Privacy is preserved: every credential is different and two credentials cannot be linked together in any way, so they cannot be used to track users across different accounts.
  3. Secrets to unlock FIDO2 Key Stores never leave the client, so they cannot be stolen.

Online services are encouraged to allow users to register all of their authenticators, which can be:

  • Platform-specific: built into the computer/mobile device. For example, Windows 10, from version 1809, provides the Windows Hello FIDO2 authenticator. The latter can be configured to use either a PIN or biometrics (fingerprint or face recognition) as its protection mechanism.
  • Cross-platform: independent hardware devices, such as the eWBM biometric device and PIN-protected fifth-generation YubiKeys, that are plugged in via USB or can communicate via NFC or Bluetooth (model-dependent).

Users are encouraged to take advantage of both types and register multiple FIDO2 authenticators. This way, they can use the most convenient one depending on their situation and have account recovery capability in the event one is lost, stolen or damaged.

The W3C WebAuthn standard has already been implemented by most internet browsers. It provides an automatic communication channel between web clients and FIDO2 authenticators.

In order to integrate FIDO2 into an existing web application:

  1. The web server needs to be modified to enable registration and storage of public key credentials, generation of random challenges for users at every login attempt, and validation of digital signatures of those challenges with their registered public keys for granting access.
  2. The web client needs to be modified to request a challenge from the server when the user logs in, use the WebAuthn functionality provided by the browser to locally connect to and unlock the authenticator, obtain a signature for the challenge, and send it back to the server for validation.
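
The challenge-response login described in the public key credentials section and in the two integration steps above, as an added example that is not TYMLEZ or TBSP code: a Node.js model of the server-side checks, with the browser and authenticator replaced by a stand-in signing function. It follows the WebAuthn assertion layout (a signature over the authenticator data plus the SHA-256 of the client data); RP_ID, ORIGIN, the in-memory maps and all function names are assumptions.

```javascript
// Added example: simplified WebAuthn-style login check, not TBSP code.
const crypto = require('node:crypto');
const RP_ID = 'example.test';          // assumed relying-party ID
const ORIGIN = 'https://example.test'; // assumed expected web origin
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
const credentials = new Map(); // userId -> public key registered at signup
const pending = new Map();     // userId -> challenge issued for this login attempt

function register(userId, publicKey) { credentials.set(userId, publicKey); }

// Server: a fresh random challenge for every login attempt.
function issueChallenge(userId) {
  const challenge = crypto.randomBytes(32).toString('base64url');
  pending.set(userId, challenge);
  return challenge;
}

// Stand-in for browser + authenticator: signs authData || SHA-256(clientDataJSON).
function signAssertion(privateKey, challenge, origin = ORIGIN) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const authData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05]), Buffer.alloc(4)]); // flags UP|UV, signCount 0
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Server: check challenge, origin, RP ID hash and user presence, then the signature.
function verifyAssertion(userId, { clientDataJSON, authData, signature }) {
  const publicKey = credentials.get(userId);
  const expected = pending.get(userId);
  pending.delete(userId); // single use: a captured response cannot be replayed
  if (!publicKey || !expected) return false;
  let client;
  try { client = JSON.parse(clientDataJSON.toString('utf8')); } catch { return false; }
  if (client?.type !== 'webauthn.get' || client.challenge !== expected) return false;
  if (client.origin !== ORIGIN) return false;
  if (authData.length < 37 || !authData.subarray(0, 32).equals(sha256(RP_ID))) return false;
  if ((authData[32] & 0x01) === 0) return false; // user-presence (UP) flag must be set
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, signature);
}

// Constructed demo: one valid login, then a replay of the same response.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  register('alice', publicKey);
  const response = signAssertion(privateKey, issueChallenge('alice'));
  return [verifyAssertion('alice', response), verifyAssertion('alice', response)];
}
console.log(demo());
```

The server stores only the public key and a short-lived challenge, so a leaked credentials map gives an attacker nothing to sign with, and the deleted challenge is what makes the second verification fail.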

Blog written by:

Lilian Villarin

Blockchain researcher and developer with a strong background in data analysis