When my Friends peeked into my Social Account !!

Vivekvinushanth Christopher, published in Authenticate
7 min read, Jul 25, 2019

We need passwordless authentication, by the way: we are fatigued by passwords and tired of protecting them from jerks.

[Source: https://prefuse.org/social-engineering]

Story-1:

I am pretty conservative. At least with my passwords. How I choose my passwords is so weird: my crush’s name followed by her birthdate. And all of my passwords do follow this principle; mom’s name and birthday, or sister’s name and birthday. People who do social engineering can simply peek into my digital arena and impersonate me. But I am reluctant to change passwords as I love them and love the way they are coined. My close set of friends who know my crush’s name asked about her birthdate. And guess what, this madman had not realised that it was going to be a disaster, revealed it, and within two weeks most of my social accounts got compromised. Bloody high functioning sociopaths.

They simply got into my FB account, uploaded some weird pictures, posted things that I would regret posting on my wall and added some political comments too. It hurts me less, as they did it for fun. But it is pretty annoying. Not once or twice; they had done it ten or twelve times. I changed passwords but my psychology never changed, and hence the format of my passwords never changed. And they kept repeating the social engineering techniques to peek in.

Moral:

  • Change passwords often
  • Beware of social engineering and bloody high functioning eavesdroppers
  • Turn on multi-factor authentication/adaptive authentication (we will see them in a later blog)
  • Suggest passwordless authentication for the systems

Multi-factor authentication is leading Identity and Access Management from the front. We will definitely look into it later.

But why do we need a password plus secondary authentication if we can go 100% passwordless?

People fear change. People are pretty conservative. The changes in the world have come into existence through great rebels and bloodshed. When people said the earth is a globe, this had an impact on the churches and hence people rebelled. Whenever new inventions got introduced, people rebelled, then started accommodating them, then got addicted, and rebel again if anything new arrives. All of these modern facilities and equipment we exploit had faced this resistance, but were the fittest to survive.

In Identity and Access Management, a general DB for users had been a convenient solution for so long: ‘Centralized Identity and Access Management’. Then decentralised Identity and Access Management took over the reign. With the introduction of identity servers, the IAM use cases have been eased out.

It is obvious that IAM enthusiasts and identity providers are willing to provide passwordless authentication. But are we prepared?

Auth0 has extended support for passwordless authentication. WSO2 is keen on this, and the feature can be expected in upcoming releases.

Story-2:

I was staying in a boarding house and had the one and only key to my room, and I usually locked it while going out. I expected that no one would have a spare key. But to my dismay, my friends had made a copy of the key; they entered, consumed all of my snacks and watched movies on my wifi package, which is still breathing its last MBs. And they were sleeping peacefully when I returned from my company.

This is similar to authentication with passwords. It is possible for people to get an idea of your password (the door key in my example), peek in using it and enjoy the facilities as you do, i.e. impersonate you (enjoy snacks and use my wifi).

Passwordless authentication doesn’t mean a room without a lock. It is a door without a traditional key lock, but with strong modern locks.

Passwordless never meant no security. It just means you don’t need to remember passwords.

Fig.2. Smart Door Lock — Dynamic code

Say your boarding room has a door with a PIN-code lock, and the codes are dynamically created. If not, it is similar to the key scenario; people will get the code and use it.

  • You are registered to the system with your phone number.
  • You try to unlock the door.
  • The request is sent to the Identity Server (considering WSO2 Identity Server as an example).
  • The Identity Server checks whether the request from the door is attached to a phone number. If so, it sends a code as SMS to the attached phone number.
  • Now you can enter the code on the panel, and happily go inside.

See how dynamic it is. Though your friends try to open it, it is not possible by any means, as the code is sent to your phone.

How do we achieve Passwordless Authentication?

There are several ways in practice for passwordless authentication, and I collect some of them here. With big shots showing interest in this field, it is pretty certain that novel ideas will come in.

1. Authentication with a magic link via email:

Fig.3. Passwordless Authentication Using Magic Link
  • To enjoy a service, the user is required to provide their mail address.
  • Then a unique token is created, stored, and sent to the mail as a link.
  • When the user opens the mail and clicks the URL, they get verified and authenticated.
  • In return, the user is provided with a long-term token, and this token is stored as a browser cookie.

2. Authentication with a one-time code via e-mail:

Fig.4. Passwordless Authentication using E-mail
  • The user is required to provide an email address when requested to log in.
  • A one-time usable code is sent to the mail.
  • Then the user has to type the code received into the application.
  • The entered code gets verified, the user gets authenticated, and the session begins here.

3. Authentication with a one-time code via SMS:

Fig.5. Passwordless Authentication Using SMS
  • The user is required to provide a phone number when trying to log in.
  • Then a one-time usable code is sent to the given phone number.
  • The app can automatically detect the code received by SMS, or the user has to manually enter the code received into the app to log in.
  • The code entered is validated and the user gets authenticated.
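The door-lock scenario above and methods 1 to 3 share one server-side mechanism: issue a secret, deliver it out of band, and accept it exactly once before it expires. The following is an added example, not code from this post and not WSO2 or Auth0 code; class and function names are hypothetical, the "SMS" and "mail" are an in-memory callback, and the link host is a placeholder. It shows the checks a practitioner expects a real implementation to do: only a hash of the secret is stored, the secret is bound to the identifier it was sent to, it expires, it is burned on first success, and guesses are capped.

```python
"""Constructed passwordless challenge issuer/verifier (hypothetical names).

One class serves a door PIN sent by SMS, a one-time code sent by e-mail,
and a magic link: the difference is only how the secret is delivered.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a code or link is valid for five minutes
MAX_ATTEMPTS = 5         # assumption: wrong guesses allowed before the challenge is burned


class PasswordlessAuthenticator:
    def __init__(self, send_fn, now=time.time):
        self._send = send_fn   # delivers the secret out of band (SMS gateway, mailer)
        self._now = now        # injectable clock so expiry can be tested
        self._pending = {}     # challenge_id -> record; never holds the plaintext secret

    @staticmethod
    def _digest(secret: str) -> str:
        # Store only a hash, so a leaked table does not leak usable codes.
        return hashlib.sha256(secret.encode()).hexdigest()

    def start(self, identifier: str, kind: str = "code") -> str:
        """Issue a challenge to a phone number or e-mail address.

        kind="code": six-digit numeric code the user types in (door panel, app).
        kind="link": long random token embedded in a magic link.
        Returns the challenge id the client must present together with the secret.
        """
        if kind == "code":
            secret = f"{secrets.randbelow(10**6):06d}"
        elif kind == "link":
            secret = secrets.token_urlsafe(32)
        else:
            raise ValueError("unknown challenge kind")
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = {
            "identifier": identifier,
            "digest": self._digest(secret),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        if kind == "link":
            # Placeholder host; a real deployment would use its own login URL.
            self._send(identifier, f"https://example.invalid/login?cid={challenge_id}&t={secret}")
        else:
            self._send(identifier, f"Your login code is {secret}")
        return challenge_id

    def verify(self, challenge_id: str, identifier: str, secret: str) -> bool:
        """Return True once, for the right secret, from the right identifier, in time."""
        rec = self._pending.get(challenge_id)
        if rec is None:
            return False
        if self._now() > rec["expires"]:
            del self._pending[challenge_id]
            return False
        rec["attempts"] += 1
        ok = (rec["identifier"] == identifier
              and hmac.compare_digest(rec["digest"], self._digest(secret)))
        # Burn the challenge on success (single use) or when guesses run out.
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[challenge_id]
        return ok


def simulate_door_unlock() -> bool:
    """Door-lock walk-through: the code reaches the registered phone, not the door."""
    phone_inbox = []                                   # constructed stand-in for the SMS network
    auth = PasswordlessAuthenticator(lambda to, msg: phone_inbox.append((to, msg)))
    registered_number = "+94770000000"                 # constructed sample number
    cid = auth.start(registered_number, kind="code")
    code_from_phone = phone_inbox[-1][1].split()[-1]   # the occupant reads it off the phone
    return auth.verify(cid, registered_number, code_from_phone)


if __name__ == "__main__":
    print("door unlocked:", simulate_door_unlock())
```

A friend at the door without the phone sees nothing usable: the secret never sits in the lock, the server keeps only its hash, and even a guessed or reused code fails after the attempt cap or the first successful use.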

4. Authentication with a fingerprint/iris scanner (biometric):

This has been the fanciest way of authenticating.

  • When a user is trying to authenticate, the user is prompted to provide a fingerprint or an iris scan.
  • Once it is provided, a key is generated corresponding to the fingerprint/iris scan.
  • Then each time the fingerprint/iris scan is used, the key is generated again and compared with the saved key.

5. Using a secondary device for authentication:

  • Get a user ID (say via QR/NFC/RFID tags) from the consumption device after giving your phone number or mail as the registration ID.
  • This QR is attached to the account that is logged in using the same phone number or mail.
  • Then from the authentication device, you can approve the consumption of the service.
  • CIBA is a new authentication flow supporting this kind of decoupled authentication. See here for more detail.
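The decoupled flow in method 5 keeps the approval on a device the consumption device never touches. The following is an added example, not code from this post, not WSO2 code, and not the CIBA wire protocol (CIBA's `login_hint`, `binding_message` and `auth_req_id` are borrowed only as names for the corresponding ideas); all class and function names are hypothetical. It shows the server-side state machine a practitioner cares about: the request is routed to the user's registered authentication device, only that device can answer it, the consumption device can only poll, the request times out, and the resulting token is handed out once.

```python
"""Constructed decoupled (CIBA-style) approval with two devices (hypothetical names)."""
import secrets
import time

REQUEST_TTL_SECONDS = 120   # assumption: an unanswered request expires after two minutes


class DecoupledAuthServer:
    def __init__(self, now=time.time):
        self._now = now
        self._devices = {}    # login_hint (phone/mail) -> registered authentication device id
        self._requests = {}   # auth_req_id -> record
        self._inbox = {}      # device id -> list of (auth_req_id, binding_message)

    def register_device(self, login_hint: str, device_id: str) -> None:
        """Bind the user's phone number or mail to the device that may approve logins."""
        self._devices[login_hint] = device_id

    def backchannel_authenticate(self, login_hint: str, binding_message: str) -> str:
        """Called by the consumption device (e.g. after scanning a QR/NFC tag).

        The binding_message is shown on both devices so the user can confirm
        they are approving the login they actually started.
        """
        device = self._devices.get(login_hint)
        if device is None:
            raise LookupError("no authentication device registered for this user")
        auth_req_id = secrets.token_urlsafe(16)
        self._requests[auth_req_id] = {
            "hint": login_hint, "status": "pending",
            "expires": self._now() + REQUEST_TTL_SECONDS, "token": None,
        }
        self._inbox.setdefault(device, []).append((auth_req_id, binding_message))
        return auth_req_id

    def pending_for_device(self, device_id: str):
        """What the authentication device sees when it asks for prompts."""
        return list(self._inbox.get(device_id, []))

    def respond(self, device_id: str, auth_req_id: str, approve: bool) -> bool:
        """Approve or deny from the authentication device; any other device is refused."""
        rec = self._requests.get(auth_req_id)
        if (rec is None or rec["status"] != "pending"
                or self._devices.get(rec["hint"]) != device_id):
            return False
        rec["status"] = "approved" if approve else "denied"
        if approve:
            rec["token"] = secrets.token_urlsafe(32)
        self._inbox[device_id] = [p for p in self._inbox[device_id] if p[0] != auth_req_id]
        return True

    def poll(self, auth_req_id: str):
        """Consumption device polls; returns (status, token-or-None)."""
        rec = self._requests.get(auth_req_id)
        if rec is None:
            return ("unknown", None)
        if rec["status"] == "pending" and self._now() > rec["expires"]:
            rec["status"] = "expired"
        if rec["status"] == "approved":
            token = rec["token"]
            del self._requests[auth_req_id]   # token is delivered exactly once
            return ("approved", token)
        return (rec["status"], None)


def walk_through() -> str:
    """Kiosk starts a login, the user's phone approves it, the kiosk collects the token."""
    server = DecoupledAuthServer()
    server.register_device("+94770000000", "phone-1")          # constructed sample user
    req = server.backchannel_authenticate("+94770000000", "KIOSK-42")
    status, _ = server.poll(req)                               # kiosk: still pending
    for req_id, message in server.pending_for_device("phone-1"):
        if message == "KIOSK-42":                              # user checks the binding message
            server.respond("phone-1", req_id, approve=True)
    status, token = server.poll(req)
    return status


if __name__ == "__main__":
    print("final status:", walk_through())
```

The consumption device never learns anything that lets it approve itself, which is the layer of security the "two decoupled devices" advantage below refers to.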

Advantages of Using Passwordless Authentication

Passwordless authentication is one of the best because:

  • It improves User Experience (UX):

Even for single sign-on, you are required to remember a password, and if it is compromised, literally every service provided to you is vulnerable to attack, as single sign-on trades a single point of failure for user experience.

But in passwordless authentication, since there are no passwords to be remembered, the user experience is enriched as people feel less password fatigue.

  • Better Security:

User-controlled passwords are vulnerable, as they can be recovered with social engineering or eavesdropping. Using modern powerful computers, it is still possible to brute force them, or to use human weaknesses or even eavesdrop to compromise the system once your password is known to an attacker. People use a set of passwords repeatedly over time, are reluctant to change them often, and the simple foolish practices people follow with passwords lead to attacks.

  • Reduction in cost of maintenance:

Passwords need to be stored and protected. Hashes of passwords need to be saved to prevent even the developers from ill-treating them. They require maintenance too, and all of this requires staff.

  • Add layers to Authentication:

Some passwordless authentication mechanisms require two decoupled devices: one to consume the service and the other to authenticate. This adds layers of security to the existing security measures.

Myths:

The myth persists that passwordless transactions are insecure. The term itself is what causes this kind of myth. Rather than using the term “Passwordless Authentication”, it is advisable to use “Dynamic Authentication”, which gives a positive feeling all around, and people will start looking at it in a more positive way.

What “Passwordless Authentication” actually does is this: rather than relying on static passwords, which people are almost always reluctant to change unless it is required, it relies on authenticating each time by challenging the requesting party to prove its identity.

Though there are various advantages accumulating around passwordless authentication, there are threats in practising it too. But gladly, the threats are weaker than in other authentication systems.

I am glad that identity servers are coming with initiatives to include passwordless authentication, so that service providers can adopt it and in return customers will benefit.

“Hackers: Social Engineering can peek anywhere”

“Passwordless Authentication: Hold my beer !!! Coming towards thy.”
