3 Types of Passwordless Authentication for Web 3.0

By Webstacks. Published in Magic, Dec 30, 2021.

This article was written by Mike Truppa, a content developer and blockchain expert at Webstacks, a website and marketing operations agency helping high-growth SaaS, FinTech, and Blockchain startups scale.

Passwordless authentication is the future of online security. It promises a future where users don’t need to remember username and password combinations, spend time resetting passwords, or worry about their personal and financial information being stolen.

Passwordless authentication is a fundamental shift in how people will access their tools and information online, and it will provide more security, prevent billions in losses, and create greater transparency.

Let’s explore the different types of passwordless technology and compare a few companies offering passwordless authentication software.

What is Passwordless Authentication?

Passwordless authentication is a method for verifying an internet user’s identity without requiring a password.

Types of passwordless authentication methods in use today include magic links, one-time passwords (OTP), biometric authentication, and public-private key pairs using blockchain technology.

Diagram of how passwordless authentication solutions work.

Is two-factor authentication (2FA) passwordless authentication?

Because two-factor authentication (2FA) exists to add an additional layer of security to passwords, it can sometimes be miscategorized as passwordless authentication.

However, 2FA methods such as SMS-based authentication would still be considered a one-time password, which is a form of passwordless authentication.

3 Types of Passwordless Authentication that Eliminate Single Points of Failure from Centralized PAP-based Authentication

Today’s password authentication protocols (PAP) are designed with centralized intermediaries or organizations that maintain a database of username-password pairs to prove a user’s identity.

The central point of failure of PAP-based authentication puts people at risk of hacks, data breaches, identity theft, fraud, and leaks, all of which can be mitigated with passwordless authentication.

1. Public-Key Cryptography and Blockchain Authentication

Public-key cryptography is a form of public and private key authentication that is already widely used, including in WebAuthn and machine-to-machine communication.

Public-key cryptography has exploded in popularity in the last decade, in large part because of public blockchains like Bitcoin, Ethereum, and Solana that use public-private key cryptography to secure blockchain transactions of digital assets and Non-Fungible Tokens (NFTs).

Because blockchain technology is built on top of public-key cryptography, they can be confused as one and the same. However, public-key cryptography doesn’t necessitate authentication with a blockchain.

For example, although Magic enables Web 3.0 platforms to connect to public blockchains like Ethereum, throughout the entire authentication flow there is no interaction with the underlying blockchain; no consensus is involved or required to prove the user’s identity.

How does blockchain authentication work to prove a person’s identity?

Instead of using the traditional method of typing in a username and password, blockchain authentication uses public-key cryptography for self-sovereign identity management.

When a user creates a wallet account on the blockchain, they receive a private key which only they know, and it is paired with a public key that connects them to the wallet address.

To access Web 3.0 applications or complete blockchain transactions, the user signs transaction requests using their private key which authenticates their account access.
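
The signing flow described above, as an added example that is not from the original article and is not Magic's or any wallet's code: the server issues a random challenge, the client signs it with the private key, and the server verifies the signature against the registered public key without contacting a blockchain. Node.js built-in `crypto`, the P-256 curve, the `https://app.example` origin, the 60-second lifetime and all function names are assumptions made for the illustration.

```javascript
const crypto = require('crypto');

const ORIGIN = 'https://app.example';   // hypothetical relying-party origin
const TTL_MS = 60_000;                  // assumed challenge lifetime
const pending = new Map();              // challenge id -> { nonce, publicKeyPem, expires }

// Server: issue a random, short-lived challenge for the account's registered public key.
function issueChallenge(publicKeyPem, now = Date.now()) {
  const id = crypto.randomBytes(16).toString('hex');
  const nonce = crypto.randomBytes(32).toString('base64');
  pending.set(id, { nonce, publicKeyPem, expires: now + TTL_MS });
  return { id, nonce };
}

// Both sides sign and verify the same bytes; binding the origin stops reuse on another site.
const message = (id, nonce) => Buffer.from(`${ORIGIN}|${id}|${nonce}`);

// Client: sign with the private key, which never leaves the user's device.
function signChallenge({ id, nonce }, privateKey) {
  return crypto.sign('sha256', message(id, nonce), privateKey).toString('base64');
}

// Server: check the signature locally. No password database and no blockchain call.
function verifyLogin(id, signatureB64, now = Date.now()) {
  const entry = pending.get(id);
  pending.delete(id);                   // single use: a replayed response finds nothing
  if (!entry || now > entry.expires) return false;
  const sig = Buffer.from(signatureB64, 'base64');
  return crypto.verify('sha256', message(id, entry.nonce), entry.publicKeyPem, sig);
}

// Constructed walk-through: one valid login, one replay, one wrong key, one expiry.
function demo() {
  const newKeys = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const user = newKeys(), other = newKeys();
  const pem = user.publicKey.export({ type: 'spki', format: 'pem' });

  const c1 = issueChallenge(pem);
  const sig1 = signChallenge(c1, user.privateKey);
  const ok = verifyLogin(c1.id, sig1);
  const replay = verifyLogin(c1.id, sig1);
  const c2 = issueChallenge(pem);
  const wrongKey = verifyLogin(c2.id, signChallenge(c2, other.privateKey));
  const c3 = issueChallenge(pem, 0);
  const expired = verifyLogin(c3.id, signChallenge(c3, user.privateKey), TTL_MS + 1);
  return { ok, replay, wrongKey, expired };
}
```

The server stores only public keys, so a breach of its database yields nothing that can be used to sign in.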

How are blockchains secured using public-key authentication?

Blockchains have a variety of security mechanisms to protect the integrity of the blockchain and secure users’ information.

Bitcoin’s Proof-of-Work and Ethereum 2.0’s soon-to-be Proof-of-Stake consensus mechanisms ensure censorship-resistant networks that are practically impossible to hack.

To hack (i.e. modify transactions on a blockchain’s distributed ledger), a malevolent user would need to control 51% of Bitcoin’s hash power, or more than 33% of Ethereum’s stake.

For example, the top four Bitcoin mining pools, which power Bitcoin’s Proof-of-Work consensus, control ~60% of the mining power, and to manipulate the network, all four of these independent miners would need to collude.

As long as someone does not have access to your private key, it is highly unlikely for someone to access your wallet or impersonate the identity tied to your public-private key pair.

2. Decentralized Authentication

Decentralized authentication means no single centralized platform, organization, person, or entity is needed to verify your identity.

While blockchain authentication has proven to be a strong use case for decentralized authentication, the two are not the same. You don’t need blockchains to use decentralized authentication methods.

What is an ITF?

Identity Trust Fabric (ITF) is a decentralized mechanism for establishing trust between credentialed users. ITFs act as middlemen by interacting directly with a centralized intermediary.

For example, an ITF could handle all the identification and access requests needed from a centralized party. ITFs decrease the risks of sending your confidential information to an organization.

What are the tradeoffs between decentralized authentication and blockchain authentication?

The main argument for using decentralized authentication methods like ITFs instead of blockchain authentication is the speed and cost of using blockchains.

However, with the emergence of lightning-fast layer 1 blockchains like Solana and layer 2 solutions like Polygon, built to help Ethereum scale transaction throughput, blockchains are quickly becoming a faster, cheaper alternative to traditional decentralized authentication protocols.

ETH 2.0 brought Proof-of-Stake (PoS) and sharding to the scaling conversation. These aren’t bad options as they do increase the L1 transaction throughput, but to reach scalability where there are millions of transactions on the network on any given day, PoS and sharding simply aren’t enough.

3. Distributed Authentication

Distributed authentication is a collection of hosts interconnected by a single network. While distributed authentication is the leading choice based on adoption across the industry, it poses a high number of security threats.

Two Common Flaws in Distributed Authentication

Two main flaws with distributed authentication are:

  1. Unconstrained delegation
  2. Unbalanced authority

What is unconstrained delegation?

Unconstrained delegation allows some entity to authenticate you as an individual and also authenticate on your behalf (i.e. impersonate, act as you) to another party.

While unconstrained delegation has benefits such as allowing administrators to update database servers from a web server, it creates an area of exploitation where a hacker with access to admin credentials can unilaterally compromise the system.

Unconstrained delegation can lead to data breaches, exposing millions of confidential usernames and passwords, causing fraud and potentially billions in damages every year.

What is unbalanced authority?

Unbalanced authority is when a specific centralized party or system has information that identifies specific principals within the system (e.g. users).

Unbalanced authority occurs between enterprise businesses where an external business partner is trusted inside the system, allowing them to access company resources.

When the access granted is over-provisioned, it allows external companies access to too much sensitive information, which can cause harm to the internal organization and its customers.

What type of passwordless authentication does Magic use?

Magic uses public-private key authentication. While the authentication flow doesn’t involve interacting with a blockchain, Magic’s authentication allows users to interact with blockchains after they are authenticated by binding the authentication to 16+ different blockchain key generation schemes.

Borrowing security principles from blockchain hardware wallets like Ledger, Magic secures accounts using a combination of hardware wallet security and AWS’s Delegated Key Management.

Software developers can use Magic’s plug-and-play Software Development Kit (SDK) to quickly add magic links secured with public-private key authentication to their application.

A magic link is a special URL that represents a login URL, typically emailed to users at login. This link contains an embedded token that authorizes users without requiring a username or password. Magic also supports other login methods like SMS, Social Logins, WebAuthn and MFA.
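
How a server can issue and redeem the embedded token safely, as an added example that is not Magic's implementation or code from the original article: the token is random, stored only as a hash, expires, works once, and is revoked when a newer link is requested. The callback URL, the 10-minute lifetime, the in-memory maps and the function names are assumptions made for the illustration.

```javascript
const crypto = require('crypto');

const BASE_URL = 'https://app.example/login/callback'; // hypothetical endpoint
const TTL_MS = 10 * 60_000;                            // assumed 10-minute lifetime
const byDigest = new Map();   // sha256(token) -> { email, expires }
const byEmail = new Map();    // email -> digest of the one outstanding link

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Issue: 256-bit random token; only its hash is stored, so a leaked table cannot log in.
function createMagicLink(email, now = Date.now()) {
  const previous = byEmail.get(email);
  if (previous) byDigest.delete(previous);             // a new link revokes the old one
  const token = crypto.randomBytes(32).toString('hex');
  const d = sha256(token);
  byDigest.set(d, { email, expires: now + TTL_MS });
  byEmail.set(email, d);
  return `${BASE_URL}?token=${token}`;                 // this URL is what gets emailed
}

// Redeem: returns the authenticated email, or null. A found token is always consumed.
function redeemMagicLink(url, now = Date.now()) {
  const token = new URL(url).searchParams.get('token') || '';
  const d = sha256(token);
  const entry = byDigest.get(d);
  if (!entry) return null;                             // unknown, revoked or already used
  byDigest.delete(d);
  if (byEmail.get(entry.email) === d) byEmail.delete(entry.email);
  return now <= entry.expires ? entry.email : null;
}

// Constructed walk-through with made-up addresses and fixed clock values.
function demo() {
  const first = createMagicLink('alice@example.com', 0);
  const second = createMagicLink('alice@example.com', 0);
  return {
    revoked: redeemMagicLink(first, 1),
    login: redeemMagicLink(second, 1),
    replay: redeemMagicLink(second, 2),
    expired: redeemMagicLink(createMagicLink('bob@example.com', 0), TTL_MS + 1),
    forged: redeemMagicLink(`${BASE_URL}?token=${'0'.repeat(64)}`, 1),
  };
}
```

Because the link is a bearer credential, anyone who can read the mailbox or the URL can use it, which is why the lifetime is short and the token is consumed on first use.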

The Type of Passwordless Authentication You Choose Will Be Different for Each Application’s Security Requirements

Passwordless authentication removes the need to remember passwords or use password managers, and improves upon the security benefits of password-based authentication.

Scalable passwordless authentication tools like Magic help software developers reduce the complexity of securing their applications, while simultaneously hardening security using the best aspects of public-private key cryptography.

With the mainstream adoption of blockchain technology transforming every business sector, having the option to bind authentication with 16+ blockchain key generation schemes helps today’s Web 2.0 companies prepare for the future of Web 3.0.

Passwordless authentication isn’t a zero-sum game. Every business has different needs, and not every type of passwordless solution will fit within the regulatory and compliance needs of each business.


Webstacks is a web operations and growth marketing agency helping high-growth SaaS and blockchain companies scale from Series A to IPO.