< text.eapl.mx

Promoting the use of dynamic passwords

Currently, the standard to login to any online service is a username and a password. Has been used for years, and 'anyone' knows what a password is.

A few problems with static passwords

Short passwords are easy to guess. Long passwords are stronger but inconvenient as they take longer to type.

By 2022, we are changing from passwords to passphrases. and instead of remembering simple 'passwords' of 6 or 8 characters, it's encouraged to use longer 'passphrases' of a few words, but a lot of characters

Passwords are somewhat inconvenient, but it's the way we've used to log in to any online service.

There is MFA (Multiple-Factor Authentication) and 2FA (2nd Factor Authentication) which usually is a dynamic code or a biometrical on top of the 1st Factor, being your password.

1st Factor is 'Something you remember', and 2nd Factor is 'Something you have'.

Do you remember all your passwords?

'Something you remember' relies on a weak human characteristic. Our memory.

So, we write our passwords on paper, or we create and use password managers to avoid remembering hundreds of passwords and type them quickly on our browsers. Password managers are even embedded in mobile OS and Web browsers. Yeah, Password managers are useful.

Phishing

It's 'easy' to be targeted, receive a fake site and carelessly input our password there, giving it to an attacker. There are sophisticated attacks that go unnoticed by most users.

What about making that fished password useless?

Or even better, how about removing the memory factor?

Password-less movement

There was some interest since 2015 or perhaps before, in slowly removing passwords and promoting alternatives to reduce the weakest link of trusting the memory of our users, and the possibility to be phished.

Going passwordless, we don't use a set of characters to authenticate, but something stronger by design.

One alternative is 'dynamic passwords'. A set of characters or bytes that somehow gives us access to an important system.

Magic links

I like this approach, I've used it for a few years now, and for some specific geek users work great. It's basically sending a long single-use password by a channel like your email or IM.

You can recover your password by email, therefore the security level is similar.

An important weakness is that pretty often email or SMS are not encrypted, and someone can get your secret.

And for most users, it's really inconvenient:

Don't build password-less login (by email)

Key pairs

When we connect to remote computers by SSH we often use a cryptographic keypair instead of passwords.

It has the advantage that the 'passphrase' exchange is extremely long. I don't want to go into details here, but it's many times better than a static password. More secure than a short password.

Public and private keys, the keypair, lives in your device, and it could be protected by (again) a password so if someone steals the file with the keypair, it couldn't be used to log in.

Also, with the controversial crypto-economy technologies, more users are storing a keypair in their browsers, their crypto wallet.

I think it's a useful placement for social login, like Google, Facebook, or Twitter, with fewer inconveniences, but the risk of being hacked if someone gets access to your computer.

They are trojans aiming for the wallet's private key to get the funds, but that's another conversation.

I think keypairs are going to become a viable standard for passwordless authentication soon.

FIDO2/WebAuthn/Passkeys

What is FIDO2 and how does it work?

FIDO2 as an open passwordless standard and Webauthn using it for web applications sound good in theory, although it's kind of harder to use than previous options.

It requires integration with hardware, and the software generators are not as secure. The implementation takes weeks, compared with having a simple password.

It uses a similar approach to keypairs, but instead of having a file with the private key in your computer, you have some hardware storing the private key.

Yeah, it's more secure but adds costs.

At the start, FIDO2 was being used as a 2FA, but most recently it has been promoted as a passwordless alternative with the passkeys.io standard. And promoted by Google, Apple, and Microsoft. Main operating system suppliers.

I think passkey would become mainstream soon, but that remains to be seen.

passkeys.com

What about a different way of thinking about passwords?

Password-authenticated key agreement (PAKE)

I didn't know this interesting method. It's a kind of hybrid between password and passwordless. Using a password manager to store the password locally, and a cryptographic exchange with the server, you don't need to send the password, but proof that you have the right password.

Maybe Passwords are the Future

I think currently PAKE has more disadvantages than FIDO2 and less support. It's a niche technology that could work well for some specific cases.

So, what's gonna happen?

I guess passwords are here to stay, but we can promote for some 'advanced' users the option to have at least MFA, and passwordless as the preferred alternative.

I'd suggest allowing your users to upgrade from having a password-first experience to some sort of passwordless login. It's going to take time for our users to get used to different behaviors, but I think it's convenient for all of us.

EOT

---

Cómo enviar una respuesta

Send me your comments to

text.eapl.mx.mebiu [at] slmail.me

or

My Microblogging