< Back to post list in text.eapl.mx

Promoting the use of dynamic passwords

Problems with static passwords

Short passwords are weak. Long passwords are stronger but inconvenient.

Indeed we are changing from passwords to passphrases, and instead or remembering simple 'passwords' of 6 or 8 characters, it's encouraged to use longer 'passphrases' of 16+ characters

Passwords are kind of inconvenient, but it's the way we've used to log in any online service for a lot of years.

There is MFA (Multiple-Factor Autentication) and 2FA (2nd Factor Authentication) which usually is a dynamic code or biometrical on top of the 1st Factor being your password.

1st Factor is 'Something you remember', and 2nd Factor is 'Something you have'.

Something you remember rely on a weak characteristic of humans. Memory.

So, we write them on paper, or create password managers to avoid managing a lot of passwords, and type them quickly. Password managers are now in mobile OS and Web browsers, since they are useful.

And also we have to take into consideration phishing. Using social engineering to trick the user to type/autocomplete the password in a dangerous place.

What if we remove the memorization factor?

Password-less movement

There was some interest since 2015 or perhaps before, on slowly removing passwords and teaching alternatives to reduce the weakest link of trusting the memory of our users, and possibility to be phised.

With password-less we don't use a single set of characters to authenticate, but something stronger by design. We could simplify calling it a dynamic password. A set of characters or bytes that somehow gives us access to an important system.

Magic links

I like this approach, I've used if for a few years now, and for some specific geek users it works great. It's basically transmitting a long single-use password on a 'secure' channel like the email.

Since you can recover any password by email, the security level is similar.

But yes, for most of the users it's really inconvenient:

Don't build password-less login (by email)

Key pairs

When we connect to Virtual Private Servers we often use a cryptographic keypair instead of passwords.

It has the advantage that the 'passphrase' exchange is extremely long. I don't want to enter into details here, but it's many times better than a static password. More entropy, more security than a short password.

The public and private keys (keypair) live in your device, and it could be protected by (again) a password so if someone steals the file with the keypair, couldn't be used.

Also, with the controversial cryptoeconomy technologies, more users are storing a keypair in their browsers, their crypto wallet.

I think it's a pretty good replacement to the social link, like Google, Facebook or Twitter, with less inconvenience, but the risk of being hacked.

They are trojans aiming for the wallet's private key to get the funds, but that's another conversation.

I think keypairs is going to become a viable standard for paswordless authentication soon.

FIDO2/WebAuthn

What is FIDO2 and how does it work?

FIDO2 as an open passwordless standards and Webauthn using it for the web applications sound good in theory, but it's kind of harder to use than previous options. Requieres hardware or software integrations, it's harder to implement on applications, and require support from browsers and the operating system.

It's uses a similar approach than keypairs, but instead of having a file with the private key in your computer, you have some hardware storing the private key. Yeah, it's more secure, but add a cost, and it's not replacing the password but being used as a 2nd authentication factor.

Sadly it's only convenient for some uses like Intranets, corporates and geeks bragging.

What about a different way of thinking on passwords?

Password-authenticated key agreement (PAKE)

I didn't know this way, and sounds interesting, a kind of hybrid between password and passwordless. Using a password manager to store the password locally, and use a cryptographic exchange, so the server doesn't store a representation of the password, but a proof that the users knows it.

Maybe Passwords are the Future

I think it has more disadvantages than FIDO2, it's a niche technology that could work well for some specific cases.

So, what's gonna happen?

I guess passwords are here to stay, but we can promote for some 'advanced' users the option to have at least MFA, and passwordless as an option.

I invite you to offer alternatives to your users and feel the security benefits and usability issues in first-hand.

EOT

---

Send me your feedback to

My Microblogging

or

text.eapl.mx.mebiu [at] slmail.me