Password isn't dying
Last year, there were news articles circulating on the internet claiming that big tech companies were joining forces to eliminate passwords. Some startups even declared that passwords were obsolete and outdated.
Introduction
Last year, there were news articles circulating on the internet claiming that big tech companies like Apple, Google, and Microsoft were joining forces to eliminate passwords. Some startups even declared that passwords were obsolete and outdated. After delving into the realm of identity management for months, I began to question the validity and practicality of these claims.
What does a password do?
At first glance, the answer seems obvious: passwords are used for signing in and verifying identities. However, I hold a different viewpoint if you consider the fact that passwords cannot truly verify who you are:
- When a user signs in to a website with an email and password, the website has no way of confirming the actual person behind those credentials. It could be a human or even a cat.
- Anyone can unlock an iPhone with the correct PIN.
In reality, the purpose of a password is to anonymously prove ownership of something: a user account, a device, or access to a door.
The current “password killers”
The companies mentioned earlier have proposed various "password killers." Many claim to be safer alternatives that eliminate the need for users to remember complex, static passwords during authentication. However, most of these alternatives are not entirely practical for completely removing passwords.
FIDO authentication
FIDO (Fast Identity Online) authentication, as explained in the official documentation, utilizes public key cryptography techniques for registration and sign-in (it's worth noting that WebAuthn is a core component of FIDO2 specifications). On the surface, the process appears appealing:
Simple, right? Unfortunately, there's a significant hurdle in the way: compatibility. When compared to the traditional combination of "identifier and password," FIDO authentication requires:
- Websites or apps to support FIDO.
- Browsers and/or operating systems to support FIDO.
- User devices to have a user-friendly verification mechanism.
Failure to meet any of these requirements renders FIDO authentication unavailable, forcing a fallback to other methods.
Moreover, even if all the conditions are met, what qualifies as a "user-friendly verification mechanism" on a device? Currently, it may involve biometric methods like fingerprint or face recognition, accompanied by a fallback option such as a PIN code, a.k.a. password. In the end, we're brought back to square one.
Technically, it's not a "password killer" but rather a more secure and user-friendly authentication or verification process protected by passwords.
One-time password
Even though the name includes the term “password”, one-time passwords (OTPs) are not traditional passwords because they are dynamic. There are two popular types of OTPs:
- Time-based One-Time Password (TOTP): Generated algorithmically using the current time as a source of uniqueness. It's commonly used in Multi-factor Authentication (MFA) or 2FA.
- SMS/Email One-Time Password: Generated on the server using random algorithms. In some countries, it has been widely adopted as a primary sign-in method.
TOTPs may not be as widely recognized by name. For example, when a website prompts you to set up MFA and use an app like Google Authenticator or Duo to scan a QR code, you're most likely using TOTP. You may have also noticed that the website often displays a long "recovery code" and advises you to save it as it will only be shown once. Some websites even encourage users to print it on paper. In essence, this recovery code functions like a long password.
As for SMS/Email OTPs, they can be expensive and unreliable:
- Building an SMS or email sender from scratch requires setup.
- Email senders need to establish a positive "reputation" to improve deliverability, otherwise, the sender may be flagged as spam.
- Each country has its own mobile network operators, leading to unpredictable delivery times and notable costs for sending SMS, especially for startups.
Biometrics
The term "biometric" refers to using only biometric methods for online authentication. In fact, there's a fundamental difference when compared to other methods: biometric authentication shifts the original task of "proving ownership of something" to "proving who you are." Due to privacy concerns, biometric methods are primarily employed for local authentication.
Password isn’t perfect, though
As we can see, "password killers" are essentially hiding passwords or using passwords as fallback options. Here's a summary of the advantages of passwords based on our discussion:
- Accessibility and compatibility: Passwords can be used in various systems and are accessible to a wide range of users.
- Cost-effectiveness and versatility: Password-based authentication are generally cost-effective than other methods and adaptable to different scenarios.
- Anonymity and privacy: Passwords allow for anonymous usage and protect user privacy.
But every coin has two sides. While passwords have their advantages, relying solely on them for authentication poses significant vulnerabilities. They can be challenging for end-users to manage, and if website owners fail to follow proper security practices, passwords become easy to compromise. Dangerous security practices include, but are not limited to:
- Allowing for weak or leaked passwords.
- Lack of enforcing HTTPS for connections.
- Use of insecure hashing algorithms.
- Failure to adhere strictly to battle-tested standards like OAuth or OpenID Connect (OIDC).
- Exposing the database to the public.
Conclusion
I do not intend to undermine any of the authentication methods mentioned above. On the contrary, as I work on building Logto, I have developed a deep respect for these remarkable authentication methods and the individuals behind them.
Nevertheless, achieving 100% security is an unattainable goal. What we can strive for is to reduce the possibility of attacks. One effective approach is to combine password-based authentication with one-time passwords based on the current device or environment, which adds an extra layer of verification and has been widely adopted. By leveraging the strengths of different authentication techniques, we can create a layered approach that provides stronger protection.
In closing, rather than focusing on buzzwords like "password killer" when passwords are not truly being eliminated, it would be more valuable to concentrate on striking a balance between security and user experience. This entails understanding the strengths and limitations of various authentication methods and implementing them in a way that ensures both the security of user data and a seamless user experience.