July 28, 2022 •
Passwords are a hassle... they get guessed or stolen. Humans tend to reuse passwords which, on top of that, often lack security. Secure in this case means complex enough to not be easily guessed. However, complex passwords are usually hard to remember. Also, one has to remember numerous passwords already. There are password managers, but they do not really solve the issue. They merely provide tool-support for managing the ever growing number of passwords and issue warnings if the user is reusing a password all too fondly. There is an alternative, which is convenient for users and very secure. In this blog article, we will describe how we became passwordless.
How does it look like using passwordless authentication?
The standard, which allows this to work is: WebAuthn. It requires three key-ingredients:
In the following, these three will be explained very briefly.
WebAuthn requires the Authenticator for, well... authentication.
Authenticators come in different forms, the most known examples are USB tokens like Yubikeys, Nitroykeys, ...
If you are using a modern smartphone or computer which has a built-in fingerprint reader, chances are you can use them. Google and Apple smartphones for example (touch-id and face-id) can be used as well as Apple MacBooks (fingerprint).
Next, WebAuthn requires a Client which is able to communicate with the Authenticator.
For web-based applications, this requirement is rather easy to fulfill: common browsers (e.g. Firefox, Chrome, Safari, Edge, Opera) support the WebAuthn standard.
They Relying Party is the party which performs the authentication of the user.
If you authenticate against a single application, that application is the Relying Party. However, if you employ centralized authentication, like e.g. OpenId Connect, your authorization server is the Relying Party.
KeyCloak is one of the more widely used authorization servers and it, too, supports WebAuthn password-less. For custom applications, there are libraries which help integrate the standard (see "Using WebAuthn": [webauthn.io] (https://webauthn.io)).
For the technical details, please check webauthn.guide. They present plenty of details on how everything works.
The Authenticator holds a private-public-key pair (Wiki: Public-Key-Cryptography). Important in this regard is that the private-key cannot leave the Authenticator. Also, the public-key can be distributed freely, without compromising the private-key.
An Authenticator first needs to be registered to the Relying Party. In this process, the Relying Party asks for a public-key of the Authenticator, which it then stores for later use.
During the authentication process, the Relying Party sends "random" data to the client, asking it to be signed with the private-key of the Authenticator. The signature is sent back to the Relying Party, which uses the stored public-key of the Authenticator to verify the signature. If the signature is valid, authentication was successful. (compare to, Wiki: Challenge–response authentication)
This is a highly simplified description; in reality, more information (e.g. about the client) is mixed in the registration and authentication process.
Using a WebAuthn Authenticator makes life easy and much more secure. The private-key material in the Authenticator, which is used for authentication, cannot be copied or guessed. In order to use it, access to the physical device is required. Thus, attacking user-accounts is not as "comfortable" as in the password case, where an attacker does not even need to get close to you. Simply guessing your password, or tricking you into revealing it does not work anymore.
However, Authenticators can be stolen, and Laptops, Smartphones and USB tokens get stolen regularly. In the case of biometric Authenticators, they should be safe nevertheless.
In the case of USB tokens, however, it makes sense to enable password protection. Be aware that this password protects access to your Authenticator. Entering an incorrect password too often will lock the Authenticator and thus render it useless for an attacker (though, there are PIN / PUK schemes for recovery). This password cannot be attacked remotely, but an attacker will need physical access to your Authenticator.
In the end, you still need to remember a password. The Authenticator, however, can be registered to many, many accounts without losing or weakening the level of security. Instead, the level of security will be increased for all of those accounts.
If you lose an Authenticator, you need to be able to recover your accounts. For these cases, it makes sense to have backup devices - especially, if you truly want to get rid of passwords. And why keep them, right? So once a device has gone missing, you have log into your accounts with your backup device and remove the gone-missing device.
Unfortunately, not all services allow registering more than one Authenticator or once-and-for-all deleting a password.
You can use your iPhone's and MacBook's fingerprint reader as an Authenticator (and thereby effectively eliminate the need for a password) to log into web applications using common, modern browsers. If those applications use a centralized authorization method like OpenID Connect with KeyCloak as authorization server, you need to enable WebAuthn only.
However, be aware that Authenticators can be stolen. Without additional protection, they - just like keys - may allow attackers access to your accounts. So if you are not using biometric Authenticators, do enable additional password protection. Delete your passwords and use multiple Authenticators for recovery, if one device goes missing.
If you want to test your device, try it here: webauthn.io.