Going Passwordless

July 28, 2022

written by:

Passwords are a hassle... they get guessed or stolen. Humans tend to reuse passwords which -on top of that- are often enough not secure. Secure, in this case, means complex enough so they cannot be easily guessed. However, complex passwords, are usually not easy to remember and one has to remember so and so many passwords, already. There are password managers, but they do not really solve the issue. They merely provide tool-support for managing the ever growing number of passwords and issue warnings if the user is reusing a password all to fondly. There is an alternative, which is convenient for users and very secure. In this blog article, we are describing how we got password-less.

flavor wheel

How does password-less authentication look like?

How does it look like using passwordless authentication?


About WebAuthn

The standard, which allows this to work is: WebAuthn. It requires three key-ingredients to work:

  1. Authenticator
  2. Client
  3. Relying Party

In the following, those three will be explained very briefly.

Authenticator

WebAuthn requires the Authenticator for, well... authentication.

They come in different forms, the most known examples are USB tokens like Yubikeys, Nitroykeys, ...

Yubikey

If you are using a modern smartphone or computer which has a built-in fingerprint reader, chances are, you can use them. For example Google and Apple smartphones (touch-id and face-id) can be used as well as Apple MacBooks (fingerprint).

Client

Next, WebAuthn requires a Client which is able to communicate with the Authenticator.

For web-based applications, this requirement is rather easy to fullfil: Today relevant Browsers (e.g. Firefox, Chrome, Safari, Edge, Opera) support the WebAuthn standard.

Relying Party

They Relying Party is the party which performs the authentication of the user.

If you authenticate against a single application, that application is the Relying Party. However, if you employ centralized authentication, like e.g. OpenId Connect, your authorization server is the Relying Party.

KeyCloak is one of the more widely used authorization servers and it, too, supports WebAuthn password-less. For custom applications there are libraries which help integrating the standard (see "Using WebAuthn": webauthn.io).

How does it work? (Simplified)

For the technical details, please check webauthn.guide. They present plenty of details on how everything works.

The Authenticator holds a private-public-key pair (Wiki: Public-Key-Cryptography). Important in this regard is, that the private-key cannot leave the Authenticator. Also, The public-key can be distributed freely, without compromising the private-key.

An Authenticator first needs to be registered to the Relying Party. In this process, the Relying Party, asks for a public-key of the Authenticator, which it then stores for later use.

During the authentication process, the relying party sends "random" data to the client, asking it to be signed with the private-key of the Authenticator. The signature is sent back to the Relying Party which uses the stored public-key of the Authenticator to verify the signature. If the signature is valid, authentication was successful. (compare to, Wiki: Challenge–response authentication)

This is a much simplified description, in reality, more information (e.g. about the client) is mixed in the registration and authentication process.

Closing Remarks and Things to Keep in Mind

Using a WebAuthn Authenticator makes life easy and much more secure. The private-key material in the Authenticator, which is used for authentication, cannot be copied or guessed. In order to use it, access to the physical device is required. Thus, attacking user-accounts is not as "comfortable" as in the password case, where an attacker does not even need to get close to you. Simply guessing your password, or tricking you into revealing it does not work anymore.

However, Authenticators can be stolen, and Laptops, Smartphones and USB tokens get stolen regularly. In the case of biometric Authenticators they should be safe still.

In the case of USB tokens, however, it makes sense to enable password protection. Be aware that this password protects access to your Authenticator. Entering a wrong password too often, will lock the Authenticator and thus rendering it useless for an attacker (though, there are PIN / PUK schemes for recovery). This password cannot be attacked remotely but an attacker needs physical access to your Authenticator.

In the end you still need to remember a password. The Authenticator, however, can be registered to many, many accounts without loosing or weakening the level of security. Instead, the level of security will be increased for all of those accounts.

If you loose an Authenticator, you need to be able to recover your accounts. For these cases it makes sense, to have backup devices. Especially, if you truly want to get rid of passwords. And why keep them, right? So once a device has gone missing, you have log into your accounts with your backup device and remove the gone-missing device.

Unfortunately, not all services all to register more than one Authenticator or to once-and-for-all delete a password.

TL;DR

You can use your iPhones and MacBooks fingerprint reader as an Authenticator (and thereby effectively eliminate the need for a password), to log into web applications using common, modern browsers. If those applications use a centralized authorization method like OpenID Connect with KeyCloak as authorization server, you need to enable WebAuthn, only.

However, be aware that Authenticators can be stolen. Without additional protection, just like keys, they may allow attackers access to your accounts. So if you are not using biometric Authenticators, enable an additional password protection. Delete your passwords and use multiple Authenticators for recovery, if one device goes missing.

If you want to test your device, try it here: webauthn.io.

Yubikey