How could passwordless Internet work

Fingerprints of over 5.6 Million Americans Stolen During the OPM Hack

Microsoft has recently announced that its nearly 800 million users of services such as Outlook, Office or Skype now have the option to login to these platforms without using a password, as reported by specialists in digital forensics from the International Institute of Cyber Security.

The announcement is part of the plans of various companies to migrate to the use of the passwordless Internet through the implementation of WebAuthn, the key technology to complete this transition. According to cybersecurity and digital forensics specialists, the implementation of this technology involves the use of biometrics (such as facial or fingerprints recognition) or other authentication methods rather than continuing to use the username/password system.

Although this is a relevant measure for Internet users’ security, it is still necessary to go through a long implementation process, in which users will have to be persuaded to adopt new forms of authentication for access to the various digital platforms. The use of the password is relatively simple for any Internet user, so this method has prevailed as the most used. On the other hand, passwordless authentication works differently, it can be complicated to understand and involves the need to learn new acronyms or concepts, such as FIDO2, WebAuthn, or CTAP, so specialists in digital forensics will try to explain in a general way how passwordless authentication works.

Passwordless logins

When someone uses a website, the most common way to register is by choosing a username and password. Once the user shares this data with the website, any kind of control is lost on what the site does with their key words; users just can trust that the website will store and process that information in a secure way. Based on the number of data security incidents recently occurred, we can deduce that this expectation is not always fulfilled.

According to experts in digital forensics, with passwordless authentication, users will no longer depend on the website storing their information correctly. This is because public-key cryptography is used, which authenticates the user using two cryptographic keys: a private key, which is secret, and a public one.

The user saves their secret key, and grants the public key to the website when gets registered. Because this key will be public, users should not be concerned that their confidential information is compromised in case of a data breach. The public key can only unlock things that were locked using the corresponding private key.

On the other hand, the user authenticates using their private key to encrypt a ‘challenge’ (a very large randomly selected number) sent by the website and then will make the site decrypt it with the public key. If the encryption/decryption sequence works and the web server recovers the user’s challenge, the passwordless authentication process is completed.

For this to work properly, the user will need an ‘authenticator’, a key manager and a set of rules that will allow their computer, their browser, and the websites the user visits, to collaborate to complete the process.

WebAuthn

WebAuthn is an API that websites and browsers can use to enable authentication by using public key cryptography instead of passwords. The main browsers already manage WebAuthn; the next step is for websites to invest to implement this code change.

Instead of requesting that the user enter their username/password, websites can perform authentication using the JavaScript code embedded on their web pages.

The code uses the WebAuthn API to request browsers to generate credentials when the user registers in a website, or to get the login credentials.

Although the JavaScript code is downloaded with the webpage and runs on the user’s machine, in their browser, it is still considered part of the website, so you cannot rely on access to your private key or any other secret.

Authenticators

By default, websites do not pay attention to the way the user generates or manages their private keys, so they can use the most convenient method for each individual. Users can adopt the authentication included in their operating system, such as Windows Hello, Microsoft’s face recognition, or a remote authenticator, a smartphone, for example.

Putting all the pieces together

A possible scenario is that the user wants to authenticate using their fingerprints. When logging into a website, the code on the login page uses the WebAuthn API to ask the browser to sign a ‘challenge’ using the private key. The browser passes the challenge to the authenticator, and the authenticator asks the user to sign the challenge, what the user does by putting their finger on the fingerprint scanner.

The authenticator verifies the user’s fingerprint, signs the challenge and forwards it to the browser, returning it to the client-side JavaScript code, which eventually returns it to the website server, completing the process.

Explained in this way it may seem complex, but the user’s required interaction is minimal, as considered by digital forensics specialists.