You shall not Password!
You shall not Password!
By Mark van der Linden
7 min read
Isn't it weird that we have to come up with a phrase and share it with a server to protect our account?
- Authors
- Name
- Mark van der Linden
- linkedinMark van der Linden
Keeping dozens of accounts safe from all kinds of websites and services has become too difficult. All these accounts require a password which needs to be more complex by the day. You start using a password manager because you can't remember all of them or worse, use the same password everywhere. All these passwords end up in databases and if you are unlucky, on leaked password lists online. The question we should ask ourselves is: why do we still entrust the key to our account to some third party? Is there a way to protect our accounts without having to share our secret?
SMS, email & apps
The simplest form of authenticating a user without a password is by including a separate system that the user can access. Once the user provides their username during the login flow, an email or SMS is sent with a one-time code that they must provide to successfully log in.
A similar option is to generate a so-called magic link and deliver it in the form of an email to the user. You click on the link within the email and are immediately logged into the platform.
There could also be the option for the user to install the mobile application of the service to their phone and act as an authenticator by receiving a push notification while performing the login.
These options seem straightforward but do have some side effects. They require the user to provide additional personal details like a phone number or install an additional app on their phone. Magic link emails can turn up in spam folders and the email service is probably also protected with a password, so aren’t we just delegating the issue towards another service?
The biggest problem however is that these mechanisms aren’t part of any standardized protocol. This results in multiple variants of the implementation and thus reinventing the wheel every time with the consequence of creating security issues. This also doesn’t incentivize identity providers to support these functionalities out of the box.
Web Authentication
The FIDO Alliance is an association that has a clear goal: creating standards that help reduce the over-reliance the world has on passwords. With that in mind, the alliance created the FIDO protocol. This protocol allows users to authenticate with a FIDO-complaint device such as physical security keys. Yubikeys are a popular example of such devices. These keys could for example connect to your laptop via USB and allow for a passwordless login to your Windows account. Together with the W3C they have taken it a step further and introduced the FIDO2 protocol. This protocol consists of the Web Authentication (WebAuthn) specification and Client to Authenticator Protocol (CTAP).
WebAuthn provides an API for the browser to communicate with two types of authenticators:
Platform authenticators leverage the capabilities of the device itself and provide a way for the user to safely prove their identity. This mostly comes down to biometrics like fingerprint or face recognition.
Roaming authenticators consists of physical hardware that is in the possession of the user. These can communicate with the device via Bluetooth, NFC, or USB.
Having multiple options allows for flexibility for the user but also allows for broader support of different kinds of devices. For instance, not all devices support biometrics but might have Bluetooth or a USB port to use a physical security key. A list of platform and browser combinations with both platform and roaming authenticators can be found on the following website.
With the help of Google, Mozilla, Microsoft and Apple, the specification has become supported in all modern browsers which makes this method of authentication broadly available due to almost every device running a browser these days. On top of that, WebAuthn is based on public key cryptography. For every account on a website or service, a keypair is created. The private key stays on the device, and the public key is shared with the third party. This eliminates sharing our secret! During the creation of the keypair, the domain of the website is also part of the parameters. This is a very important parameter because it binds the key to a specific domain which makes phishing attacks impossible.
Registration and Authentication
For a user to start using their authenticator for authentication, registration must first take place. The server sends a challenge that the client must send back in a signed format, to mitigate replay attacks. Once the challenge is received, the user is prompted to choose an authenticator. This prompt is triggered by calling the designated method in the WebAuthn API. This API directly communicates with the browser to determine the available authenticators. Once an authenticator is chosen and the necessary steps have been taken by the user, like a biometric check, a keypair is created. The private key is stored on the user’s device and is used to sign the challenge. The public key and signed challenge are sent to the server. The server validates the request and is responsible for storing the public key with the user’s account.
Once the user has registered and starts the authentication process to log in, the server once again starts with the challenge. The WebAuthn API is invoked again by the browser, the user performs the biometric check once again and the challenge is signed with the private key on the device. The challenge is sent to the server and is validated with the stored public key of the user.
Benefits and challenges
Implementing WebAuthn has multiple advantages over passwords in terms of security. For one, the user can’t decide to re-use a password or use one that might have been leaked online. More importantly, the server will never have any kind of credential stored except for the public key. This means that if the database is ever exposed, it would only reveal that public key which is of no use to anyone. The attacker will have to go after the user’s key by accessing the device of that user instead of a server with the passwords of all users. This makes it less interesting for a malicious party. In addition, while creating the key pair, it's linked to a specific domain which makes it impossible for phishing practices.
Another benefit is that WebAuthn is a standardized protocol. With that, identity providers have already started supporting passwordless out of the box. Developers can configure this feature in identity providers like Auth0, Okta or Keycloak without having to write a single line of code. Standardization also brings SDKs which makes it that much easier for developers to implement the protocol if they don’t use an identity provider product.
There are however some things to consider when providing this functionality to your users. Like any other authentication options that revolve around another piece of hardware, like OTP, there is the matter of losing your device. For that, you could fall back on the email address of the user to start registration of a new authenticator or make sure a user registers multiple authenticators.
Way forward
Even though there is wide support for Web Authentication, it's not supported by all devices and some users still value the importance of a password. This will take time and means we can’t get rid of passwords together (yet!). However, this shouldn’t stop developers from giving the user the choice of enabling it. You can also provide it as an option for a 2nd-factor authentication. The user can still register with a password but with the added protection of the 2nd factor. This way the user gets to experience how easy the flow is and might think twice next time they have to provide a password for yet another account. To get started with Web Authentication go have a look at the WebAuthentication Guide.
Upcoming events
Coven of Wisdom - Herentals - Winter `24 edition
Worstelen jij en je team met automated testing en performance? Kom naar onze meetup waar ervaren sprekers hun inzichten en ervaringen delen over het bouwen van robuuste en efficiënte applicaties. Schrijf je in voor een avond vol kennis, heerlijk eten en een mix van creativiteit en technologie! 🚀 18:00 – 🚪 Deuren open 18:15 – 🍕 Food & drinks 19:00 – 📢 Talk 1 20:00 – 🍹 Kleine pauze 20:15 – 📢 Talk 2 21:00 – 🙋♀️ Drinks 22:00 – 🍻 Tot de volgende keer? Tijdens deze meetup gaan we dieper in op automated testing en performance. Onze sprekers delen heel wat praktische inzichten en ervaringen. Ze vertellen je hoe je effectieve geautomatiseerde tests kunt schrijven en onderhouden, en hoe je de prestaties van je applicatie kunt optimaliseren. Houd onze updates in de gaten voor meer informatie over de sprekers en hun specifieke onderwerpen. Over iO Wij zijn iO: een groeiend team van experts die end-to-end-diensten aanbieden voor communicatie en digitale transformatie. We denken groot en werken lokaal. Aan strategie, creatie, content, marketing en technologie. In nauwe samenwerking met onze klanten om hun merken te versterken, hun digitale systemen te verbeteren en hun toekomstbestendige groei veilig te stellen. We helpen klanten niet alleen hun zakelijke doelen te bereiken. Samen verkennen en benutten we de eindeloze mogelijkheden die markten in constante verandering bieden. De springplank voor die visie is talent. Onze campus is onze broedplaats voor innovatie, die een omgeving creëert die talent de ruimte en stimulans geeft die het nodig heeft om te ontkiemen, te ontwikkelen en te floreren. Want werken aan de infinite opportunities van morgen, dat doen we vandaag.
| Coven of Wisdom Herentals
Go to page for Coven of Wisdom - Herentals - Winter `24 editionMastering Event-Driven Design
PLEASE RSVP SO THAT WE KNOW HOW MUCH FOOD WE WILL NEED Are you and your team struggling with event-driven microservices? Join us for a meetup with Mehmet Akif Tütüncü, a senior software engineer, who has given multiple great talks so far and Allard Buijze founder of CTO and founder of AxonIQ, who built the fundaments of the Axon Framework. RSVP for an evening of learning, delicious food, and the fusion of creativity and tech! 🚀 18:00 – 🚪 Doors open to the public 18:15 – 🍕 Let’s eat 19:00 – 📢 Getting Your Axe On Event Sourcing with Axon Framework 20:00 – 🍹 Small break 20:15 – 📢 Event-Driven Microservices - Beyond the Fairy Tale 21:00 – 🙋♀️ drinks 22:00 – 🍻 See you next time? Details: Getting Your Axe On - Event Sourcing with Axon Framework In this presentation, we will explore the basics of event-driven architecture using Axon Framework. We'll start by explaining key concepts such as Event Sourcing and Command Query Responsibility Segregation (CQRS), and how they can improve the scalability and maintainability of modern applications. You will learn what Axon Framework is, how it simplifies implementing these patterns, and see hands-on examples of setting up a project with Axon Framework and Spring Boot. Whether you are new to these concepts or looking to understand them more, this session will provide practical insights and tools to help you build resilient and efficient applications. Event-Driven Microservices - Beyond the Fairy Tale Our applications need to be faster, better, bigger, smarter, and more enjoyable to meet our demanding end-users needs. In recent years, the way we build, run, and operate our software has changed significantly. We use scalable platforms to deploy and manage our applications. Instead of big monolithic deployment applications, we now deploy small, functionally consistent components as microservices. Problem. Solved. Right? Unfortunately, for most of us, microservices, and especially their event-driven variants, do not deliver on the beautiful, fairy-tale-like promises that surround them.In this session, Allard will share a different take on microservices. We will see that not much has changed in how we build software, which is why so many “microservices projects” fail nowadays. What lessons can we learn from concepts like DDD, CQRS, and Event Sourcing to help manage the complexity of our systems? He will also show how message-driven communication allows us to focus on finding the boundaries of functionally cohesive components, which we can evolve into microservices should the need arise.
| Coven of Wisdom - Utrecht
Go to page for Mastering Event-Driven DesignThe Leadership Meetup
PLEASE RSVP SO THAT WE KNOW HOW MUCH FOOD WE WILL NEED What distinguishes a software developer from a software team lead? As a team leader, you are responsible for people, their performance, and motivation. Your output is the output of your team. Whether you are a front-end or back-end developer, or any other discipline that wants to grow into the role of a tech lead, RSVP for an evening of learning, delicious food, and the fusion of leadership and tech! 🚀 18:00 – 🚪 Doors open to the public 18:15 – 🍕 Let’s eat 19:00 – 📢 First round of Talks 19:45 – 🍹 Small break 20:00 – 📢 Second round of Talks 20:45 – 🙋♀️ drinks 21:00 – 🍻 See you next time? First Round of Talks: Pixel Perfect and Perfectly Insane: About That Time My Brain Just Switched Off Remy Parzinski, Design System Lead at Logius Learn from Remy how you can care for yourself because we all need to. Second Round of Talks: Becoming a LeadDev at your client; How to Fail at Large (or How to Do Slightly Better) Arno Koehler Engineering Manager @ iO What are the things that will help you become a lead engineer? Building Team Culture (Tales of trust and positivity) Michel Blankenstein Engineering Manager @ iO & Head of Technology @ Zorggenoot How do you create a culture at your company or team? RSVP now to secure your spot, and let's explore the fascinating world of design systems together!
| Coven of Wisdom - Amsterdam
Go to page for The Leadership Meetup