Whether a password is “weak” or “strong” is not the real issue, because every password-based authentication is easily compromised. The responsibility, however, does not lie with the user: the entire IT industry slept through the topic for years.
Phishing, malware, social engineering and leaked password databases: Hardly any cyber criminal still bothers to “try out” passwords, especially since there are much more efficient strategies for gaining access to third-party accounts. Users are powerless against the theft of their passwords from databases, even if they are smart and attentive enough not to fall for fake emails or to prevent malware from being installed on their device.
And even if maximum protection is guaranteed at the technical level, there is still the "human" security risk: How can you really prevent an unsuspecting employee from being fooled by a supposed "network administrator" of the company? If this person on the phone credibly pretends to act on “instructions from the boss” and to deal with an “urgent emergency”, passwords and other sensitive access data can quickly fall into the wrong hands.
While a few years ago many phishing attacks could still be spotted easily by spelling mistakes or poor design, phishing has since grown not only in quantity but also in quality. As the BSI reports, attackers have recently profited from the uncertainty caused by the Covid-19 pandemic: particularly alarming are well-written fake pages that look deceptively genuine, imitating not only banks but also supposed government services such as applications for short-time work benefits or Corona emergency aid.
Of course there are different qualities of passwords. But the more complex a password becomes, the harder it is for users to remember it. Consequently they build workarounds, such as a password list, which in turn can easily be attacked. Another experience from real life: with a "strong password" stuck under the keyboard in a doctor's room at the beginning of the year, even as a layperson I could easily have gained access to all of the hospital's patient files... A better solution is the currently much-vaunted “password manager”. However, since it is also based on the “password” authentication method, it is ultimately only a crutch: it treats symptoms instead of the cause and brings problems of its own, both in security and in usability.
Innovation drivers are sometimes the protagonists of the modern world, while at the same time looking down disparagingly on the PEBCAK (problem exists between chair and keyboard). Despite some truly ingenious developments in IT, authentication processes have long been neglected, with the result that to this day they hardly exceed the security level of a bicycle lock with a numeric code. The good news:
On the basis of asymmetric procedures with public/private-key cryptography and single sign-on, FIDO2/WebAuthn is a technology that combines the highest level of security with practicality and user-friendliness!
The basis for higher security is multi-factor authentication. It offers an important approach to improving the antiquated identity proof with username and password. At least two of three fundamentally different factors are combined to secure a login:
Knowledge (something only the user knows): e.g. password or PIN
Possession (something only the user has): e.g. security token or integrated crypto chip
Inherence (something the user is): e.g. fingerprint or face recognition
With classic authentication methods, both the user and the counterpart (the server) must hold the secret (PIN, password, fingerprint), so there are two weak points: the user and the website operator. In asymmetric cryptography, a public key and a private key complement each other to form a pair of two different keys that only grant access when used together.
This principle is the basis for authentication procedures that are used, for example, for "Single Sign-On" or "FIDO-2" and WebAuthn.
The basic idea of single sign-on (SSO) is the authentication of a user via a central service. After a one-time registration on such a platform, it in turn opens up access to other platforms. Providers such as Google, Facebook and Twitter already offer this service. The advantage: instead of having to remember a separate password for each login, the user can log in to a wide variety of services with a single, secure (!) password. The disadvantage: the basic password dilemma remains. If the central access is hacked, all downstream accounts are open to attackers. The process only becomes more secure if a second factor is used for authentication.
In the "FIDO Alliance" ("Fast Identity Online"), operating-system manufacturers (Apple, Google, Microsoft), numerous commercial providers (e.g. Amazon, Mastercard or PayPal) and, last but not least, the German Federal Office for Information Security (BSI) have joined forces to raise the security standard on the web. WebAuthn is an official W3C standard that is already supported by all relevant browsers and operating systems.
In addition, most modern end devices have a built-in crypto chip that enables authentication via the WebAuthn standard. The principle: the chip generates a key pair consisting of a private key, which never leaves the chip, and a public key, which is sent to the service. For later logins you only need the user name and the device with which you registered: the server sends a random challenge to the device, the device signs it with the private key, and the server checks the signature against the stored public key. The WebAuthn programming interface is the basis for this process. It is also possible to log in to a WebAuthn-enabled service with a separate crypto chip (e.g. a security token) independently of the end device (PC, smartphone).
By the way, on the webauthn.io website you can test directly whether your device or browser already supports WebAuthn!
The IT industry, which has shown far too little interest in alternatives, bears a large share of the responsibility for the security risks and serious material damage caused by password authentication. In short: the technology for a significant increase in IT security exists, and there is no reason not to use it. It is our duty as web developers to offer our customers secure, simple and user-oriented solutions. In this way we can (and must!) do our part to ensure that users and website operators have the chance to navigate the web with considerably less risk in the future!
"If I lose the security token, all access options are gone!", "A secure and at the same time conveniently practicable authentication method for the user? That's impossible!"
What do you think? Message me!