Every now and then an article appears claiming that someone has finally invented passwordless login. By the time we finish reading it, we have usually lost interest in trying it, because in most cases the solution demands a deep understanding of the IT world (we end up dealing with command-line key-generator programs) or requires buying a piece of security hardware (for example a one-time password generator). Right now, we will dream big and investigate the topic. I truly believe that the age of passwordless login may arrive hand in hand with 2FA.
In the introduction we already mentioned some phases worth investigating. Let’s start with the problem itself: why do we need a password at all? The idea of the computer password goes back to Fernando J. Corbató, who passed away on 12 July 2019 at the age of 93. He was looking for a way to protect user accounts from intruders. Hopefully everybody is well aware of the importance of passwords; people do keep their Facebook password secret, right? In a nutshell, a password serves to authenticate the user, so the program can make sure that the person trying to log in is the right one. There are several password manager programs, but they deserve only a brief mention here, because all they do is help users not to forget their passwords. With their help we can store and manage passwords for different websites and their services, and we only need to remember one master password to reach all of them. I must confess that I always forget the master password, as I come up with ideas that are too safe… 😊. So I miss out on the main benefit. For this reason, password managers do not provide a real solution for what we are after (passwordless login).
So, how can passwords be replaced? The solution has been around for a long, long time. Okay, maybe not that long. In 1977 the RSA (Rivest–Shamir–Adleman) algorithm was published, the first asymmetric (public-private key) encryption scheme to reach wide use. Moreover, it laid the foundation for digital signatures, digital authentication and the public-key signatures that fundamental parts of blockchains rely on. But how does it help us replace a password? To understand that, we need the basics of public-private key encryption. I promise it won’t be too technical, however tempted I am to start talking about mathematical theorems. So, for everyone’s benefit, today we will talk neither about Fermat’s little theorem nor about elliptic curves.
So, the concept is that everybody gets two keys (later I will explain what a key really is; basically it is the output of a mathematical algorithm, and in reality keys are just numbers). One key is private and known only to its owner. The other one is public and may be known by everyone. The two keys are mathematically linked, but the link only works one way: the public key reveals nothing about the private one (recovering it would mean solving a problem, such as factoring a huge number, that is infeasible in practice), while the public key is easily calculated from the private one. Oh yes, one more important property, true of RSA in particular: whatever one key does to a piece of data, the other key undoes, so if we apply both keys to the same data we get back the original data.
Let’s see an example. If we picture the data as a door, one key turns the lock to the right and the other turns it to the left. The door opens only if the lock has been turned equally in both directions. Why is this important? Because if someone locks a message with my public key and sends it to me, I am the only one capable of opening it. It doesn’t matter if someone copied the encrypted message in transit, because the only person who knows the private key is me (this is what we call encryption). Conversely, if I “lock” a message with my own private key and then publish it, anyone can open it with my public key (this is the idea behind digital signatures; in practice what gets locked is a fingerprint, a hash, of the message rather than the whole message). In this case there is assurance that I wrote the original message, because only my private key could have locked something that my public key opens. One question remains: how do other people know that a public key is really mine? The answer is public key stores, in practice certificates. There are plenty of them and we rely on them daily without noticing. Every time the little lock icon appears next to a website address, the browser has checked the site’s certificate (which binds the site’s public key to its name) against the list of certificate authorities it trusts, to decide whether the site is who it claims to be. For e-banking this is how we make sure we are on the bank’s own website and not being tricked.
So, how can we replace a password with a public-private key pair? Simple: we add our public key to our user account and keep the private key somewhere else. When we log in, the website sends us a fresh random piece of data (a challenge), we digitally sign it with our private key and hand the signature back, and the site checks it with the public key on file (note: let’s not dwell on this simplified phrasing, the aim here is a better understanding). The challenge must be new every time: if the site accepted a signature over an old one, anyone who captured it on the network could simply replay it. One could say that this is not a real passwordless solution, as we now have to keep something even harder to remember than a simple password. But notice that our private key never left our computer; only a signature did. Furthermore, with special devices we neither have to remember our private key nor find a safe place for it: these devices store the private key on themselves. Whenever the private key is needed, for identification, login or signing, the key material never leaves the device; it does not even enter our computer. The digital signature is created on the device itself, so these devices are practically micro-computers. Most of them are connected to the computer over USB and need a special program to be used. A huge investment is needed to make them compatible with every computer or phone, and most devices on the market today cannot support every phone, computer and operating system.
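The key-pair mechanics of the previous paragraphs and the challenge-response login just described, as an added worked example in Python. This is illustration code written for this page, not BlockBen’s solution or any product’s code. It uses textbook RSA with constructed Mersenne primes so that every number is visible; the key sizes, the unpadded operations, the hash-mod-n shortcut and the `Website`/`Device` names are assumptions of the example, and nothing here is fit for real authentication. It shows the round trip through both keys, a signature being verified, a normal login, a replayed signature being refused, and a signature from someone else’s key pair being refused:

```python
"""Added example: textbook RSA keys, signatures and a replay-safe login.

Not code from the article or from BlockBen. Primes, key sizes and the
Website/Device names are constructed for the demo; real systems use random
~1024-bit primes and padded schemes such as RSA-PSS. Illustration only.
"""
import hashlib
import secrets
from math import gcd

# Constructed toy primes (the Mersenne primes 2^31-1 and 2^61-1).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537


def make_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key and the private key.

    n = p*q and e are public; d is secret, with e*d = 1 (mod phi(n)).
    Getting d from (n, e) requires factoring n, which is what keeps the
    private key secret while the public key is handed out freely.
    """
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))   # modular inverse, Python 3.8+


def apply_key(key, value: int) -> int:
    """Turn the lock one way with either key (textbook RSA, no padding)."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


# Encryption: anyone locks with my public key, only my private key unlocks.
def encrypt(public_key, plaintext: int) -> int:
    return apply_key(public_key, plaintext)


def decrypt(private_key, ciphertext: int) -> int:
    return apply_key(private_key, ciphertext)


# Signature: I lock a hash of the message with my private key; anyone can
# check it with my public key.
def _digest(message: bytes, n: int) -> int:
    # Real schemes pad the hash to the key size; reducing mod n is a
    # shortcut that keeps this toy self-contained.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    return apply_key(private_key, _digest(message, private_key[0]))


def verify(public_key, message: bytes, signature: int) -> bool:
    try:
        return apply_key(public_key, signature) == _digest(message, public_key[0])
    except ValueError:          # signature not even in range for this key
        return False


class Website:
    """Relying party: stores public keys only and issues one-time challenges."""

    def __init__(self):
        self.accounts = {}      # username -> public key
        self.pending = {}       # challenge -> username, removed once used

    def register(self, username: str, public_key) -> None:
        self.accounts[username] = public_key

    def challenge(self, username: str) -> bytes:
        # Fresh random nonce per attempt: a captured signature over an old
        # challenge is worthless because that challenge is never accepted again.
        nonce = secrets.token_bytes(32)
        self.pending[nonce] = username
        return nonce

    def login(self, username: str, nonce: bytes, signature: int) -> bool:
        if self.pending.pop(nonce, None) != username:   # unknown or already used
            return False
        key = self.accounts.get(username)
        return key is not None and verify(key, nonce, signature)


class Device:
    """Phone or USB token holding the private key; only signatures leave it."""

    def __init__(self, primes=(P, Q)):
        self.public_key, self._private_key = make_keypair(*primes)

    def sign_challenge(self, nonce: bytes) -> int:
        return sign(self._private_key, nonce)


def demo() -> dict:
    site, phone = Website(), Device()
    site.register("alice", phone.public_key)
    pub, priv = phone.public_key, phone._private_key
    m = 1234567890123            # both keys, in either order, give the data back
    round_trip = (decrypt(priv, encrypt(pub, m)) == m
                  and apply_key(pub, apply_key(priv, m)) == m)
    nonce = site.challenge("alice")                 # normal login
    sig = phone.sign_challenge(nonce)
    login_ok = site.login("alice", nonce, sig)
    replay_ok = site.login("alice", nonce, sig)     # eavesdropper resends the pair
    other = Device(primes=(2**89 - 1, 2**107 - 1))  # attacker's own key pair
    nonce2 = site.challenge("alice")
    forged_ok = site.login("alice", nonce2, other.sign_challenge(nonce2))
    return {"round_trip": round_trip, "login": login_ok,
            "replay": replay_ok, "forged": forged_ok}
```

Running `demo()` returns `{'round_trip': True, 'login': True, 'replay': False, 'forged': False}`. The website never holds anything that lets it log in as Alice: it stores her public key and a table of outstanding challenges, and a challenge is deleted the moment it is used, which is what defeats the replay. The private key stays inside `Device`, the role a phone or USB token plays in the article.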
The solution we are currently developing at BlockBen can be a breakthrough in this field, and it is in line with the 2FA (a.k.a. SCA) security requirements laid down by the European Union. By the way, what are 2FA and SCA? 2FA stands for two-factor authentication, and SCA is the abbreviation of “Strong Customer Authentication”. Among the EU’s PSD2 requirements is a rule for enhanced security: besides the password, a second layer of authentication is necessary to execute a transaction. This process is called “Strong Customer Authentication” and it is essentially a 2FA requirement. The main point of 2FA is that a transaction is considered valid only when at least two independent factors take part in the identification: typically a device the customer possesses and a piece of information only the customer knows (a third category, something the customer is, such as a fingerprint, also counts as a factor).
Let’s imagine that our phone is the device that stores our private key, generated by the app itself, so that we do not have to do any witchcraft to create it. From there it is only a small step into the world of password-free living. On websites we will be able to log in by scanning a one-time QR code. What a future! No need to remember passwords, and no need for an IT degree! My private key will be on my mobile, protected by a PIN and/or fingerprint. With this solution, financial transactions cannot be carried out without both me and my phone. What is that, if not the next step towards higher security while making our lives easier?
Note: the regulations, processes and technologies that appear in this article are simplified to make them easier to understand. 😊