Passwords. Either you love them, or you hate em. Just kidding – you hate them.
Since what was probably the dawn of time, we have considered passwords as the de-facto form of authentication in virtually ever application ever. Your social media account is password-protected. Your e-mail is password-protected. Your bank account is password-protected. It’s hard, if not completely impossible, to use the Internet without having to memorize multiple passwords (assuming you don’t share the same one across every single platform, from fun stuff to business stuff to naughty stuff, completely ignoring every password security advisory ever in the history of humankind).
Just about every implementation of password protection is accompanied by an advertisement of its biggest flaw – a "Forgot your Password?" button. That’s the thing about passwords – they are just short of impossible to remember.
To dissuade users from reusing their passwords, we have universally decided to impose strange rules upon them. Your password must be 17-56 characters long, must contain at least 5 special characters, and CANNOT match any of the other users’ combined past 73 passwords. By the time a suitable password is created, it’s been long forgotten.
So with all the extra fuss over passwords, are they even that secure? You guessed it. No, not really.
For a password to be secure, it needs to be:
- Difficult for a human to guess
- Difficult for a computer to guess
- Used only in one place
That last one is the real killer. Who in their right mind learns a different password for every single site out there? If a password is being used by the same person on sites A, B, C, D, and E, then a compromise of any of those sites could potentially lead to a compromise of all 5 websites.
So, what alternatives exist? How can we reliably authenticate users, without having to place our security into the hands of the universe?
One-time access codes show promise here. Instead of using a password at all, users can be sent a one-time code, which expires after a brief period of time. The simplest implementation of this would send the plaintext code to the user’s e-mail address, and store a hashed version in a database. Entering the correct code would result in a successful sign-in. The access code can also be locked to the user’s IP address, so that even if a remote hacker manages to get their hands on the code, it would be completely useless to them.
However, even this model has a serious flaw. Even though your site might not implement password authentication, it relies on another system that probably does: an e-mail provider. If the user’s e-mail is compromised, then access to your site becomes a virtual free-for-all.
A better option to rely on that e-mail is SMS. The passcodes on most people’s smartphones are extremely strict about locking out brute-force attempters, and also are usually not used in other places. To get past an IP-enforced one-time access code system, not only would an attacker have to steal your phone AND correctly guess your passcode without getting locked out after 10 tries, but they would also have to remain in the same area as you to evade the IP lock. As one can imagine, this scenario is considerably less likely than someone correctly guessing your e-mail password and using it to impersonate you across the Internet.
All hope is not lost, friends – we can escape the never-ending cycle of passwords and password resets. However, for it to be successful, all vendors who implement passwordless authentication systems must be cognizant of potential security holes, and avoid using weak algorithms to protect sensitive data.