
The Password Struggle

Cristina Ruth · 2 min read

Today's digital world has accounts everywhere. That means logins and passwords.

But systems get hacked, hackers get our login info and our accounts get compromised. And now, we got a problem.


So some solutions then pop up.


Like Multi-Factor Authentication. So then, if someone gets ahold of your password and you have this set up, you can stay safe. Er. Safe-er. If someone gets ahold of your "factor" (which is less likely), then you're in trouble again.

Or, the bajillion ways multiple websites require you to mix letters, symbols, and capitalized and lower-case characters to ensure a more secure password.

Or, the bajillion systems that require you to change your password every x days.

Or, the push for you to use different passwords for every single thing.

Which causes yet another issue because then, we have so many passwords, and we can't fit them all in our brain, so then we forget and we reset our passwords, and we have yet another one to remember. Which we will likely forget again anyway.

So now, we got the problem of too many passwords, so we get password management solutions to remember our passwords for us.


I mean, login with x platform makes things better and easier, but not all systems support it, and it usually also means my data is shared.

All of these solutions and problems seem to go back to one thing: passwords.


So. Is there any password-alternative out there to be able to have access to an account? There has to be some other thing? I tried a quick google and couldn't find anything.

Do you know of any alternative solutions? Please save us from this password struggle that has overrun our digital experience today! 😭

Discussion

Brad

I believe multi-factor is pretty good if done securely. So sorry, SMS verifications aren't that secure.

If you have a Titan security key, or something like the authentication app on your phone and a password, you have 2 factors to your authentication and are pretty secure. Google basically eliminated phishing attacks due to using company-wide security keys. (ref)

I personally don't believe in the "Change your password every X" systems, as it makes it more likely to make bad passwords, or forget them, and in most security scenarios the weakest link is people.

If we wanted to take things a step further than "what you know" and "what you have" then you can go down the list of the following:

  1. What you know - passwords
  2. What you have - physical keys, wallets
  3. What you are - physical traits like fingerprints
  4. Where you are - your physical location, IP location, relative to your last location, etc
  5. Something you do - observable actions (this one isn't that common)

(ref)

Logging in with another service doesn't necessarily mean they get my password, they do get a token that represents me but my password should be secured by 1 party. I try to login using the same account for this reason, as it should lessen my exposure of passwords out in the wild.

Finally, I wanted to bring up I remember reading there are ways to still prevent quantum computers from destroying our current security, but I totally forgot where I can find a reference for it. 🤔

tootomthumb

The need to replace usernames/passwords with something that is easy to use, operates on any platform, inexpensive and secure has been a challenge that many security experts have recognised for over 20 years. Unfortunately that's a big challenge.

By developing a whole new field of cryptography MIRACL miracl.com has managed to do just that. It uses Identity Based Encryption and a Zero Knowledge Proof protocol meaning this one-step login process is resistant to Credential Stuffing, Man-in-the-Middle and Phishing attacks, just to name a few.

The Multi Factor Authentication is provided with Something You Own being a software token and Something You Know being your PIN. Importantly the PIN only remains in your head and is not stored or verified by any other server. It works by recombining your PIN with the software token to create a cryptographic key - LOCALLY! Once you have a key you can prove your rights to authenticate on the service verifying you. Importantly NO PERSONAL DATA is stored or transferred at any point!

There's bucket loads to explain but in comparison to some other alternatives mentioned here like SQRL, MIRACL Trust doesn't require any form of hardware like a secure keycard, biometric reader or even mobile. So it can be deployed on any platform such as desktop, mobile, smart TVs or anything that can run a browser or a native app.

Unlike 2nd step protocols using things like SMS Texts or authenticator apps, it is single step. One PIN and you're in. Nor does it require a download or installation of any software, although a native mobile app will need to incorporate some SDKs.

Versus Biometrics, no personal information is collected directly or passively (your face/fingerprint or the way you type for instance). You use a PIN and the PIN is YOUR secret and yours alone. You do not have to send it anywhere and it cannot be stolen from the infrastructure. If you do forget it, it is a simple matter to re-enroll your accessing device/browser.

I know it sounds almost too good to be true and since it is proprietary you might be worried that it's priced for big banks. True, big banks use the solution but it has been designed to work with large, relatively low value, B2C networks of any size...1-100,000,000. The first 1000 uses are free each month and it is entirely free for any non-profit/charitable/academic use. You can try it out here trust.miracl.cloud/get-started.

FULL DISCLOSURE: I'm the Chief Commercial Officer of MIRACL Technologies Ltd but disregarding my conflicted position, I think it is an awesome solution that I would be proud to have you guys test, (try to) break and hopefully use in the future!

More than that I would love to have the discussion or debate(!) here, to get some real feedback from the folks who make things happen.

Cristina Ruth Author

This is an interesting concept. Thanks for sharing!

Are you able to share any data in terms of your production use today? What is the largest system your solution implemented on, and how many estimated users are on that?

Since this solution requires only a PIN, I would assume that there would be very low occurrences of forgot password cases. Is this correct?

tootomthumb

Hi Cristina, I can share a bit :)

Experian UK and Credit Agricole are both users of the SaaS system and those numbers are quite large although not the whole enterprise/customer network.

Our cryptographic IP has been purchased and is in use by some of the largest companies and organisations in the world, given these are embedded in their products I have to be careful with details. Includes one of the top two largest internet and semiconductor companies. Also organisations like a branch of the US Military.

Our solutions are not limited to PINs either; we can create a solution which we call Password + which has all the advantages ZKP, single pass MFA, blocks 98% of attacks BUT uses a password!!! (all locally).

PINs are great because there is a lot of user familiarity with Chip-n-Pin and as you say they are relatively short and easy to remember versus a 12 digit, alphanumeric, upper/lowercase, inc symbol password!

So you would expect a reduction in forgetting them, but if they do, it is easy to re-enroll.

Dennis Ploeger

I've read about an idea to get rid of passwords completely for most systems and just use mail or other ways of contacting the user. The user will get a message they have to confirm and then they're logged in.

This is compelling, but it actually boils down to the same thing: if the mailbox (or whatever) is compromised, everything falls down again.

Additionally, with the rise of more sophisticated platforms like quantum computing, which can easily break even hard passwords in seconds, the problem is taken to a whole new level (same thing for encryption btw).

So I'm basically out of ideas. I guess the most promising ones are MFA and biometrical scanners.

Cristina Ruth Author

Yeah, it really does boil down to being able to secure the account safely, whatever method is used.

Biometrics is an interesting method, but seems a lot more worrisome for companies to be able to authenticate me using my biometrics? I mean, it doesn't stray far from Apple's TouchID or FaceID, so I guess the concept would be easily accepted by the general population.

Dennis Ploeger

Totally. Putting your finger on something or showing your face is way easier than typing in a long password. However, the development of these technologies is quite pricey, because they need to make sure to design those securely as well.

Justin Mancinelli

Even more pricey to change your biometrics if they are compromised.

They are great options for extra steps, though.

Security Keys are great because they are hardware and need to be nearby. If you don't have a supported Android phone there are physical keys you can even hide in jewelry.

tootomthumb

This trail skirts an interesting topic. The use of emails for enrolment and also enrolment flows in general.

Whatever your authentication system, username/password, 2 step systems like SMS texts, Authenticator Apps, SQRL and even MIRACL Trust all have to rely on some onboarding or enrolment to the authentication framework.

That's tightly coupled to the process where the service provider either 1) recognises you have the rights to some account/service or 2) you register for the first time for those rights.

My first point is that the process itself is highly dependent on which of those two cases you address. Many services will be happy to use email enrolment to start with, then the user will go through a KYC process or the user will build value in the account. Once the account is established you have to look at using email as the sole proof VERY carefully.

Even a perfect authentication system (such as MIRACL 😃) can only guarantee that the person who enrolled is the same person who subsequently authenticates. Obviously if the service allows the wrong person to enrol in the first place, then all bets are off. MIRACL's standard SaaS service uses a 2 step email enrolment process, exactly the same user flow as a normal email validation. In the case of a re-enrolment to an existing account I would suggest that before allowing them to re-enrol you have another step, such as an SMS text or a question that only the account holder would know.

The second point is that not all services are equal and one enrolment flow does not fit all circumstances. As an example we have banks who require a physical visit to a branch with identity documents, so an officer of that bank can issue a One Time Password which is then used during the re-enrolment process (re-enrolment because this is almost always against an existing account). Emails are not part of the process. We also have websites with very low value services which allow registration/enrolment with no requirements and re-enrolment with a simple email.

One size does not fit all and emails can play a part under some circumstances. So you need to assess the service and situation, then make sure the technology can support the requirements.

Thomas H Jones II

There's a number of options available or in the works. Most of the options take the form of trust-proxies or tokens (something verifies that you're you, then, via a trust-web, effectively vouches for you with other systems). Some of the trust-proxies that establish your "youness" are kind of creepy, though. So, it might be a hard sell to get them widely adopted (do you really want to have to use a login system that knows you're you just by the way you walk or type or other, even more personal, uniquely-identifying idiosyncrasies or attributes?).

Cristina Ruth Author

Are there any available options today that are NOT creepy? Definitely would be a hard sell for those. We would need something that would be a no-brainer for people to switch to.

mlaj

SQRL looks cool if it gets adopted widely. Still sad that it can't do cross device tho.

The person that will manage to free us from password safely will become a god.

Cristina Ruth Author

Oh definitely! That person/company will make big $$$.

I tried a quick google on SQRL but found too much text. Could you give a high-level summary of what it does?

mlaj

en.m.wikipedia.org/wiki/SQRL

"SQRL (pronounced "squirrel")[3] or Secure, Quick, Reliable Login (formerly Secure QR Login) is a draft open standard for secure website login and authentication. The software typically uses a link of the scheme sqrl:// or optionally a QR code, where a user identifies via a pseudonymous zero-knowledge proof rather than providing a user ID and password. This method is thought to be impervious to a brute force password attack or data breach."

It's like 2FA mixed with OAUTH on steroids for everything, without a third party.

Basically you have to have the app/software on your device to be able to use it. You only need to remember your master password, and theoretically any other login would be made using SQRL.
The inventor also added a few different ways to get your account back if it gets hacked or stolen.

A good idea on the surface, but the main problem is that it needs to be used almost everywhere for it to be worth it. Still a very good idea tho.

theCuriousOne

I browsed through the comments and noticed no one mentioned the FIDO2 standard fidoalliance.org/fido2/. It has been in development for some time now (plus all modern phones have the standard implemented for Android since version 7).

Cristina Ruth Author

Thanks for this! I actually recently found out about WebAuthn as well. Didn't know it's under FIDO. I'm so excited to see these implemented everywhere.

I saw a demo around WebAuthn and the user experience is so easy!

Filip

My electricity provider uses a system where instead of a password, I can have a one-time link emailed to me to log in. Sure it takes a fair chunk of time compared to a password autofill, but I actually managed to never set a password with them and always use the OTP. Why? Because I believe that demonstrating control over a certain known identity provider is much more secure than demonstrating knowledge of a secret. And I trust Google a lot more to keep my account secure against other people who aren't Google than my electric company, for whom backend development and infosec aren't core parts of the business. I like this approach.

Anecdotally - at my previous workplace, there was a handful of customers who habitually used the 'reset password' option instead of remembering their password. The audience of the product was not what you might stereotype as super tech-savvy but I have a feeling they knew more than they let on.

And finally, Mozilla has a little known project to offer this type of OTP-by-email as a service that you can either host yourself or use their public instance for testing: portier.github.io/
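The one-time emailed login link described in this comment (and in Dennis Ploeger's earlier one), sketched from the server side as an added example that is not part of the thread or of any provider's code. `MagicLinkStore`, `TOKEN_TTL_SECONDS` and the 15-minute lifetime are assumptions; the point is that the link secret is random, stored only as a hash, single-use and short-lived.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed link lifetime, not taken from the thread


class MagicLinkStore:
    """In-memory stand-in for a table of pending login links (hypothetical)."""

    def __init__(self, clock=time.time):
        self._pending = {}  # sha256(token) -> (email, expires_at)
        self._clock = clock

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Create the secret for the emailed link; only its hash is stored."""
        # A new request invalidates older, unused links for the same address.
        self._pending = {d: r for d, r in self._pending.items() if r[0] != email}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (email, expires_at)
        return token

    def redeem(self, token):
        """Return the email the link was issued for, or None if it is invalid."""
        # pop() makes the link single-use, even when it turns out to be expired.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None
        email, expires_at = record
        return email if self._clock() <= expires_at else None


def demo():
    """Constructed walk-through: first use, replay, then an expired link."""
    now = [1_000_000.0]  # fake clock so expiry can be shown without sleeping
    store = MagicLinkStore(clock=lambda: now[0])
    token = store.issue("user@example.com")
    first, replay = store.redeem(token), store.redeem(token)
    late = store.issue("user@example.com")
    now[0] += TOKEN_TTL_SECONDS + 1
    return first, replay, store.redeem(late)
```

Because only the SHA-256 of the token is kept, a leaked copy of the pending-links table does not hand out working login links; the mailbox itself remains the thing that has to stay secure.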

Jose Fernandez

Cristina, the solution is here: Secure Quick Reliable Login (SQRL), see more information at grc.com/sqrl.
I hope this gets implemented everywhere. I have implemented it in my WordPress site and it works very well.

Omer Hamerman

1Password FTW!

Cristina Ruth Author

It definitely helps manage the password craziness for sure. I have it not just to manage the passwords but to help share passwords securely :)

Still though, I do wish we didn't have to manage so many passwords at all.

Trinmar Boado

Single Sign-on (SSO) 😍😘

Cristina Ruth Author

I forgot about SSO, and it definitely helps, for sure. It's kinda like the login with x system we see today. Systems are setup to "trust" another system in terms of who the user is, and user metadata is passed along as needed.

Herb Wolfe

What about a password manager?

Cristina Ruth Author

But why would you need a password manager? Because of the bajillion passwords you have to remember.

Doesn't quite solve the root issue. 😕