A Step-by-step Tutorial to REMME Passwordless WebAuth Demo

in #security, 6 years ago (edited)

Hello all! I am excited to learn that REMME has released their Passwordless WebAuth Demo today; you can refer to their post for the official announcement. I have been talking about the need for passwordless authentication, and I think people are wondering how it might actually work. The REMME demo is a perfect showcase of passwordless authentication in practice. The REMME team provided some simple instructions in their announcement on how to test the demo. I tried them and found that a tutorial with more detailed steps would help, so I have prepared this one to walk you through testing the REMME WebAuth demo.


Step 1 - Visit REMME's Demo Site and Register

Visit https://webauth.remme.io/ and you will be prompted to register. Fill in your details and click "Ok". Take note of the password you enter: it will be needed later, when you import the certificate.

It will then prompt you to set up Google Authenticator/Authy.

Open the Google Authenticator/Authy app on your phone and scan the QR code shown on the screen to add REMME to the app. Next, enter the 6-digit code from the app into the site and click "Ok".


Step 2 - Download and Import your Personal Certificate

The REMME site will automatically generate a digital certificate for you. This is a personal certificate that other sites using REMME's WebAuth framework will use to authenticate you.

After you have downloaded the certificate, the next step is to import it into your browser. For this tutorial, I am using Firefox. Click Settings -> Options.

Then Privacy & Security -> View Certificates.

Select Your Certificates -> Import. Choose the certificate file you have just downloaded.

You will then be prompted for the password you set in Step 1.

Once done, you should see the certificate listed in your Firefox certificate store.


Step 3 - Logging in

With the certificate imported, you are ready to log in! Head back to the demo site and click Login with certificate:

Click Ok when prompted by the browser.

Next, enter your Google Authenticator/Authy code.

Congratulations! You have successfully logged in!

You might notice that you can only log in with Firefox and not with other browsers. This is because you have only imported your personal certificate into Firefox. Follow Step 4 if you are interested in testing the demo site with another browser.


Step 4 - Import your Personal Certificate to another Browser

In this step, I will show how you can import your certificate into Chrome and log in the same way you did in Firefox.

Open up Chrome and click on Menu -> Settings:

Open the Advanced options and click Manage Certificates.

When prompted, select Personal -> Import.

Click Next through the wizard.

Browse for your certificate file and enter the import password.

Carry on clicking Next and Finish.

The import will succeed, and you can then log in the same way as you did on Firefox!


I hope you find this tutorial useful and can now visualize how passwordless authentication works. With such a framework, authentication is seamless across different sites and you do not need to remember a different password for each of them. Security is further enhanced by the 2FA requirement. Do you prefer this kind of authentication mechanism? Do share your thoughts, and thanks for reading!


@culgin thanks for the detailed steps. The pictures definitely streamlined the whole process.

I remember using Meebo back in 2011. Meebo allowed users to log in to all their IM and social media accounts by just logging into Meebo.

But Remme does one (or two) better by improving on security and doing away with passwords altogether.

Thanks! By your description, Meebo seems to be a single sign-on (SSO) solution. REMME is capable of providing SSO as well and it will also be a passwordless solution. That being said, the project is still rather early in its development. So do not expect it to gain widespread adoption anytime soon.

RESTEEMED | UPVOTED | FOLLOWED | THANK YOU
I got in Remme very early, thanks for the update.

Thank you! I also have some REMME, which I have held since the ICO.

What happens if I lose my phone with Google Authenticator on it? Or if the phone falls into a pail of water and is destroyed?

Unfortunately, if your Google Authenticator is lost somehow, you will lose all your 2FA seeds. This means that you have to reset your 2FA configuration with every site (not just REMME).

That is why I prefer to use Authy, which by default helps users keep an encrypted backup of their 2FA seeds. That way, Authy users can restore their 2FA seeds to another phone whenever they need to.

Someone said you can snap a photo of the QR code and keep it as a backup? So on a new device you just rescan the QR code?

Also... I've heard the 1Password app can help with it too.

The problem is that some 2FA sites do not let you reset 2FA easily, especially crypto sites.

Sounds interesting! So who owns the certified browser owns everything?

If someone gains access to the browser with the imported cert, they will be able to authenticate to all the connected sites. But that holds true for all websites (e.g. Facebook and Twitter) that allow users to keep a logged-in session in their browsers.

The risk comes when someone somehow gets hold of your certificate (with the private key). But even then, your key should still be stored in encrypted form and require a password in order to be imported into a browser.

On top of that, REMME also supports 2FA, so your Google Authenticator/Authy will also need to be compromised in order for others to gain full access.

Thanks, I shall check that out

Thank you for sharing.
I have upvoted you.

Thanks for reading and the support! I see that you are trying to develop the Vietnamese community. Over here, I am trying to build the Singapore community with a few others. Started to follow you too! Perhaps we can do some collaboration between the 2 communities in the future.

Very willing to support your comments

That's a really good article, with nice explanations of the whole process! Resteemed and upvoted, my Cyber-Security buddy ;-)

Thanks! Saw your blog and noticed you also write a lot about cyber security. I have followed you too!

Congratulations culgin! Your post has appeared on the hot page after 20min with 72 votes.
