Hey Steemians! If you have read my article on how to secure your passwords, you should know that there are 3 main authentication factors in use today:
- What you know (e.g. passwords, PINs, secret questions and answers)
- What you have (e.g. card keys, ID cards, physical tokens)
- What you are (e.g. iris or retina scans, fingerprints, facial recognition)
Of the 3 factors, "what you know" is the most commonly used. Almost every application needs you to remember a password. Some allow you to add a second factor to enhance security, but most applications still do not support that. If you think about it, "what you know" is the most difficult factor for you to use, yet the easiest for hackers to compromise.
Note: This article is rather lengthy. So if you do not have time, you can jump straight to the TL;DR section.
Difficult for users. Easy for hackers
When we discuss security, we often break the discussion down into 3 dimensions: people, process and technology. The current state of password management is fairly mature. We have technology that can enforce long, complex passwords. We have processes to detect password attacks. However, in many cases people are the weakest link. It is close to impossible for a human brain to remember so many different complex passwords, so we take shortcuts.
A common shortcut is to use one base password and append a few site-specific characters for each site. We also build passwords from things close to our daily life (a spouse's name, a birth date, a pet's name and so on). These shortcuts make it much easier for hackers to guess and crack our passwords, because cracking tools try exactly those patterns first. To rub salt in the wound, thanks to Moore's law our CPU/GPU processing speed keeps improving at a rapid rate. The site below estimates that a random 9-character password mixing upper case, lower case, digits and special characters can be cracked within 2 hours by a botnet! (The exact figure depends on how the site stores the password: a fast hash like MD5 falls far sooner than a deliberately slow one like bcrypt.) Think about it: how many of your passwords have more than 9 random characters with that level of complexity? You can head over to this site to find out more. Note: please do not enter your real passwords!
In addition, each time a company is breached and its users' passwords are exposed, hackers gain a new advantage by adding those leaked passwords to their word lists, and because people reuse passwords, the leaked ones get replayed against other sites. Furthermore, unlike "what you have" and "what you are", hackers do not need physical access to you, or to what you have, in order to compromise your accounts. As you can see, we are losing this war against hackers. Wouldn't it be nice if we could stop using passwords altogether?
REMME's tagline is,
No more passwords — no more break-ins.
Saying there will be no more break-ins is a lofty goal and I am a little skeptical of that. But REMME does offer an "almost" passwordless authentication solution (I will explain why it is "almost" passwordless shortly). REMME builds on proven technology: Public Key Infrastructure (PKI). PKI is basically a framework in which every participant holds a private key and publishes the matching public key, with certificates binding public keys to identities, so that participants can authenticate each other without ever sharing a secret. I will save the details of PKI for a later post, as there are many concepts around it and it certainly deserves an article of its own.
Essentially, once we authenticate each other with public/private keys, we can do away with passwords: the server keeps only your public key and checks that you can produce a signature with the matching private key. If it is hard to see how that might work, I encourage you to try REMME's demo site. Through the demo you will be able to visualize how it works. If you are new to this authentication mechanism, you may not be sure how to even start, so I have created a simple tutorial to walk you through the demo.
Side-tracking: REMME's project team discovered my tutorial and mentioned it in their latest update on 1 Jun! I am ecstatic to be featured by them. My thanks to the REMME team if they catch this article too 😆. Below is what they wrote in their update article:
Ok, back to the topic. When we shift to public/private key authentication, we are actually shifting from the "what you know" factor to the "what you have" factor. If you tried the demo, you will have noticed that the private key is stored in your browser. That way, hackers cannot remotely compromise your account unless they get hold of your private key. You may argue that there is still a chance that hackers compromise your PC remotely and retrieve your private key. That scenario is indeed possible, but it is well mitigated, and here is why.
Earlier I mentioned that REMME offers an "almost" passwordless solution. That is because your private key is stored encrypted under a password. Typically you will not need the password after the initial setup, but you will still need it if you want to move your private key from one device to another. Encrypting the private key also makes it hard for hackers to use the key even if they get hold of the file (with the caveat that anyone holding the encrypted file can try passwords offline, so this protection is only as strong as the password you chose). In addition, REMME allows applications to add one-time password (OTP) protection through Google Authenticator. So even if hackers manage to get hold of your decrypted private key, they still cannot break in unless they also get hold of your phone.
The same public/private key pair authenticates you to every application that leverages REMME's PKI authentication mechanism. Hence you will use passwords less often and get a more seamless authentication experience across applications. Eventually we might really reach a stage where we have #NoMorePasswords. That being said, PKI authentication comes with its own set of problems (for example, how a server learns which public key really belongs to you, and how a lost or stolen key gets revoked). I will cover them in a later article and explain how REMME mitigates those problems with a public blockchain. If you cannot wait to find out more, I recommend reading their whitepaper.
Today's article is rather lengthy, so I have included a TL;DR. In summary,
- Using passwords for authentication is difficult for users and easy for hackers.
- Switching the common authentication factor from "what you know" to "what you have" is the way to go.
- REMME is working on a project to provide this solution, and you can test it at their demo site.
Thanks for reading! Share your pains when using passwords and let me know if you look forward to an alternative solution. What do you think is the ideal way to authenticate yourself then?