There's been a lot of focus on replacing passwords for authentication lately. Google and Twitter have each put forward proposals to address issues in authentication, Google's based on browser modifications and Twitter's based on mobile phone usage. Many people advocate multi-factor authentication while others advocate email-based authentication or even more unusual ideas. While many offer realistic solutions for the headache of passwords and are more secure against some attacks, we need a solution that can address all of the related issues:
- Users can't be expected to come up with secrets or remember them or re-use them or be responsible for not accidentally giving them away.
- It cannot rely on email; it needs to work as the authentication method for an email system.
- It cannot rely on phones or other devices, since not everyone is comfortable sharing their phone number or purchasing new devices.
- It should be able to take advantage of mobile devices for multi-factor authentication if available.
- It should ensure clients' data is as secure as the clients' authentication, even with a problematic CA system.
- It needs to be in a workable form now, with code available and maximally compatible with existing browsers, servers, and devices.
EasyAuth (EZA) is a proof-of-concept passwordless authentication system based on client SSL certificates that meets all of these challenges.
- It’s much easier on your users than the typical password and secret question systems. Ordinary people just can’t create and remember random passwords for every site.
- This system stops attackers who can find out or guess security questions or guess or brute-force passwords. These are the same kind of attacks that have worked again and again against many celebrities, website owners, and ordinary people.
- Because EZA uses modern crypto, malicious websites with fake login pages that can steal passwords won’t work. You can re-use the same certificate on all websites and unlike re-used passwords, even if one site got hacked or was malicious itself, you’ll still be secure on the other sites. Or you can easily use different certificates to maintain anonymity.
- This system even stops advanced attackers who can “man-in-the-middle” your connection and strip the encryption of other sites with fraudulent certificates. Hundreds of organizations can issue certificates and many have issued bad certificates before. This system doesn’t rely on trusting any of those organizations, since it verifies your actual key!
- This system supports two factor (or 3 factor or 4 factor or…) authentication that’s stronger than even other multi-factor authentication systems.
- EZA has stronger account reset processes, using multiple devices and/or a printed or mailed reset code, not like the typical insecure account reset questions whose answers are all too easy to guess or find out.
- EZA even supports smart cards for users that have them, for true multi-factor authentication and the highest level of security.
- EZA does not require any new hardware, and it is compatible with almost every browser and platform in use today.
- EZA is BSD-licensed and github-hosted so you can check out the source, use it in your own projects, or even try it out right now from the perspective of a user at https://scriptjunkie.us/easyauth/.
It’s time to stop blaming the victims and give people something better.