The Complete Magazine on Open Source

Security without Passwords

, / 8587 0


Passwords have their own inherent vulnerabilities. They are prone to being forgotten and sometimes being hacked. While a strong password can provide security, there are other larger issues involved. In this article, the author takes a look at various methods of online identity authentication other than the ubiquitous password.

The following example is indicative of the risk faced by most people when using technology for financial transactions (

Sir Bernard Hogan-Howe, the metropolitan police commissioner, said customers who had fallen foul of online fraudsters were being “rewarded for bad behaviour” instead of being incentivised to update anti-virus software and improve passwords.

At least from newspaper reports, it would appear that it is not easy for Indian consumers to get back their money in case of online frauds. The sad part is that in an effort to be ‘easy to use’, security considerations have taken the back seat and now it is tough to find alternate means of tightening security. Fixing bad systems is never easy.
For example, reports that Google hopes to allow passwordless authentication on Android phones by taking into account “…a combination of signals — like your typing patterns, your walking patterns, your current location, and more.”

Client certificates for authentication
Identity management has been an issue since the start of the Internet revolution. X.509 certificates date back to 1988. X.509 requires certificates to be issued by a certification authority (CA). A CA is needed in order to ensure trustworthiness of a certificate. An organisation could set up its own CA using openssl and issue certificates to each of its users. Its Web server has to be configured to authenticate those using client certificates.
As users import their client certificate into their browser, they will get access to the website and not be required to take any further action.
However, hardly anyone uses such authentication. The reasons are not hard to understand.
Distribution of the certificates is complex. It’s hard for users to manage their certificates. Moving certificates across devices or even browsers is also quite a complex task.

Smart cards for authentication
Some of the problems associated with client certificates can be managed by placing the certificate on a smart card. The smart card reader can be enabled in Firefox using the Preferences > Advanced > Certificates > Security Devices options. The US Department of Defence is probably still a major user of this method. But authentication using smart cards has not picked up in spite of the availability of USB tokens which eliminate the need for a smart card reader.
While this method eases the issues of a user managing client certificates across multiple devices, there remains the issue of how to manage keys. You certainly would not like to carry around different smart cards for different sites.
An interesting example is the Estonian ID card (see Wikipedia) which “…is also used for authentication in Estonia’s ambitious Internet-based voting programme.” Any organisation in Estonia could, in principle, trust the public key of a person using the Estonian ID card.
There is even an OpenPGP card. The key pair is stored on the card; however, the private key can never be extracted from it. You may, however, replace the key-pair with a new set.
The card works along with the GnuPG software for digital signing and cryptographic purposes. It is also available as a USB token.

Universal Two Factor (U2F) standard
You might have come across the two-step authentication introduced by Google. One of the options is to use a security key developed by Google and Yubico for two-step verification in Google accounts. It is currently also used by Dropbox and GitHub. The key is supported by Chrome. Currently, an add-on is needed, which enables the security key to be used in Firefox.
Google has been immensely influential in making servers switch to HTTPS. The company may succeed in getting individuals to use security certificates as well! The price of a security key online is US$ 18. Hence, it can be a fairly inexpensive option for an easy-to-use additional layer of security, especially for online financial transactions.

OpenID – distributed authentication
While OpenID does not eliminate the need for a password, it does reduce the number of passwords you may need. According to Wikipedia:

As of March 2016, there are over 1 billion OpenID enabled accounts on the Internet and approximately 1,100,934 sites have integrated OpenID consumer support.

If the website providing the identity services switches to an authentication process that doesn’t rely exclusively on passwords, every site using its services benefits.
The drawback of OpenID is one of trust.

The identity provider does, however, get a log of your OpenID logins; it knows when you logged into what website, making cross-site tracking much easier. A compromised OpenID account is also likely to be a more serious breach of privacy than a compromised account on a single site. (

The perceived drawback is an incentive for serious OpenID providers to ensure greater security for authentication and win the trust of users.

A plan for traveller identification
When travelling abroad, people from various organisations need to verify your details like your passport, visa, tickets, etc. This takes time, as can be seen with the long lines at airline and immigration counters. If you lose or misplace any of the documents required, it becomes a very serious issue. And losing/misplacing documents during the fraught, tension-filled environment of international travel is not all that difficult.
Sita, an organisation in the travel trade, hopes to address the issue by encrypting the travel documents using public key encryption. The encrypted data would be stored on a distributed database (which was created for bitcoins) using block chains. Travellers would give their public key (quite possibly using a 2D bar code) during the journey, where ever needed, for a faster and simpler travel experience.
This plan and the security key are examples of higher security with greater ease of use. A common thread in all the above-mentioned cases is the use of private/public key encryption.

Using OpenPGP in Firefox
Accessing OpenPGP keys in a browser needs a plugin. Your Google search will lead you to WebPG and Firegpg. The latter project has been discontinued. WebPG, which seems to work for some and not for others, was last updated in January 2013. So, here is an opportunity for some students to revive or create a project to enhance the security of Web applications, e.g., by enabling users to seamlessly and digitally sign their critical data.
As an increasing amount of our data and transactions are online, with fewer human interfaces to resolve unexpected failures, it is imperative that the developers think of security first and get rid of the meaningless inanities, like a typical line at the end of various statements, which states: “This is a computer generated document and needs no signature.”
The user should be able to trust the site and, more significantly, the site should be able to identify and trust the user!