Everyone who loves passwords and multi-factor authentication, raise your hand.
“I’m MEEEE!” I want to yell at a website that’s asked me for the 4th time to go to my email and phone and get a 6-digit code, or go to my email and click another link, or… some stupid thing.
Here’s another thing that drives me nuts: I have a password for my Mac and another for my Google Account. I’m in security, after all, so they are different.
The point is, I know both by muscle memory. Do you know how many times I type the wrong password into the wrong prompt? Any guesses? Nope. More. A lot.
I’m ME!!! Why can’t I get into my accounts by just being ME? I can use my fingerprint for my pixel phone and FaceID for my iPhone. Why can’t I do that everywhere?
Wait? Is there something new out there? Can I finally give passwords the finger and move on? Please tell me about it!
Let’s start with Multi-Factor Authentication, specifically the One Time Password (OTP) type.
If you wanted to play the blame game (and I do), you could blame passwords for the existence of SMS OTP and its variants (and I do that, too). Passwords are weak and can easily be stolen or guessed. So to prove (digitally) that I am who I say I am, websites prompt me to enter a second password — information that shows I have something or am someone, and if someone stole my password they hopefully do not have access to my SMS messages. Thanks, passwords, for introducing more complexity into my life.
WebAuthN (which my co-founder Alex wrote about here) is changing that. WebAuthN is a not-so-sexy technical term for Web Authentication. Passkey is a sexier marketing term for the latest extension of WebAuthN. Instead of inventing a complex password you’d never remember or reuse everywhere, or a simple one that a hacker would figure out (qwerty anyone?), WebAuthN lets people securely log into websites or applications using a phone or a security key. Because your security key must be physically accessible, and your phone needs to be biometrically (or PIN, if your finger is dirty) unlocked and in proximity. you get a much stronger second factor without needing to wait for that annoying SMS to copy-paste What? I’m drinking whatever Kool-aid you are making! How does it work?
I’ll give you the user experience, then rip the cover off and tell you geekier folks how it works:
- Enter your user name in the website login form and click to authenticate.
- Pickup phone, unlock via FaceID or Fingerprint
And that’s it. No password. Simple. And way more secure.
Here’s what happened behind the scenes: When you registered your user ID on the website, you stored a passkey instead of a password. During that process, WebAuthN created a magic key that was stored on your phone. When you logged onto the website from your laptop, WebAuthN used Bluetooth from your phone to communicate with your computer. It validated the physical proximity of the phone and verified who you were with the biometric unlocking of your phone. And you authenticated! The result is passwordless multi-factor authentication that is easy to use and phishing-resistant.
The technology is backed by the FiDO alliance, with the support of players like Apple, Google, Microsoft, (YeshID!) and others, which means your devices are likely already compatible and ready to use WebAuthN today, where they are supported, and enjoy a secure, passwordless experience built into your device – no new software required!
In security, we always talk about how there’s no “silver bullet.” But a great “bronze bullet” is focusing on the protection of identities & credentials.
If you are a small or mid-sized company using Google Workspace and want to protect yourselves against identity-based attacks (which are involved in 85% of breaches) with a secure solution that is dead simple to use, you’ll want to sign up for the YeshID Alpha, coming in April. Subscribe to our mailing list to learn more.