Moving Towards a Passwordless Web with Webauthn Protocol
Passwords are vulnerable. Since users must remember so many of them, they often reuse the same password across different applications or use weak passwords they can easily remember. Either way, such behavior means that it’s fairly easy to break into somebody’s account if it’s guarded only by a password. Databases containing password lists are breached regularly, which worsens the problem.
81% of all hacking-related breaches leverage stolen or weak passwords.
Multi-factor authentication (MFA) was created as a response to password issues. With multi-factor authentication, in addition to checking the user’s password, you may confirm possession of the account by entering a code sent through an SMS or generated by a specialized authenticator app. Accounts secured with multi-factor authentication are much better protected if somebody manages to steal your password. With MFA, an attacker would need to have access to your other factor to perform full authentication.
Multi-factor authentication is vulnerable to a different attack vector: phishing. Even if you use a strong password and a second factor, you can still fall into the trap of entering your credentials on an attacker’s website. According to Google Transparency Report, since 2016, phishing has been much more common on the web than using malware to steal passwords.28% of users using two-factor authentication.
These problems have caused the industry to seek out new solutions to authenticate users securely — solutions that don’t rely on passwords and are immune to phishing attacks. One such solution is FIDO2. Overseen by FIDO Alliance, FIDO2 is a set of standards that enable external authenticators, like key fobs, to perform user authentication. This standard was then adapted to the web through WebAuthn.
How Does WebAuthn Work?
Engram has always been at the forefront of online security, and with WebAuthn, the login experience becomes both smoother and safer. But what happens behind the scenes when you use WebAuthn on Engram?Registration: Your Entry into Enhanced Security
When you decide to enhance your Engram account’s security using WebAuthn, the platform prompts you to provide an “authenticator.” Depending on your device, this could be a fingerprint, a physical security key, or another trusted device, such as your smartphone.
Once you’ve selected and provided your authenticator, a unique cryptographic dance commences. Your device generates two cryptographic keys: a private one, safeguarded on your device, and a public one. This public key travels to Engram and takes its place securely within your user profile. And although it might sound technical, rest assured: this public key can’t be misused to mimic your identity or snoop into your data.
Authentication: The Secure and Swift Login
Every time you want to dive into Engram thereafter, WebAuthn showcases its brilliance. Engram sends a cryptographic challenge to your device—a complex data piece that needs validation.
Responding to this, your device uses its stored private key to sign this challenge, vouching for its legitimacy. This signed challenge then journeys back to Engram. Now, Engram’s role is to ensure that the returned signed challenge harmoniously matches the previously stored public key.
When there’s a match, voilà! You’re granted access into Engram. It’s akin to a secret, unbreakable handshake exclusive to Engram and your device.
The cornerstone of this process is the unyielding security it promises. The private key, pivotal to the authentication, remains confined to your device, making the act of impersonating your login an almost impossible task.
