Web Identity Showdown: Ethereum vs WebAuthn

I recently came across an article titled “Ethereum Single Sign On Might be the Future of Internet App Log In”.

Like the better-known Bitcoin, Ethereum is a cryptocurrency. But there are many who would argue that the platform supersedes its value as a cryptocurrency by providing an ecosystem for building decentralized apps and so-called smart contracts.

While the idea of using a cryptocurrency platform for SSO seems out there at first glance, Gary Gensler actually discusses the use of blockchain for digital identity in his MIT blockchain lecture series (though a bit disappointingly, his discussion ends up being far more philosophical than technical).

The article proposes that users register a .eth domain name and then use that as “a decentralized self-custody username system” and as a replacement for SSO.

For a number of reasons, this approach seems like a reach to me given the general lack of technical savvy among the public and general lack of knowledge of the crypto ecosystem. And ironically it creates a centralized identity on a system that’s meant to be decentralized in nature.

Rather than Ethereum or cryptocurrencies, I think that the most likely technology that will change how we identify ourselves on the Internet in the near future will be a protocol called WebAuthn.

The Problem with Passwords

Before we get into WebAuthn, it helps to understand what is fundamentally broken with the way identity verification is handled on the Internet today. By and large, identity is still handled using usernames and passwords.

And it is the password that is the weakest link.

In 2019, Microsoft published an article which outlined the reason they dropped password expiration policies in Active Directory.

There’s no question that the state of password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.

It goes into great detail about how asinine many long-standing password security policies can be in the face of reality, and I recommend reading it in full.

One of the points made is that once a password or hash is compromised, immediate action should be taken rather than waiting for an expiration period. And therein lies the crux of the problem: passwords are much easier to hack than most folks think.

An Ars Technica article from 2013 talks about how hackers can break cryptographically hashed passwords with a 90 percent success rate.

Enter Multi-Factor Authentication

To counter the inherent weakness of passwords, multi-factor authentication (MFA) was developed to add a second factor of identity verification.

The National Institute of Standards and Technology (NIST) digital identity guideline recommends the use of two or more authenticators for multi-factor authentication. These fall into three simple categories:

  1. Something you know – like a password
  2. Something you have – such as a physical device or access to a secure resource
  3. Something you are – or the use of biometrics

MFA on the Internet largely relies on something you know and something you have. Typically, the thing that you “have” is access to an email account or phone number to receive a confirmation code or one-time link.

But this has its own problems. How many of us dutifully log out of our email clients? What if your email account has been compromised? What about the known issues with SMS and just how easy it is to intercept SMS messages and reports of SIM swap hacks?

Multi-factor authentication itself is sound, but the problem is that the way it is executed today on the Internet has fundamental flaws.

How WebAuthn Will Change Identity on the Internet

That’s where WebAuthn comes in. WebAuthn is a protocol that has been developed by the Fast Identity Online (FIDO) Alliance.

The organization includes members like

  • Amazon, Facebook, Apple, Microsoft, and Google representing the tech industry.
  • Visa, MasterCard, American Express, and PayPal representing consumer financial transaction processors.
  • RSA, Ping Identity, and various other identity and security vendors.
  • As well as Intel, ARM, and Qualcomm representing chip suppliers.

Like cryptocurrencies and SSL, it is based on public-private key cryptography and verifies identity using something you have: access to a private key. While it is commonly referred to as enabling “passwordless” authentication, this simply means that no password is stored or transmitted in the process of identity verification. A local password can still be involved in the process.

Let’s take a look at how this works in practice. There are a number of websites where you can try it out.

WebAuthn.io is a website where you can try this out for yourself on your laptop with Windows Hello. Enter a username and click register and you’ll be prompted to reconfirm your device credentials using the mechanisms available on the device. What’s important to understand is that these authenticators — for example your fingerprint data — never go over the network and that’s what makes WebAuthn so secure.

Today, WebAuthn is already being adopted by Twitter, Facebook, GitHub, and other websites but primarily as a second factor rather than the primary mode of authentication and always using a physical security token to manage access.

For me, what’s more interesting is adopting it as a primary mode of authentication. Using it with a PIN, password, or biometric always covers 2 NIST authenticator types. Access to the physical device which holds the private key is something you have. And the device PIN or device password is something you know whereas biometrics using your fingerprint or face ID is something you are.

Is It SSO?

WebAuthn is not an SSO scheme because the credentials are always scoped to a specific web application.

And it has some obvious differences that make it unsuitable to replace SSO.

In an enterprise, for example, an SSO identity broker can be used to manage enterprise wide systems access whereas this is not the case with WebAuthn.

On the Internet, WebAuthn would offer no central management of identity as would be the case when logging in with Google or Facebook or Office 365 for example.

But because the user is able to reuse an existing ostensibly secure identity combined with access to a device, it feels like SSO to the end user and has the benefit of isolating a user’s identity to the scope in which it is registered. To me, this is even better than SSO because a malicious user accessing an unsecured terminal would not then have access to dependent systems as would be the case with SSO.

For example, if you walk away from your PC without locking it and you’re logged in to your Google or Facebook account, systems using Google or Facebook as an SSO provider could also be compromised.

On the other hand, a WebAuthn secured application requires the user to present a physical token or re-authenticate with device credentials.

This also has big benefits for privacy because without a centralized identity provider, there can be no tracking of the user’s applications and logins.
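To make the per-application scoping and the device re-authentication concrete, here is an added example (not code from the original article or from any WebAuthn library) of the checks a relying party runs on a login response before verifying its signature. The function names, the example.com and example.net sites and the sample data are constructed for illustration, and the signature check against the registered public key, which must still follow, is left out because it needs a cryptography library.

```python
import base64
import hashlib
import json

FLAG_UP = 0x01  # user present: someone touched or confirmed on the authenticator
FLAG_UV = 0x04  # user verified: the device checked a PIN or biometric locally


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion(client_data_json, auth_data, challenge, origin, rp_id):
    """Return the names of the failed checks; an empty list means acceptable."""
    client = json.loads(client_data_json)
    if len(auth_data) < 37:  # 32-byte RP ID hash + 1 flag byte + 4-byte counter
        return ["authenticator data length"]
    checks = {
        "type": client.get("type") == "webauthn.get",
        "challenge": client.get("challenge") == b64url(challenge),  # blocks replay
        "origin": client.get("origin") == origin,  # site the browser saw
        "rp_id_hash": auth_data[:32] == hashlib.sha256(rp_id.encode()).digest(),
        "user_present": bool(auth_data[32] & FLAG_UP),
        "user_verified": bool(auth_data[32] & FLAG_UV),  # second factor shown
    }
    return [name for name, ok in checks.items() if not ok]


def sample(origin, rp_id, flags, challenge):
    """Build constructed (not captured) clientDataJSON and authenticator data."""
    client = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (7).to_bytes(4, "big")
    return json.dumps(client).encode(), auth


def demo():
    issued = b"\x01" * 32  # constructed challenge the server issued for this login
    expect = dict(challenge=issued, origin="https://example.com", rp_id="example.com")
    good = sample("https://example.com", "example.com", FLAG_UP | FLAG_UV, issued)
    other_site = sample("https://example.net", "example.net", FLAG_UP | FLAG_UV, issued)
    touch_only = sample("https://example.com", "example.com", FLAG_UP, issued)
    stale = sample("https://example.com", "example.com", FLAG_UP | FLAG_UV, b"\x02" * 32)
    return [check_assertion(*s, **expect) for s in (good, other_site, touch_only, stale)]


if __name__ == "__main__":
    for result in demo():
        print(result or "ok")
```

A response produced for a different site fails both the origin and RP ID hash checks, and a touch without a PIN or biometric fails the user-verified check, which is the flag that makes a single gesture count as two factors.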

Conclusion

Adoption of WebAuthn has been surprisingly slow given how promising it is in finally killing the password as the crux of authentication schemes on the Internet.

I think that there are five main reasons for this.

First is that I think that there isn’t widespread knowledge of WebAuthn as an authentication protocol in general.

Second is that Apple did not support it in Safari until the end of last year with the release of Safari 14 and this lack of support meant that it wasn’t practical because many users would not be able to use it.

Third is that Windows only supports it in newer versions, starting with Windows 10 build 1903 from May of 2019. The latest stats from May of this year indicate that almost 13% of Windows users are still on Windows 7 or lower.

Fourth is that many, many enterprises are still just transitioning their enterprise systems to single-sign-on which has become more turnkey and “baked in” as they adopt Office 365 or Google Enterprise.

Fifth is that I think many companies are still trying to figure out how to work around the main usability shortcoming with WebAuthn: the device dependency. Because the private keys are device specific, loss of the device equates to irrecoverable loss of access without an alternate mechanism.

This is actually a similar problem to one that occurs in cryptocurrency when you lose access to your private keys: your Bitcoins are gone forever.

All that said, I think that WebAuthn is without a doubt one of the best ways to add highly secure, yet highly convenient access to any web application and should be on your radar. With broad, cross-industry backing and a focus on privacy, it seems like the stage has been set for WebAuthn to redefine how we manage authentication on the Internet.
