You’ve entered a lot of passwords today. A separate password for your work computer, home machine, gmail, dev servers, your phone. Some of them are duplicates or you just used the same password with different casing and numbers at the end - I’m guilty of this. Then when you go to log in somewhere and your browser wasn’t merciful enough to save your password it’s trying all 50 combos you used just to end up resetting it and setting it to something else you’ll forget in 2 weeks.
Passwords are a terrible, insecure experience. you get one database leak and your passwords get auto tried on different platforms and your screwed, or worse they get in to your email and *all* your accounts are screwed.
I think people are starting to realize this and we’re seeing a rise in passowrdless authentication. This is a good thing and if correctly implemented user security will be increased and a lot of new possibility will be opened up.
“Wait!” you might be yelling in to your screen “Service such as login in with Google/Microsoft/Twitter/Facebook/Apple already provide passwordless systems. You are correct, to an extent. In my onion they suffer from the security risks. Because they’re not universal used you’ll still have duplicate passwords, you therefore still risk getting that account breached. Most of the company above use the data to better track you across the web, and you still don’t control the keys. So, yes it is an improvement, but because of central the central control of these services, it’s not the solution. The solution must be decentralized.
Love it or hate it the number one use of passwordless authentication at the moment is “web 3”. Since a crypto wallet is just a private key it can be used for signing and encrypting and there are lots of people already using it for login.
Opinions of Web 3 vary wildly, it definitely has it promises and issues (post for another day), but I believe it serves as a good starting point for a user friendly passowordless login system.
Before I get in to some concepts for how different private key based logins could work we got to address the elephant in the room: Once someone has your private key its too late, if this was deployed on a global level we would have the issue of users just giving there keys away or getting plain text backups of keys taken off compromised computers. If your building a private key based passwordless system you have to make it user stupidity resistant, because if we’re not careful this will be the new weakest link in cyber security. (I’ll do an entire post on this at some point)
With that out of the way lets look at what a passwordless system could look like.
We’ll start with the key and key metadata. This will most likely take one of these two forms:
A bip24 based key centered around a crypto wallet and can be used to generate ssh keys, gpg keys, or what ever other keys are needed. meta data stored on the blockchain (check out log in with ETH
A more traditional key system with the metadata stored in the keyfile.
You would have some kind of application the controls your key and allows apps to interact with it, similar to metamask in the browser, but such a system doesn’t have to be limited to a browser.
When you sign up for a service, you grant it access to your public key and then sign a message verifying it is indeed your key, then the app can read meta data, assigning a display name, contact info, and pfp. To login again you simply sign a message.
Now say we have the entire world using user controlled keys, you now have a ton of things you can do besides just login. Verify social media post and users, decentralized encrypted messaging systems (like vac), GPG on all emails, the possibilities are endless and extremely exiting (I’m gonna have to do a entire post on this, too).
A key based passwordless system, if correctly implemented, is a gateway to user privacy and freedom. It’s starting to get more attention as the dangers of passwords are becoming ever more apparent and user controlled keys are becoming more common.
Check out vouch.io they already do this
Why not just passphrases and a password manager? Or just adding keys to the same such manager. I don't think web3 needs to be involved or that the downsides of the technology memed under that name are worth it.