The dangers of using a single-password-only system are by now well documented. If a user is lazy and uses simple, easy-to-remember passwords like “1234” or “password,” this is nearly as bad as having no password at all. At the same time, many people can’t remember a random 16-character string of alphanumeric characters, and forcing them to do so can make a password system slower, more cumbersome, and less efficient than it was ever intended to be. There are ways to implement security systems that use passwordless authentication.
In some respects, these are faster, more efficient, and more convenient than taking an existing, traditional password system and bolting on more laborious requirements to increase security. Key pairs are one way to make data safer than ever before.
One of the safest ways to protect data is to encrypt and lock it. Encryption means that the data is “rewritten” so that viewing it directly makes no sense; it appears to be random gibberish. Locking it means that it can’t be accessed by just anyone and requires a specific interface, namely a key, to open a file and view it. Keys can take many forms: an additional password, a biometric requirement such as a fingerprint, or, for maximum security, a key pair, which adds extra levels of authentication.
A key pair is an incredibly secure form of passwordless authentication for critical data. Users receive two cryptographic keys. One key, known as the “public key,” comes from a public key cryptography function. The user then receives a “private key,” known only to the user.
Mixing Authentication Technologies
Now, if a user wishes to access data on a device, multiple authentication procedures are required, none of which require passwords. Unlocking a smartphone may require biometrics, such as a fingerprint or facial recognition. However, accessing the data requires the use of the public key. Even then, however, just having the data doesn’t mean being able to read it because it’s still encrypted and indecipherable. The private key is required to decrypt the data and render it once again in usable form.
By requiring two keys, a key pair system eliminates traditional, easier forms of cyber-attack, such as phishing or “man in the middle” attacks, that depend on capturing a password. The two-key requirement also means that even stealing one key doesn’t grant data access, since both are required for access and decryption.
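To make the key pair login described above concrete, here is an added example (not code from the original post or from any FIDO implementation) of a simplified challenge-response in Go’s standard library: the device keeps the private key, the server stores only the public key, and the relying-party name rpID (an assumed placeholder) is bound into what gets signed so a response for one site cannot be replayed to another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Assumed relying-party identifier (placeholder); bound into every signature
// so a challenge signed for one site is useless to any other site.
const rpID = "login.example.com"

// Register runs on the user's device: it generates the key pair. Only the
// public key is sent to the server; the private key never leaves the device.
func Register() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewChallenge is produced server-side for each login attempt. It must be
// fresh and unpredictable so an old response cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// signedPayload is what the device actually signs: challenge plus relying party.
func signedPayload(challenge []byte, rp string) []byte {
	return append(append([]byte{}, challenge...), []byte(rp)...)
}

// Respond runs on the device after the local unlock (biometric or PIN) and
// signs the challenge with the private key; no password is involved.
func Respond(priv ed25519.PrivateKey, challenge []byte, rp string) []byte {
	return ed25519.Sign(priv, signedPayload(challenge, rp))
}

// Verify runs on the server using only the stored public key, so a breach of
// the server database yields nothing that can be used to log in.
func Verify(pub ed25519.PublicKey, challenge, sig []byte, rp string) error {
	if !ed25519.Verify(pub, signedPayload(challenge, rp), sig) {
		return errors.New("signature invalid for this challenge and relying party")
	}
	return nil
}

func main() {
	pub, priv, _ := Register()
	ch, _ := NewChallenge()
	sig := Respond(priv, ch, rpID)
	fmt.Println("genuine login accepted:", Verify(pub, ch, sig, rpID) == nil)
	fmt.Println("replay to another site accepted:", Verify(pub, ch, sig, "other.example") == nil)
}
```

A production FIDO/WebAuthn flow adds attestation, signature counters and a structured client-data format on top of this same public/private split.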
If you’d like the added peace of mind from using FIDO key pairs to protect your customers, infrastructure and important data, read here to learn more.