Evolution of Authentication: From Passwords to Passwordless and the Rise of Web3
Ever observed how the ecosystem around authentication has changed over the ages? Web1 was all about one-way communication, which gave little to no thought to authentication, as most users were consumers and not producers. However, at the start of the Web2 revolution users became both producers and consumers of information, and the principles of asynchronous, dynamic web pages and APIs came into existence. The publish-and-subscribe model of Web2 brought with it the need for strong authentication.
The word authentication in Web2, or in general, translates to “ID and Password” in all our heads, and this authentication type has been the most widely used, even today. However, the password system has always faced emerging security threats: weak passwords, short length, phishing, storage, retrieval and more. Further, session lifetimes also became a challenge, as most organisations had to manage and maintain the respective tokens to ensure security. The weakness of this authentication method kept alive the burning need for a more secure environment. Web scraping and bot logins too became a problem, leading to phishing attacks like never before, and as a result most of us have experienced the inconvenience of “Captcha”.
Sneak Peek Information -
A report published by Statista mentioned that a password of no more than 7 characters, with at least one uppercase letter, a number and a symbol, takes just around 6 minutes to crack. Now look back at your passwords; I am sure we all have passwords of the same length, or even shorter at times.
https://www.statista.com/chart/26298/time-it-would-take-a-computer-to-crack-a-password/
The problem of managing passwords and their security grew with the number of breaches seen. In the United States alone, the year 2017 recorded over 1632 Million data breaches, and over 200M records were exposed as a result, as published by Statista. As a result of such massive losses, many organisations began outsourcing authentication.
Now, what’s that?
Social media giants and other enterprise security platforms started outsourcing their authentication systems for other applications to use and consume. This way, the possibility for their ecosystems to grow strengthened further, and it became extremely simple for smaller applications to stop worrying about security threats, having outsourced them to giants like Facebook, Google, LinkedIn, Okta and others who spend a fortune on research and development.
Federated Logins:
The transition so far has moved authentication from silos to a federated authentication process (Single Sign-on), where a central auth engine handles authentication for independent applications. To make this efficient, standard protocols such as SAML and OpenID are used. These protocols define how messages travel between a Relying Party (RP) and an Identity Provider (IdP). The protocols provide a secure way of communicating, and the standards ensure a scalable approach for Identity Providers such as Facebook and Google to reach a broader segment of applications (RPs) with their authentication services.
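The RP side of that exchange is where federated login goes wrong in practice: the IdP vouches for the user, but the RP still has to verify that the assertion it received is genuine, meant for it, and fresh. The Go program below is an added example, not code from the article or from any IdP or SSO product; it mints a minimal OpenID Connect style ID token and then validates it the way an RP should. The shared-secret HS256 signature, the issuer URL, the audience and nonce values are all constructed for the example; a real IdP signs with an asymmetric key published through its JWKS endpoint, and the RP checks the same claims against that key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IDTokenClaims holds the claims an RP must check; names follow OpenID Connect.
type IDTokenClaims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expiry   int64  `json:"exp"`
	Nonce    string `json:"nonce"`
}

type jwtHeader struct {
	Alg string `json:"alg"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(secret []byte, signingInput string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return b64(mac.Sum(nil))
}

// MintToken plays the IdP. HS256 with a shared secret keeps this example dependency-free;
// real IdPs sign with an asymmetric key that RPs fetch from the IdP's published JWKS.
func MintToken(secret []byte, c IDTokenClaims) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	signingInput := header + "." + b64(payload)
	return signingInput + "." + hs256(secret, signingInput)
}

// ValidateToken plays the RP. Receiving a token from the IdP is not the same as trusting it:
// algorithm, signature, issuer, audience, expiry and nonce are all the RP's own responsibility.
func ValidateToken(token string, secret []byte, expectedIss, expectedAud, expectedNonce string, now time.Time) (IDTokenClaims, error) {
	var c IDTokenClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	// 1. Pin the algorithm before touching the payload: honouring whatever "alg" the
	//    header says is how "alg":"none" and key-confusion bugs happen.
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, errors.New("bad header encoding")
	}
	var hdr jwtHeader
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Alg != "HS256" {
		return c, errors.New("unexpected alg")
	}
	// 2. Constant-time signature check over exactly the bytes the IdP signed.
	if !hmac.Equal([]byte(hs256(secret, parts[0]+"."+parts[1])), []byte(parts[2])) {
		return c, errors.New("bad signature")
	}
	rawPayload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, errors.New("bad payload encoding")
	}
	if err := json.Unmarshal(rawPayload, &c); err != nil {
		return c, errors.New("bad payload")
	}
	// 3. A correctly signed token is still useless if another IdP issued it, it was
	//    minted for another RP or an earlier login attempt, or it has expired.
	switch {
	case c.Issuer != expectedIss:
		return c, errors.New("wrong issuer")
	case c.Audience != expectedAud:
		return c, errors.New("token not intended for this RP")
	case now.Unix() >= c.Expiry:
		return c, errors.New("token expired")
	case c.Nonce != expectedNonce:
		return c, errors.New("nonce mismatch, possible replay")
	}
	return c, nil
}

func main() {
	secret := []byte("constructed-shared-secret") // constructed for the example
	now := time.Now()
	tok := MintToken(secret, IDTokenClaims{
		Issuer: "https://idp.example", Subject: "user-42", Audience: "rp-demo",
		Expiry: now.Add(5 * time.Minute).Unix(), Nonce: "n-1",
	})
	claims, err := ValidateToken(tok, secret, "https://idp.example", "rp-demo", "n-1", now)
	fmt.Println(claims.Subject, err) // user-42 <nil>
	_, err = ValidateToken(tok, secret, "https://idp.example", "other-rp", "n-1", now)
	fmt.Println(err) // token not intended for this RP
}
```

The audience check is the one most often skipped: a token that Google or any other IdP legitimately issued for some other application will carry a valid signature from the right issuer, and only the `aud` claim tells this RP that it was never meant to accept it.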
The Emergence of Passwordless:
Going passwordless has become a necessity now that most companies agree that passwords lead to easy breaches and phishing. Most passwordless ecosystems today operate on a “Siloed Identity” approach. Siloed identity occurs when there is a one-to-one relationship between the issuer of an identity and a receiver. For instance, you sign up with Google, Google issues a credential/key to your vault, and then you use the key from your vault to sign in to an application that supports Google. Sounds simple, and most applications in the market today run this model.
FIDO, an almost decade-old standard, uses this one-to-one relationship approach with private and public key pairs to make passwordless work. However, the problem still persists, as FIDO replaces the password with a pairwise key, or passkey, for every website. The user ends up with a suite of keys, one per website or app. The breach of a key creates a direct vulnerability. Further, managing such keys requires a secure vault, where the user or issuer has to provision strategies to rotate them efficiently.
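What the pairwise-key model actually buys, and what it costs, is easier to see in code. The Go program below is an added example written for this article, not code from the FIDO Alliance or any authenticator; it models a passkey store that keeps one Ed25519 key pair per RP ID, an RP that stores only public keys, and the challenge-response login between them. The RP IDs, user name and challenge size are constructed for the example, and the message format (hash of the RP ID followed by the challenge) is a simplification of what WebAuthn signs, kept only to show why the RP identity has to be bound into the signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for a passkey store: one key pair per RP, looked up by RP ID.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register mints a fresh key pair scoped to rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// signedMessage binds the RP identity into what is signed, so an assertion produced
// for one RP can never be replayed as a login to a different RP.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Sign answers an RP's challenge. It refuses when no key exists for that exact RP ID,
// which is what stops a look-alike domain from obtaining a usable assertion.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ed25519.Sign(priv, signedMessage(rpID, challenge)), nil
}

// RelyingParty stores public keys only: a dump of this table cannot be used to log in anywhere.
type RelyingParty struct {
	ID      string
	creds   map[string]ed25519.PublicKey // user -> registered public key
	pending map[string][]byte            // user -> outstanding challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) StoreCredential(user string, pub ed25519.PublicKey) { rp.creds[user] = pub }

// NewChallenge issues a fresh random challenge; freshness is what makes each assertion single-use.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// VerifyLogin checks the assertion against the stored key and the outstanding challenge,
// then consumes the challenge so the same bytes cannot be replayed.
func (rp *RelyingParty) VerifyLogin(user string, sig []byte) bool {
	pub, havePub := rp.creds[user]
	chal, haveChal := rp.pending[user]
	if !havePub || !haveChal {
		return false
	}
	delete(rp.pending, user)
	return ed25519.Verify(pub, signedMessage(rp.ID, chal), sig)
}

func main() {
	auth := NewAuthenticator()
	bank := NewRelyingParty("bank.example") // constructed RP ID
	pub, _ := auth.Register(bank.ID)
	bank.StoreCredential("alice", pub)
	chal, _ := bank.NewChallenge("alice")
	sig, _ := auth.Sign(bank.ID, chal)
	fmt.Println("genuine login:", bank.VerifyLogin("alice", sig))     // true
	fmt.Println("replayed assertion:", bank.VerifyLogin("alice", sig)) // false
	_, err := auth.Sign("bank-example.evil", chal)                    // look-alike domain
	fmt.Println("phishing site:", err)
}
```

Two consequences of the design follow directly from the code. Because the RP table holds public keys only, a breach of the RP exposes nothing that can sign a login; the "breach of a key" the article warns about is a breach of the user's vault, and the pairwise scoping limits its blast radius to that one RP. And because the authenticator only ever looks up keys by the exact RP ID, the user cannot be tricked into authenticating to a look-alike domain, which is the phishing resistance FIDO is designed around.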
SSO (Single Sign-on) is the new kid on the block, bringing a framework for using digital identities for authentication. The framework does much more than authentication, but for this article let’s stick to its relevance to authentication alone. SSO works on a “two-party relationship model”, meaning there is always a verifier and a holder of a credential. The verifier is a relying party (RP) that needs to allow a user to log in. The user uses his or her credential or identity to present a zero-trust based proof to the verifier, who then uses the proof value to allow authentication. SSO can even use an OpenID protocol to enable authentication.
How is SSO different from FIDO?
Security - SSO enables Zero Trust, meaning there is not one key for sharing proofs; every single attribute of a credential has its own cryptographic seal. The verifier can request any combination of a credential’s attributes, or even a group of credentials, for a proof. The proof shared has no cross reference to the individual sharing the request. FIDO
Convenience - In SSO the user logs in with his or her credential using ZKP (Zero Knowledge Proofs, or simply Zero Trust). Approval of a share can use any verification method, but the credential proof is never the biometric itself. This keeps biometric or personal information away from the authentication medium without compromising on the convenience of sharing.
Privacy - SSO provides zero cross reference, as the same DID pairs are never reused for proof presentations. It runs on ZKP, providing the best privacy standard available in the world today.
Scalability - SSO wallets are now growing and are already proving interoperable, catering to high scalability and growth. With integrations with OpenID and standards such as OpenBadgeV3, adoption will only get better.
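The “every attribute has a cryptographic seal” property from the Security point above, and the verifier’s ability to ask for any combination of attributes, can be shown with a small issuer/holder/verifier program. The Go code below is an added example, not code from the article or from any wallet or credential product. It follows the salted-hash selective disclosure approach used by SD-JWT rather than a zero-knowledge proof: the issuer signs a list of per-attribute digests, the holder reveals only the attributes requested, and the verifier checks each revealed attribute against the sealed list. The issuer identifier, attribute names and values are constructed for the example. Note the caveat that sets this construction apart from the ZKP-based presentations the article describes: the signed digest list is identical in every presentation, so on its own it does not give unlinkability across verifiers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Disclosure is what the holder reveals for one attribute. The random salt is the seal:
// without it a verifier could brute-force low-entropy values from the digest alone.
type Disclosure struct {
	Salt  string `json:"salt"`
	Name  string `json:"name"`
	Value string `json:"value"`
}

// Credential is the issuer-signed part. It carries digests only, never the attribute values.
type Credential struct {
	Issuer    string
	Digests   []string
	Signature []byte
}

func digestOf(d Disclosure) string {
	b, _ := json.Marshal(d)
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

func signingInput(issuer string, digests []string) []byte {
	b, _ := json.Marshal([]interface{}{issuer, digests})
	return b
}

// Issue seals every attribute on its own and signs the sorted digest list, so one
// signature covers all attributes without the credential revealing any of them.
func Issue(issuer string, priv ed25519.PrivateKey, attrs map[string]string) (Credential, []Disclosure, error) {
	var wallet []Disclosure
	var digests []string
	for name, value := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, nil, err
		}
		d := Disclosure{Salt: hex.EncodeToString(salt), Name: name, Value: value}
		wallet = append(wallet, d)
		digests = append(digests, digestOf(d))
	}
	sort.Strings(digests) // order must not leak which digest belongs to which attribute
	cred := Credential{Issuer: issuer, Digests: digests}
	cred.Signature = ed25519.Sign(priv, signingInput(issuer, digests))
	return cred, wallet, nil
}

// Present keeps only the attributes a verifier asked for; everything else stays in the wallet.
func Present(wallet []Disclosure, requested ...string) []Disclosure {
	var shown []Disclosure
	for _, d := range wallet {
		for _, r := range requested {
			if d.Name == r {
				shown = append(shown, d)
			}
		}
	}
	return shown
}

// Verify checks the issuer's seal over the digest list, then that each disclosed attribute
// hashes to one of the sealed digests. A changed value, changed salt or forged list all fail.
func Verify(cred Credential, issuerPub ed25519.PublicKey, shown []Disclosure) (map[string]string, error) {
	if !ed25519.Verify(issuerPub, signingInput(cred.Issuer, cred.Digests), cred.Signature) {
		return nil, errors.New("issuer signature invalid")
	}
	sealed := map[string]bool{}
	for _, dg := range cred.Digests {
		sealed[dg] = true
	}
	out := map[string]string{}
	for _, d := range shown {
		if !sealed[digestOf(d)] {
			return nil, errors.New("attribute not sealed by issuer: " + d.Name)
		}
		out[d.Name] = d.Value
	}
	return out, nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed attributes; the verifier below only asks whether the holder is over 18.
	cred, wallet, _ := Issue("did:example:issuer", issuerPriv,
		map[string]string{"name": "Alice", "over18": "true", "email": "alice@example.invalid"})
	fmt.Println(Verify(cred, issuerPub, Present(wallet, "over18"))) // map[over18:true] <nil>
}
```

The verifier learns exactly one attribute and nothing about the others, yet it still gets the issuer's signature over the whole credential; that is the “request any combination” property. Getting from here to the no-cross-reference property the article attributes to ZKP needs either a fresh issuer signature per presentation or a proof system that hides the signature itself, which is why the two are not interchangeable.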
I look at web3 as an era for the common people, the general users: it’s no longer about corporates building software systems that a user consumes and shares personal information with. It’s now about the user proving his or her identity to use a system, and sharing only what he or she deems fit. It’s interesting because it focuses on truly democratising the web and giving the power back to the users. The true power starts with managing identity, and then using this identity for transacting on assets, simply communicating with one another, or even social media.
Startups and large players have now started building solutions and marketplaces that enable trust in identity, assets and transactions (NFTs), in support of this paradigm shift to web3. For web3 to succeed, it truly requires innovation around passwordless and identity in general that provides a combination of interoperability, scalability, minimal cost and a truly passwordless approach with no reliance on a person’s biometric information.