We use passwords every day to log into our favorite sites. We also hate using them, because these days almost all websites force users to create strong passwords that are difficult to remember.
In this article, I will not just talk about how beneficial a passwordless login system is, or how it can boost your sales overnight by providing a hassle-free login experience; I will also discuss how passwords still play an important role, and their advantages and disadvantages in securing an application.
A little History of Passwords
If you think today is the worst day because you have to read the ‘History of Passwords’, believe me, the worst is yet to come, because 2020 is still here. We do not know!
We started by authenticating users with simple phrases. Back in the day, users had simple passwords like ‘password’ and did not worry at all. Later, hackers countless times managed to download entire databases, and with plain-text passwords stored in those databases, they could easily get access to all users’ accounts.
Developers improved their systems by not storing plain-text passwords in the database. They started hashing passwords with different hashing algorithms, and even that was not foolproof. Fast forward to today, and we have pretty strong one-way hashing algorithms that let devs hash a password securely.
With PHP’s functions like password_hash() and password_verify(), developers can easily hash a password. To authenticate a user, the password_verify() function compares the plain-text password provided by the user against the hashed password stored in the database. The function returns true if both passwords match, else it returns false. Developers do not have to do much work when implementing a secure login system.
But, as we all know, no system is completely immune to hacking. Even with a secure login system, hackers can still perform brute-force attacks to guess users’ passwords. We countered that by implementing anti-brute-force systems where servers block IPs that are trying to guess passwords.
Even after all these security enhancements, one thing we can never get rid of completely is user error. For example, users often set the same password on multiple websites, and whenever a less secure website is compromised, every account that uses the same password is put at risk.
The Emergence of 2FA, aka Two-factor Authentication
Two-factor authentication emerged as the final solution to fix all issues related to login security. In 2FA, a unique code (usually a 4 or 6 digit number) is sent to the user’s email id after they provide the correct username and password. This step makes sure that the user who provided the correct password is actually the owner of the account.
In the beginning, the 2FA code used to be a 4 or 6 digit number sent to the user’s email id. Now, for a hacker to log in to an account, he not only needs the correct username and password but also the 4 digit code that was sent to the user’s email address. To obtain the authentication code, the hacker has to compromise the user’s email id.
But there is a loophole in this system as well. If you look closely, not only the login but also the password-reset system works the same way. To reset a password, a user has to provide the email id and verify his/her identity by entering the correct code or OTP sent to that email.
In 2019, an independent security researcher named Laxman Muthiyah discovered a weakness in Instagram’s password recovery process.
To recover the password of an Instagram account, a user receives a 6 digit code. The user has to provide the correct code to verify his identity. The 6 digit code sent to the email is valid for 10 minutes. First of all, there are 1 million possible combinations of digits making up a 6 digit code.
Theoretically, an attacker can brute-force the endpoint that verifies the code. Eventually, with a medium-scale brute-force attack, hackers can guess the correct code and reset the password successfully. What made this attack a little more complicated was the validity period of the code: the user has to enter the code within 10 minutes, otherwise the code expires and the hacker would have to restart the process.
To work around it, Laxman Muthiyah tested Instagram’s system further and found that Instagram does not block an IP address indefinitely for sending incorrect OTPs; it only blocks the IP temporarily. That means an attacker can use multiple computers, to be exact 5000 computers, to send 1 million OTPs within 10 minutes. Laxman also said that it may look difficult, but with cloud services like AWS or Google, anyone can perform this attack by spending merely $150.
The attacker can create 5000 IP addresses and run an automated script to perform the attack. To evade the IP blocking system, he can switch between IPs. For $150, an attacker could reset the password of any Instagram account.
Secure 2FA System
What we learned from the Instagram case is that we not only need to have a system in place but a proper, more logical system. There have been numerous other cases where attackers managed to bypass 2FA. Honestly, we do not know whether the popular services we use really have a strong 2FA system. If Facebook can mess it up, then anyone else can too.
Passwordless Login System
For sure, users love to log in to their online accounts as quickly as possible. But as a developer, it is quite irresponsible to have only a passwordless login system. Passwords do play an important role, and today we can easily store securely hashed passwords in the database.
In a passwordless login system, a user can log in just by clicking a URL. As I said, user errors are impossible to get rid of. Developers can make users follow a system that forces them to be safe.
Built-in password managers in web browsers have helped a lot. Web browsers can save users’ passwords and auto-fill the password field the next time the user visits the website’s login page. So password systems are not as frustrating as they used to be.
Passwordless login systems are also common these days. They allow app users to log in to their accounts without having to type complicated passwords.
Though a passwordless login system has its own disadvantages. It is a quick way to authenticate a user into an application, but as a developer, I also need to make sure the email id where the authentication URL is being sent is not compromised.
In password systems, an attacker has to do some heavy lifting to get access to the target account. In passwordless login, the attacker only needs to compromise the user’s email id. We have seen how malware can steal money from PayPal without any 2FA. So getting one link from an email account is also possible.
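Since the whole security of a passwordless login rests on that one emailed URL, the link itself has to be made as short-lived and single-use as possible. Here is an added Python example of how a login-link store can do that (my own illustration, not code from the article or from any real passwordless provider). It assumes an in-memory store, a 15-minute lifetime, and the placeholder URL https://example.test/login; a real service would keep the table in a database and tie the link to the session that requested it.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

LINK_TTL_SECONDS = 15 * 60   # a short lifetime shrinks the window in which an intercepted email is useful


class MagicLinkStore:
    """Toy in-memory store of pending login links (constructed for this example).

    Only the SHA-256 of each token is stored, so a leaked table does not
    hand out working links the way a leaked plain-text password table does.
    """

    def __init__(self, now=time.time):
        self.now = now                       # injectable clock so expiry can be tested
        self.pending = {}                    # sha256(token) -> (email, expires_at)

    def issue(self, email: str, base_url: str = "https://example.test/login") -> str:
        token = secrets.token_urlsafe(32)    # 256 bits of randomness: not guessable, not enumerable
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.pending[token_hash] = (email, self.now() + LINK_TTL_SECONDS)
        return f"{base_url}?{urlencode({'token': token})}"

    def redeem(self, token: str):
        """Return the email the link was issued for, or None.

        Each link works exactly once: the record is popped before any check,
        so a link that was clicked, expired or mistyped can never be retried.
        """
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(token_hash, None)
        if entry is None:
            return None
        email, expires_at = entry
        if self.now() > expires_at:
            return None
        return email


def token_from_url(url: str) -> str:
    """What the login endpoint does when the link is clicked: pull the token from the query string."""
    return parse_qs(urlparse(url).query)["token"][0]


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("alice@example.test")   # constructed sample address
    print(link)
    print(store.redeem(token_from_url(link)))   # alice@example.test
    print(store.redeem(token_from_url(link)))   # None: already used
```

Redeeming the link should only mark the session as "email verified", not fully logged in; the second factor discussed below is what completes the login, so a stolen email alone is still not enough.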
Make 2FA Mandatory for passwordless login and password login
At this point, you may not be able to decide which system to go with: the passwordless login system that’s quick, or password login + 2FA?
What I think is that we can use a combination of both. We can provide password login + 2FA and passwordless login + 2FA. In case anyone manages to get access to a user’s email id, he cannot log in without completing 2FA. It is quick and secure.
Secondly, the 2FA system should be strong. It should be able to recognize a brute-force attack on a certain account and block IPs for a little longer.
Instead of developing our own 2FA system from scratch, we can use Google Authenticator. Their system is easy to set up, easy to use, and secure. The OTPs are refreshed after a short period of time, which eliminates the possibility of brute-forcing the endpoint.
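The Instagram case above and this requirement are really the same lesson: a limit that is counted per IP can be reset by changing IP, while a limit counted per account cannot. The added Python example below (my own toy model, not Instagram's code or the researcher's script) makes that measurable: a small OTP verifier can be configured to count failures per IP only, per account only, or both, and guess_budget() reports how many wrong guesses the verifier will actually evaluate for one code when the attempts arrive from a given number of IPs. The limits (10 per IP, 5 per account) and the 198.51.100.x labels are constructed for the example.

```python
import hmac
import secrets
from collections import defaultdict


class OtpVerifier:
    """Toy in-memory OTP verifier (constructed for this example).

    policy:
      "per_ip"      - count failures per source IP only (the weak design: a new IP gets a fresh budget)
      "per_account" - count failures per account and revoke the code after a few misses
      "both"        - enforce both limits
    """

    def __init__(self, policy: str = "both", per_ip_limit: int = 10, per_account_limit: int = 5):
        self.policy = policy
        self.per_ip_limit = per_ip_limit
        self.per_account_limit = per_account_limit
        self.codes = {}                           # account -> outstanding 6-digit code
        self.ip_failures = defaultdict(int)
        self.account_failures = defaultdict(int)

    def issue(self, account: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # 1 million possibilities, as in the article
        self.codes[account] = code
        self.account_failures[account] = 0
        return code

    def verify(self, account: str, code: str, source_ip: str) -> str:
        if account not in self.codes:
            return "code_revoked"                 # nothing outstanding: the user must request a new code
        if self.policy in ("per_ip", "both") and self.ip_failures[source_ip] >= self.per_ip_limit:
            return "blocked_ip"
        if hmac.compare_digest(self.codes[account], code):
            del self.codes[account]               # single use
            return "ok"
        self.ip_failures[source_ip] += 1
        if self.policy in ("per_account", "both"):
            self.account_failures[account] += 1
            if self.account_failures[account] >= self.per_account_limit:
                del self.codes[account]           # too many misses on this account: invalidate the code
                return "code_revoked"
        return "invalid"


def guess_budget(policy: str, ip_count: int, attempts_per_ip: int = 1000) -> int:
    """How many wrong guesses a verifier under `policy` evaluates for one outstanding code
    when the guesses come from `ip_count` different source IPs.

    The real code is skipped so the count is deterministic; what is measured is the
    control, not whether a guess happens to land.
    """
    verifier = OtpVerifier(policy=policy)
    real = verifier.issue("victim")
    evaluated = 0
    for i in range(ip_count):
        source_ip = f"198.51.100.{i}"             # constructed label; only used as a dictionary key
        for n in range(attempts_per_ip):
            guess = f"{n:06d}"
            if guess == real:
                continue
            result = verifier.verify("victim", guess, source_ip)
            if result == "blocked_ip":
                break                             # this IP is done; under per-IP policy the next one starts fresh
            evaluated += 1
            if result == "code_revoked":
                return evaluated                  # the code is gone: no further guesses count
    return evaluated


if __name__ == "__main__":
    for policy in ("per_ip", "per_account", "both"):
        print(policy, "1 IP:", guess_budget(policy, 1), "50 IPs:", guess_budget(policy, 50))
```

Under "per_ip" the budget grows with the number of IPs (10, 500, ...), which is exactly why temporary IP blocking alone did not help Instagram; under "per_account" or "both" it stays at 5 no matter how many IPs are used, and the user has to start the reset flow again. Layer an expiry on top (the article's 10 minutes) and the guess budget per code is bounded in both dimensions.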
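Google Authenticator implements the open TOTP standard (RFC 6238 on top of RFC 4226 HOTP), so the server side is small enough to show in full. The Python below is an added example (not the article's code and not Google's), using the standard library only: a 6-digit code derived from HMAC-SHA1 over the current 30-second time step, a verifier that tolerates one step of clock drift but refuses to accept the same step twice, and the otpauth:// URI that the app scans from a QR code. The issuer and account names are placeholders; the test vectors in the comments come from RFC 6238.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP_SECONDS = 30        # Google Authenticator's default time step
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step.
    RFC 6238 vector: key b"12345678901234567890" at time 59 gives 94287082, i.e. "287082" for 6 digits."""
    return hotp(key, int(unix_time) // step, digits)


def verify_totp(key: bytes, submitted: str, unix_time: int, used_steps: set,
                step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side (clock drift on the phone),
    but reject any step already redeemed so a code seen by a shoulder-surfer or a
    phishing page cannot be replayed inside its 30-second validity."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    current = int(unix_time) // step
    for candidate in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(key, candidate), submitted):
            if candidate in used_steps:
                return False
            used_steps.add(candidate)
            return True
    return False


def new_secret(nbytes: int = 20) -> bytes:
    """Per-user shared secret; 20 random bytes matches the SHA1 block the RFC examples use."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI encoded into the enrolment QR code; the secret is base32 without padding."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    import time
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.test", "ExampleApp"))  # placeholder names
    now = int(time.time())
    code = totp(secret, now)
    print(code, verify_totp(secret, code, now, set()))                   # True
```

Even with the code rotating every 30 seconds, a verifier that allows unlimited submissions per step still exposes a 6-digit space, so the per-account attempt limit from the previous example belongs in front of verify_totp() as well; the rotation shortens the window, the limit caps the guesses inside it.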