Passwords are one of the Internet’s weak links. A secret doesn’t stay one for long if you have to share it often, and passwords are, by definition, frequently shared secrets. While not all passwords are created equal, and some are harder to steal than others, particularly if you change them often, the fact that using them requires sharing them exposes them to risk.
Two-factor authentication offers an alternative. To authenticate to a web server that requires two-factor authentication, a user enters a password and then further proves their right to access the site by providing additional evidence of their identity. They might enter a passcode that changes periodically, or they might scan their fingerprint, or they might respond to a push notification or answer an automated phone call. These are the second factors in two-factor authentication, and they help a website go beyond accepting and checking entered passwords to challenge would-be users to prove their possession of something: a passcode, a phone number, or a biometric. Not only does the user prove they know something; they also prove they have something.
Unfortunately, some websites have implemented two-factor authentication ineffectively. Some sites require the user to enter their username, their password, and their second factor – a passcode – all at one time on the same login page. The problem with this is that a hacker could set up a rogue website that attempts to copy the legitimate site. Perhaps they lure their victims to the site through a phishing email. The misled user then proceeds to enter their username, their password, and the passcode they retrieved from a text or a phone call into the fake site. Instead of giving the user access to the site they were expecting, the fake site steals the credentials the user entered and immediately uses them to log into the real site on the victim’s behalf. Once in, they can change the victim’s password or other account information, and they can snoop around the site, gathering the victim’s private data.
So, rather than require the user to enter a passcode that was sent by text, other two-factor options require the user to possess a physical device. The authenticating device could be a USB dongle, or it could be an app on their phone that receives a push notification that must be acknowledged. If the user attempting to access the site doesn’t possess the required device, they won’t receive the challenge they need to answer, and so they will not be permitted to access the site. These solutions work better than requiring the user to enter a passcode, since the passcode could be captured by someone impersonating the site. Instead, by virtue of possessing something no one else in the world does, a legitimate user can access the site, whereas an illegitimate user, lacking the required device, can’t.
Many vendors provide two-factor authentication products that require additional login devices, including Symantec, Yubico, and Duo. Lacking a standard implementation, various providers of two-factor authentication devices have created different ways of providing the service and integrating it with websites. Fortunately, after years of review, the World Wide Web Consortium (W3C), an industry group that reviews and approves the technologies that enable the web to function, ratified a standard called WebAuthn. Like all Internet standards approved by the W3C, the WebAuthn standard explains, in explicit detail, how device-enabled two-factor authentication should work, how compliant websites will support it, and how backup mechanisms that must enable the user to log in when they temporarily lack access to the authenticating device will function. Although there have been some noteworthy early adopters such as Dropbox and Microsoft, the fact that WebAuthn is now a standard with clear requirements for how it should be implemented will likely accelerate its adoption.
While users can choose strong, hard-to-crack passwords, such secrets remain a weak link because of how often they are exchanged and how easy it is to trick someone into divulging them accidentally. By requiring users to prove they own something rather than that they merely know something, WebAuthn promises a more secure, password-free future.