Blockchain Semantics Insights
Passwordless Authentication using Cryptography on Blockchain
Feb. 28, 2018, 9:23 a.m. GMT
It feels like almost every day there is another data breach making the headlines. From banking to social networking, a person spends more than 6 hours online every day on average, yet most of the websites we use daily rely on traditional web-login systems, which are vulnerable to attack if not properly secured.
Famous attacks on traditional web logins
- 56 crore identities were compromised in the WannaCry ransomware attack in 2017.
- Almost 17 million Zomato email addresses were compromised on May 25, 2017.
- 5 million Gmail passwords were released online in 2014.
- Apple's iCloud login system was compromised, leaking the infamous celebrity photos.
Why are traditional web-login systems vulnerable?
Security breaches on traditional systems happen because websites store user credentials on a centralized server. If this centralized database is breached, the attacker gains access to all of the user information at once. Other points of failure arise from passwords being short, overly simple and too easy to guess: most are a simple combination of common information like a name, birthday or mobile number. Most passwords are also reused across websites, so if an attacker obtains the login credentials for one website, chances are high that they can gain access to a different website as well.
Elliptic Curve Cryptography to the rescue
Cryptography tries to eliminate these vulnerabilities using passwordless authentication. It does away with authentication against a centralized credential store; instead, a passwordless login is used that leverages the concept of a public key and private key pair.
Replacing the traditional login system with cryptography-based login means there is no central target for hackers. This leads to increased trust between consumers and businesses: consumers are no longer required to submit sensitive personal information to websites, and businesses no longer need to spend millions securing user data.
How does it work?
Passwordless authentication using ECDSA requires the user to sign a message with their private key. The digital signature is created by taking a cryptographic hash of the message and operating on it mathematically with the private key. Once the signature is generated, it is passed to the server. On the server side, the public key can be recovered from the signature, and the server verifies that this public key actually hashes to the address that claims to have signed the message. Once authenticated, the user can be allowed to access the website.
Common attacks fail against this technique because there is no central server where login information is stored. The only way an attacker can impersonate the user is by gaining access to the private key. The ECDSA algorithm also draws on a source of randomness each time a signature is generated, and this randomness makes it practically impossible for attackers to work out the private key. Therefore it can safely be said that passwordless authentication is the future of the internet, if you care about security.