Why The World No Longer Needs Passwords

sukalpo mitra
3 min read · Jun 2, 2021

In today’s world, every system we interact with requires us to identify ourselves. And how do we identify? Using an ID and a password. This is a very effective solution, but it has its own caveats. First of all, passwords can easily be brute-forced using dictionary attacks. To circumvent this, we need to enforce strict password policies, which means the password is generally not easy to remember and needs to be changed every month or so. So if you interact with N applications, you need to remember N hard-to-remember passwords and change all of them monthly.

But for humans that is a daunting task, and we end up using easy-to-remember passwords, or the same password for multiple applications. And we rarely change them. Thus we are more prone to identity theft.

There are password managers, however, which are quite efficient at keeping your passwords secure. Some people also use federated identity providers such as Google or Facebook. But for the sake of convenience, we are handing over our private data to these companies, trusting that our private data will remain private. Incidents like Cambridge Analytica or the data breach at Exactis prove otherwise.

Also, come to think of it, the identification is always one way. We identify ourselves to the applications, but the applications do not identify themselves to us. This leads to phishing attacks.

So what is the next evolution in digital identity? Passwordless authentication! A lot of work has been done in the area of self-sovereign identity and verifiable credentials, and I believe it is easy to use the techniques from this technology to build a passwordless authentication approach. This is how it can work.

The sign-up process has the following steps:

  1. Any application, be it a banking website or an entertainment website like YouTube, can establish a secure connection with a user on registration. During this connection establishment, both parties identify themselves to each other using a decentralized identifier (DID). The connection is made by scanning a QR code that the application generates. The user’s identifier is unique for each application. This connection is then persisted on both the user’s and the application’s side.
  2. The application then issues a verifiable credential to the signed-up user’s digital wallet using a schema that best suits the application’s needs. For example, the credential can even contain roles for the authorisation process, which after authentication can be passed as claims in a JWT.

After sign-up is completed, here is how the login flow works:

  1. On login, the application again generates a QR code, this time containing a login key. On scanning this code, the client identifies the persisted connection using the application’s DID and triggers a proof request flow by the application over the identified connection.
  2. The application then asks the client to present proof that it is a registered user of the application, using the issued verifiable credential. The client presents the proof, and the application, after verifying it, issues a JWT through a web socket or long polling, identifying the client by the login key that was passed when the proof presentation workflow was triggered.
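The two flows above, sign-up and login, as an added toy simulation in Python (example code written for this page, not the author's design or any SSI library). It stands in for the real building blocks with assumptions that are labelled in the code: the DIDs are constructed `did:example:` strings, the pairwise connection secret is derived with HMAC instead of a DID key agreement, the verifiable credential and the proof presentation are HMAC-signed rather than using a real VC proof format, the JWT is hand-built HS256 with the standard library, and the token is returned directly instead of being delivered over a web socket or long polling. The `LOGIN_KEY_TTL` value and the `run_flow` helper are also assumptions. What it shows that the steps alone do not: a login key is consumed on first use so the same presentation cannot be replayed, and the wallet presents nothing to an application DID it has no persisted connection with, which is what makes the mutual identification the text describes resistant to lookalike login pages.

```python
import base64, hashlib, hmac, json, secrets, time

LOGIN_KEY_TTL = 120  # seconds a login QR code stays valid (assumed value)

def canon(obj) -> bytes:
    # canonical JSON so both sides MAC identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def mac(key: bytes, obj) -> str:
    return hmac.new(key, canon(obj), hashlib.sha256).hexdigest()

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def pairwise_secret(invite: str, user_did: str) -> bytes:
    # ASSUMPTION: stands in for the key agreement a real DID connection performs
    return hmac.new(invite.encode(), user_did.encode(), hashlib.sha256).digest()

class Application:
    def __init__(self):
        self.did = "did:example:app-" + secrets.token_hex(4)  # constructed DID
        self.issuer_key = secrets.token_bytes(32)  # signs credentials it issues
        self.jwt_key = secrets.token_bytes(32)     # signs session JWTs
        self.connections = {}  # user DID -> pairwise secret (persisted connection)
        self.login_keys = {}   # login key -> expiry time

    def signup_qr(self) -> dict:  # sign-up step 1: QR carries app DID + invitation
        return {"did": self.did, "invite": secrets.token_hex(16)}

    def accept_connection(self, qr: dict, user_did: str):
        self.connections[user_did] = pairwise_secret(qr["invite"], user_did)

    def issue_credential(self, user_did: str, roles: list) -> dict:  # sign-up step 2
        body = {"issuer": self.did, "subject": user_did, "roles": roles, "issued": int(time.time())}
        return {"body": body, "proof": mac(self.issuer_key, body)}

    def login_qr(self) -> dict:  # login step 1: QR carries app DID + fresh login key
        key = secrets.token_hex(16)
        self.login_keys[key] = time.time() + LOGIN_KEY_TTL
        return {"did": self.did, "login_key": key}

    def verify_presentation(self, user_did: str, pres: dict):  # login step 2
        expiry = self.login_keys.pop(pres["body"]["login_key"], None)
        if expiry is None or time.time() > expiry:
            return None  # unknown, replayed or expired login key
        secret = self.connections.get(user_did)
        if secret is None:
            return None  # no persisted connection with this DID
        if not hmac.compare_digest(pres["proof"], mac(secret, pres["body"])):
            return None  # presentation not signed by the connection holder
        cred = pres["body"]["credential"]
        if not hmac.compare_digest(cred["proof"], mac(self.issuer_key, cred["body"])):
            return None  # credential was not issued by this application
        if cred["body"]["subject"] != user_did:
            return None  # credential belongs to a different DID
        return self.make_jwt({"sub": user_did, "roles": cred["body"]["roles"],
                              "exp": int(time.time()) + 3600})

    def make_jwt(self, claims: dict) -> str:
        head, body = b64url(canon({"alg": "HS256", "typ": "JWT"})), b64url(canon(claims))
        sig = hmac.new(self.jwt_key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        return f"{head}.{body}.{b64url(sig)}"

    def decode_jwt(self, token: str):
        head, body, sig = token.split(".")
        expect = hmac.new(self.jwt_key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(expect), sig):
            return None
        return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

class Wallet:
    def __init__(self):
        self.connections = {}  # app DID -> {"user_did", "secret", "credential"}

    def scan_signup(self, qr: dict) -> str:
        user_did = "did:example:user-" + secrets.token_hex(4)  # unique per application
        self.connections[qr["did"]] = {"user_did": user_did, "credential": None,
                                       "secret": pairwise_secret(qr["invite"], user_did)}
        return user_did

    def store_credential(self, app_did: str, credential: dict):
        self.connections[app_did]["credential"] = credential

    def scan_login(self, qr: dict):
        conn = self.connections.get(qr["did"])
        if conn is None:
            return None  # unknown application DID: present nothing
        body = {"login_key": qr["login_key"], "credential": conn["credential"]}
        return conn["user_did"], {"body": body, "proof": mac(conn["secret"], body)}

def run_flow():
    app, wallet = Application(), Wallet()
    qr = app.signup_qr()                       # sign-up
    user_did = wallet.scan_signup(qr)
    app.accept_connection(qr, user_did)
    wallet.store_credential(app.did, app.issue_credential(user_did, ["customer"]))
    user_did, pres = wallet.scan_login(app.login_qr())   # login
    claims = app.decode_jwt(app.verify_presentation(user_did, pres))
    replay = app.verify_presentation(user_did, pres)     # same login key twice
    lookalike = wallet.scan_login({"did": "did:example:app-other", "login_key": "x"})
    return claims, replay, lookalike
```

Calling `run_flow()` returns the decoded JWT claims (`sub` is the per-application user DID, `roles` is the list carried in the credential), `None` for the replayed presentation, and `None` for the wallet's response to an unknown application DID. The checks in `verify_presentation` are ordered so that the cheapest rejection (an unusable login key) happens before any signature work, and each check is a separate condition so a failure can be logged with its reason.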

So a user can now authenticate to N applications without needing to remember passwords. The user-identifying data (the verifiable credential) stays with the user in their digital wallet, thus keeping the user’s private data truly private. The application also saves the cost of the security infrastructure it previously needed to secure user data, and protects itself from becoming a honeypot for data breaches.

This is a win-win situation for both. Enough of passwords! Let’s bring in the revolution for the next evolution in digital identity management and break away from the shackles of passwords.
