It’s no secret that passwordless authentication is taking over. Global tech leaders, such as Apple, Google, and Microsoft, are shifting towards using passkeys. Taking advantage of public-key cryptography, passkeys bring a near paradigm-shifting experience in digital security.
iThemes has been leading the way towards making WordPress and, ultimately, the whole Internet more secure and usable for everyone. The future is passwordless, and we are here to tell you why.
In this guide to passwordless authentication, you will learn how passkeys overcome the security vulnerabilities of password-based authentication and why you should start using them.
The Journey to Passwordless Authentication
The journey to passwordless authentication has already begun. All major browsers and tech giants have introduced full support for passkeys. 2022 has become a new milestone in implementing more consistent, secure, and easy passwordless sign-ins across multiple devices and digital platforms.
Every year, World Password Day, designated as the first Thursday of May, celebrates the new advances made in a joint effort to make the web more secure and usable for everyone. On May 05, 2022, Apple, Google, and Microsoft announced plans to expand support for the passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.
For years, FIDO (Fast Identity Online) Alliance and the World Wide Web Consortium have been working on a set of standards that will allow passwordless authentication to be implemented across the internet. FIDO 2 is the newest set of specifications, now supported by most browsers and platforms.
We will review how passwordless authentication works in more detail further in the guide. But before that, let’s see why password authentication is now gradually becoming a thing of the past.
Why is Password-based Authentication Left Behind?
Password-based authentication has been with us for almost as long as the internet has existed, allowing users to sign into a website or web application with a credential pair – a username and a password. This approach has proven its reliability and versatility and has been the industry standard for years.
However, despite its easy implementation and usage, numerous drawbacks and security risks associated with password-based authentication were quickly discovered on both the user and the server side. Simply put, both the users and the servers lack the capability to keep the shared secret secure.
The major security risks associated with password-based authentication are centered around using the password as the shared secret. This can become available to a malicious actor at different stages of the authentication process. Passwords can be breached or simply guessed due to a successful brute force attack.
3 Common Ways Passwords Get Exposed
Studies have shown that over 80% of all hacking-related breaches are attributed to password compromises. It means that at some point, the hacker managed to gain unauthorized access to the system by impersonating the rightful owner of a website or a web application. But how exactly do websites get hacked?
The most common ways passwords get exposed include phishing, brute force attacks, and data breaches. Users can be tricked into giving away their authentication information. Or passwords can be guessed or leaked in the event of a data breach on the service provider’s side.
Brute force attacks and data breaches
Brute force attacks are rising, accounting for approximately 80% of all network attacks. Since password guessing has been automated, it does not take much time for the attacker to crack any account.
The hacker’s machine (or even a network of computers known as botnet) can generate thousands of combinations per second. This allows the attacker to gain unauthorized access to a website or a web application in no time.
And if you are wondering why a hacker would attack your website, the explanation is simple. Hackers have the ability to make thousands of web requests per second. They rarely choose what websites they would like to break into – they will try to hack as many as possible.
Gaining administrator access to a website or even a whole server opens up almost unlimited opportunities for hackers to exploit the system. One of which is leaking user information, including usernames and passwords, from the application’s database.
Why Using Strong Passwords Won’t Address All Security Risks
Using strong passwords is absolutely essential and will provide a strong line of defense against brute force attacks. It is believed that using a strong password addresses all security risks. However, it can only decrease the chances of your credentials being compromised to a certain extent.
Only around 30% of users configure two-factor authentication. Without using multi-factor authentication, hackers are just one step away from gaining access to sensitive information.
Setting up one-time passwords, SMS verification, or any other type of 2FA is a great option to overcome most security vulnerabilities of password authentication. However, passkeys can make a real difference in the world of cybersecurity.
What Are Passkeys?
Passkeys are digital credentials powered by asymmetric cryptography that can fully replace password-based authentication. As a form of passwordless authentication, passkeys provide a faster and more secure way to sign into services and applications across multiple user devices.
Passwordless authentication allows you to get away from having to enter a username and password to sign in. Instead, your device will generate a passkey – a pair of cryptographic keys that a certain credential ID will identify.
How Passkeys Ensure Secure Authentication
Every passkey you create is unique and scoped to an individual website or web application. As there are no shared secrets or passwords that the user has to remember, passkeys provide full protection against phishing and brute force attacks.
Once a new passkey is created, the server will save the public key and the credential ID. The private key will be securely stored on the user’s device or a hardware security key such as YubiKey that you can carry around.
To support passkeys, the user’s device must have a Trusted Platform Module (TPM) security chip to perform cryptographic operations such as generating keys, and a platform authenticator. The platform authenticator would usually support multiple types of identity verification, including biometric information and PIN codes.
Passkeys can also be automatically synced between the user’s devices via a cloud service. Therefore, you do not have to create a new key pair on other devices. Passkey syncing is end-to-end encrypted, and the cloud service will securely store an encrypted copy of the passkey.
Even if the public key gets leaked, it will be useless to the hacker without the corresponding private key. This eliminates any possibility of unauthorized access due to a data breach. There is no real way for a malicious actor to impersonate you.
How Do Passkeys Work?
The use of passkeys has become possible thanks to the development of asymmetric cryptography and several standards and protocols created by the FIDO Alliance and the World Wide Web Consortium. Let’s review how passkeys work in more detail by learning more about public key cryptography, WebAuthn, and Client to Authenticator Protocol.
Public Key Cryptography
Public key cryptography, also called asymmetric cryptography, involves a pair of keys – one private and one public – that are used to encrypt and decrypt data exchanged by different parties. The private key must be kept secret, while the public key is published online (or given to the server when a passkey is created).
Aside from passwordless authentication, asymmetric cryptography helps ensure end-to-end encryption to secure traffic traveling over the network. With an SSL/TLS certificate, the private key is installed on the origin server, while the public key in the certificate is used to verify the identity of a website before a connection is established.
Web Authentication API (WebAuthn) and Client to Authenticator Protocol
Along with Client to Authenticator Protocol, Web Authentication API is part of the FIDO2 framework, a set of technologies that make it possible to use passwordless authentication between servers, browsers, and authenticators.
WebAuthn, short for Web Authentication API, is a new specification developed by the World Wide Web Consortium and FIDO that allows servers to implement passwordless authentication. Since 2019, WebAuthn has been supported by all major browsers, including Chrome, Firefox, Safari, and Edge.
As an application programming interface, WebAuthn allows websites and web applications to register and authenticate users using passkeys instead of passwords.
Web Authentication works together with other FIDO standards, such as Credential Management and Client to Authenticator Protocol 2 (CTAP 2). CTAP 2 is an application layer protocol that specifies the communication between the browser, operating system, and a roaming authenticator.
Registering a Passkey
When you register a new passkey to authenticate, the server hosting the application will generate a challenge. Then, your device will create a new key pair, sign the challenge, and send the public key to the server, along with the credential ID.
The server will save the public key and the credential identifier to authenticate you the next time you log in. You can create multiple passkeys for each account for redundancy. This also helps for quicker account recovery in case the primary passkey is lost.
The private key will be saved to your device and securely stored there. The only way you can access the private key is by verifying your identity using a biometric sensor. This includes your fingerprint or facial patterns or a PIN.
The Process Of Passwordless Authentication
Once a new passkey is created for your account, you can leverage passwordless authentication whenever you need to log in to a website or an application. Instead of logging in with a username and password, you can choose to use a passkey.
The server will send the credential ID (or multiple IDs if you have generated more than one passkey for the account) and a challenge. Your device will then use the credential ID to find the right key and request you to validate your identity by using one of the authentication methods supported.
Once the key is unlocked, your device will sign the challenge and send it to the server for authentication. The server will verify the signed challenge using the public key from the pair and grant access to your account.
iThemes Brings Passwordless Authentication to WordPress
WordPress has always been a high-priority target for hackers all around the world.
The rise in the number of attacks on WordPress websites and in global malware volumes does not go unnoticed. As malicious attacks hit more and more targets, website security is now more important than ever.
For years, iThemes has been looking for new ways to protect WordPress websites from ever-increasing security threats. Weekly WordPress vulnerability reports have helped us understand how to secure one of the critical areas of a WordPress website – its admin dashboard.
Passkeys are undoubtedly one of the most remarkable innovations in the world of cyber security. The increasing adoption of passkeys across platforms and operating systems can change the internet forever. WordPress passkeys can make a real difference to WordPress security. And iThemes didn’t wait a minute longer to make passwordless authentication available to the WordPress community.
In September 2022, iThemes Security Pro included support for WordPress passkeys for passwordless authentication. Bringing the latest developments in cyber security to your WordPress website, iThemes Security Pro has taken a huge step towards a more secure and consistent authentication experience.
With iThemes Security Pro, passkeys for WordPress authentication are available across all types of devices. You can use a platform authenticator such as Apple Touch ID, Face ID, and Windows Hello, as well as any roaming authenticator.
Start Using Passkeys For WordPress
To start using passkeys for WordPress admin authentication, make sure to update iThemes Security Pro to the latest version. The option to enable passwordless authentication will be available from the Login Security tab. Once support for passkeys is enabled, configure passkeys for WordPress users from the admin dashboard.
If you are still not taking advantage of automatic WordPress core, theme, and plugin updates, it is time to start. BackupBuddy, an award-winning backup solution for WordPress, will help you build a strong backup strategy to handle all updates with confidence.
Running more than one website? iThemes Sync will help you manage multiple WordPress websites from a single dashboard, saving you time and money. Advanced monitoring, SEO metrics tracking, and integration with BackupBuddy and iThemes Security Pro – all available to you with your personal WordPress website assistant.
How Tech Giants Implement Passkeys
The three global technology giants – Apple, Google, and Microsoft – have led the way toward passwordless authentication across all major browsers and operating systems. Android, iOS, and Windows can now use powerful built-in platform authenticators and sync passkeys across multiple devices.
Apple has introduced passkeys with the release of iOS 16 and macOS Ventura, making passwordless authentication available to users across all Apple devices. Apple’s built-in authenticators, such as Touch ID and Face ID, authorize the use of passkeys in Safari and other major browsers.
Passkeys sync across all of a user’s Apple devices with the help of iCloud Keychain. When a user enables iCloud Keychain for the first time, the Apple device establishes a circle of trust and creates a new unique key pair stored in the device’s keychain. This way, iCloud Keychain provides end-to-end encryption with strong cryptographic keys.
Back in October, Google announced bringing passkey support to Google Chrome and Android. This was a major milestone in integrating passkeys into the ecosystem. On Chrome and Android, passkeys are stored in the Google Password Manager. The credentials are synced between the user’s devices signed into the same Google account.
In the future, Google plans to expand support for passkeys for Android. A new API will enable the use of passkeys for Android applications.
Microsoft has been leading the way in implementing passwordless authentication across the internet. Before 2022, support for passkeys was already included for Windows 365 and Azure Virtual Desktop.
Microsoft enables passwordless logins using Windows Hello, a robust platform authenticator now built into Windows 10 and 11. Microsoft’s implementation of passkeys is similar to Apple’s. It allows you to sync your passkeys between devices signed into the same Microsoft account.
Other Companies Using Passkeys
Several companies have already adopted passwordless authentication based on the standards developed by FIDO Alliance. PayPal, Amazon, eBay, Facebook, Netflix, and IBM are among the innovators bringing passwordless authentication to their platforms.
Based on asymmetric cryptography and many powerful protocols and specifications developed by the FIDO Alliance and the World Wide Web Consortium, passkeys can fully replace password-based authentication in the near future. The largest technology companies are gradually expanding support for passkeys. We can soon forget about brute force attacks and unauthorized access.
Following years of finding the right solution to provide a more consistent authentication experience, passkeys are here to simplify our lives and protect us. Should you already forget what passwords are? Not yet, but you definitely need to be ready to use passkeys.
The Future of Authentication is Passkeys! Login to your WordPress site with Biometrics only available in iThemes Security Pro
The problems of brute force attacks through credential stuffing, phishing attacks, and reused passwords have made our digital lives less secure. We’ve all tried to encourage 2-factor authentication as a protection, but less than 30% of users actually use 2FA. Password-based logins are a problem.
The future of authentication is passkeys, and iThemes Security Pro is the first to bring this breakthrough technology to WordPress sites. Using breakthrough WebAuthn technology based on public/private cryptography, passkeys make passwords obsolete. Now, website admins and end users can have secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.
Kiki has a bachelor’s degree in information systems management and more than two years of experience in Linux and WordPress. She currently works as a security specialist for Liquid Web and Nexcess. Before that, Kiki was part of the Liquid Web Managed Hosting support team where she helped hundreds of WordPress website owners and learned what technical issues they often encounter. Her passion for writing allows her to share her knowledge and experience to help people. Apart from tech, Kiki enjoys learning about space and listening to true crime podcasts.
Keep reading the article at WordPress News | iThemes Blog. The article was originally written by Kiki Sheldon on 2022-11-15 11:47:17.