Demonstration of cross-browser passwordless authentication
Two apps published on GitHub, one that uses a NoSQL database (MongoDB) and one that uses an SQL database (MySQL), demonstrate a simple method of cryptographic authentication that allows the user to log in without a password on any browser, on any device. Both can be set up on an Amazon AWS EC2 server; an installation script and set-up instructions are provided.
Demonstration of two-factor cryptographic authentication with a fusion credential
One-factor cryptographic authentication with a key pair has the security benefit of resisting both ordinary phishing and man-in-the-middle (MITM) phishing attacks, and the usability benefit of being passwordless. But a cryptographic factor is a possession factor, and as such is inherently vulnerable to theft of the device that holds the private key. For that reason it is typically used in conjunction with a second factor, such as a knowledge factor (a PIN or password) or an inherence factor (a biometric).
There are three methods of adding a second factor to a cryptographic factor.
- One is to use the second factor to unlock the first factor. This is often done in smart cards, such as the US Government’s Personal Identity Verification (PIV) card, which must be unlocked with a PIN or biometric before use, and FIDO2 credentials stored in platform authenticators, which must be unlocked by the same PIN or biometric used to unlock the device.
- Another is to use both factors independently of each other. For example, the relying party (RP) could ask for a password in addition to verifying a signature on a challenge computed with the private key. This would provide protection against impersonation after device theft or following a successful MITM phishing attack, since the attacker would hold only one of the two factors. But it would leave the password itself vulnerable to phishing attacks, reuse at malicious sites and backend breaches.
- A third method is to combine both factors into a fusion credential where they protect each other and thus provide more security than if they were used independently.
As in the one-factor passwordless authentication demos, the user can log in on any browser on any device. But whereas in one-factor cryptographic authentication a different randomly generated key pair is used in each browser, in two-factor authentication the same cryptographic credential must be used in all browsers, because it must be fused with the same password. As explained in more detail in the blog post and in the README.md file of the repository, this is achieved without synchronization by generating the cryptographic credential from the email address and a rotatable master secret.