A Tale of Two Keys: The Simple Explanation of Passwordless
How could having no password be more secure than having a password? Isn’t that like removing the lock on your door for the sake of convenience? For those familiar with the principles of asymmetric cryptography, the answer to those questions may be obvious, but for the rest of you I have written up an easy explanation.
It may seem obvious, but in order to explore better alternatives to passwords, we need to establish the reason for their existence. Passwords act as an identifier. They are used to establish that you are you. Having said that, there are many reasons why passwords are ineffective as an identifier.
Passwords are what is referred to as a “symmetric secret”, which means both sides of the exchange (the person entering the password and the application that verifies the password is correct) need to know the secret and have it stored somewhere. The person has it stored in their brain (although some may resort to sticky notes, spreadsheets, or password managers, but that’s another discussion) and the application has it stored in a database. When you read in the news about massive password leaks and data breaches, that is because someone nefariously accessed all the passwords stored within the database. This symmetry, the secret being known by both sides and having to be stored -- sometimes insecurely -- is the main reason passwords are such a major security issue.
The second issue with passwords is that they are not an identifier of you; they are an identifier of something you know. However, you knowing something does not prevent others from knowing that same thing. To make the point more clear, let’s consider two home security systems: One disarms when a magic word is spoken and the other disarms with a physical key. Anyone can overhear your magic word or even try magic words until they find one that works, whereas no one knows what your physical key looks like and they can not replicate your key unless they have it in their possession. So why would you trust a password to protect your banking information or email inbox? It’s just like a magic word that can easily be overheard.
Rather than a “symmetric secret” like a password, Beyond Identity uses what is called an “asymmetric secret.” The secret exists only on the side of the person trying to access the application and is never known by the application granting access.
This is done through the use of two keys, a private key that never leaves your device (your computer or mobile device) and a public key, which is made available to the applications you want to log in to.
This public key, despite its name, acts more like a keyhole than a key. Unlocked with a digital signature, known as a certificate (created using your private key), the public key can only determine whether the digital signature is capable of unlocking it or not. It can not see your private key and your private key can not be copied or derived from the public key.
This solves the problem of your secret being stored in a database that someone can access. Your secret is stored only on your device. Unless someone has access to and can unlock your personal device, they have no way to log in to your applications.
Taking this even further, not even the person logging into the application “knows” the asymmetric secret, at least not in the way they know a password. There is nothing you could write down or accidentally reveal to someone that would give them access to your accounts.
This method is commonly known as PKI (Public Key Infrastructure) and is not new in its usage as a verification solution. Although Beyond Identity has introduced the concept of the personal certificate authority, which allows PKI to be used to verify individual identity and replace passwords, the concept has been used to secure online transactions for decades in the form of SSL/TLS. Banks, e-commerce, and any website you have ever visited that have a padlock next to the URL are relying on TLS, which leverages PKI for verification.
In these instances, TLS, and the PKI that underpins it, is used to verify that the site you are visiting is actually the site it is claiming to be and not a fraud. Beyond Identity has adapted the same technology to verify that the user accessing an application is actually who they say they are.
On one hand, you have a password, which is stored both in your mind and in a database, as a way to identify that you are in fact who you say you are. On the other hand, you have a key that is securely stored within your personal device and nowhere else and can not be removed or viewed by anyone as a way to identify that you are you.
This is how not having a password can be more secure than having one. Rather than removing the locks on your house, you are replacing them with new locks that do not need magic words and that cannot be opened by anyone else.