Hi folks! So today we're going to talk about registration. Specifically, all of the things that are wrong with registration conducted with a password.
So, what you're seeing here is a very standard sign-in page, right? Username. Password. So, what's wrong here? What's wrong with this picture? Well, a password on the user experience front might require capitalized letters, special characters, or even numbers, which is the first hoop that a user would have to jump through.
Then you might say, oh, I don't want my users to use previously breached passwords. So then the user might say, oh, man, okay, I have to use another one. And if you want to add additional security, you might say, okay, give me a security question, or I'm going to send you a one-time code to your phone. All of these steps represent potential friction points where the user could drop off. And remember at registration, this is a completely new user. Which means that if they don't convert and activate as an engaged user on your platform, you could lose them forever. So, user friction is obviously a really big deal when it comes to registration.
At the same time, on the security side, the password is fundamentally insecure. Why is it insecure, right? So the password is insecure because it is a shared secret. A shared secret means that it can be distributed among many parties. A user might choose to keep it on a sticky note where people can see it. You know, as they're typing, there might be keyloggers that are capturing their keystrokes. Passwords and one-time codes are easily and frequently phished, right? So all of these are security vulnerabilities associated with the password. Again, inherent in the nature of a shared secret is that you have to store it.
So here is your database. You necessarily have to store this password because that is how you're authenticating a user. So, Beyond Identity looked at this and said, "You know what? Enough is enough! What if we eliminate the password completely, and shared secrets completely?" So that what you get instead is asymmetric cryptography, leveraging public-private key pairs across every single device. What happens to the user experience? The user no longer has to jump through all of these hoops; instead, they can just get started in your application! Right? And your security team will be much happier for it. Right? Because the shared secret is eliminated, there's nothing to store, and what doesn't exist cannot be stolen, cannot be logged and cannot be phished! Right?
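The flow the talk describes, written out as an added example (this is not Beyond Identity's code and does not come from the talk): the device generates an Ed25519 key pair at registration, the server's database stores only the public key, and login is a signature over a fresh challenge. The Server and Device types, their field names and the 32-byte nonce size are my own assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Server stores one thing per user: the public key. Nothing in Users is a secret,
// so a stolen copy cannot be used to log in. Pending: one live nonce per user.
type Server struct {
	Users   map[string]ed25519.PublicKey
	Pending map[string][]byte
}
func NewServer() *Server {
	return &Server{Users: map[string]ed25519.PublicKey{}, Pending: map[string][]byte{}}
}
// Register records the public key the device generated; no password exists.
func (s *Server) Register(user string, pub ed25519.PublicKey) bool {
	if _, taken := s.Users[user]; taken || len(pub) != ed25519.PublicKeySize {
		return false
	}
	s.Users[user] = pub
	return true
}
// Challenge issues a fresh random nonce for one attempt, for any name (no user enumeration).
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand: the reply cannot be precomputed
	s.Pending[user] = nonce
	return nonce
}
// Authenticate verifies the signature over the pending nonce with the stored
// public key and consumes the nonce, so a captured reply cannot be replayed.
func (s *Server) Authenticate(user string, nonce, sig []byte) bool {
	pub, known := s.Users[user]
	pending, live := s.Pending[user]
	delete(s.Pending, user)
	if !known || !live || string(pending) != string(nonce) {
		return false
	}
	return ed25519.Verify(pub, nonce, sig)
}
// Device side: the private key is generated here and never leaves the device.
type Device struct{ priv ed25519.PrivateKey }
func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	return &Device{priv: priv}, pub, err
}
// Sign answers a challenge; this is the whole login step on the user's side.
func (d *Device) Sign(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }
```

Note what a leaked Users table gives an attacker: public keys only, which cannot produce a valid signature, and a replayed signature fails because each nonce is consumed on first use.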