DEV Community

Vansak Choi for KOSIGN

Guide to Web Authentication

A better alternative for securing our sensitive information online

https://webauthn.guide/

Top comments (4)

Andrei Dascalu

Difficult to take seriously an article built on misconceptions.

  1. A password identifies you: nope, a password doesn't identify you. A username identifies you. A password authenticates you. You need both.

  2. A password is a shared secret: the definition of a shared secret varies just slightly depending on whom you ask. In cryptography it refers to (usually) a key that decrypts communication that is known by two parties involved. As such, it must be accessible as-is to both parties. A password in common usage is not known to both parties; it's known only to you. The party that authenticates you doesn't need the password; they need to infer equality from a cryptographically secure hash (since they have no use for it in order to do anything beyond a match).

Vansak Choi • Edited

I think a password can identify oneself, because, at present, there are so many passwords to remember and users tend to make simple passwords that have patterns which are easy to hack.

Andrei Dascalu

Yeah, but you don't use just a password to log in. It's the combination of user + password that needs to match.

There are 3 different concepts involved:

  1. Identification - know which user you're dealing with. That's the purpose of a username. It identifies you uniquely. Several people might have the same password, so the password alone doesn't do anything. Some platforms can have several conditions for identification (e.g. see AWS, where to log in as an IAM user you need to know the account number + your username).

  2. Authentication - for an identified user, verify that they are who they say they are. That's what a password does.

  3. Authorization - for an authenticated user, what can they do?
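
The points in the two comments above (the server keeps only a hash and checks equality, and identification, authentication and authorization are separate steps) as an added example; this is illustrative code, not from the post or the linked guide, with a constructed in-memory user store and hypothetical function names:

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000
# Constructed in-memory store: username -> salt, PBKDF2 hash, permitted actions.
# The server never keeps the password itself, only a salted hash of it.
USERS = {}

def register(username, password, actions):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    USERS[username] = {"salt": salt, "hash": digest, "actions": frozenset(actions)}

def identify(username):
    """Identification: which account is this? Only the username is unique."""
    return USERS.get(username)

def authenticate(username, password):
    """Authentication: recompute the hash with the stored salt and compare it
    in constant time. True only when username AND password match."""
    record = identify(username)
    if record is None:
        # Spend comparable time so an unknown username is not cheaper to test.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])

def authorize(username, action):
    """Authorization: what may an already-authenticated user do?"""
    record = identify(username)
    return record is not None and action in record["actions"]

def login(username, password, action):
    """Run the three steps in order; each later step depends on the earlier one."""
    if not authenticate(username, password):
        return "denied: bad credentials"
    if not authorize(username, action):
        return "denied: not permitted"
    return "ok"

if __name__ == "__main__":
    register("alice", "correct horse", {"read"})
    register("bob", "correct horse", {"read", "write"})  # same password, different identity
    print(login("alice", "correct horse", "write"))      # denied: not permitted
    print(login("bob", "correct horse", "write"))        # ok
```

Because each user gets a fresh salt, alice and bob end up with different stored hashes even though they chose the same password, which is why the password on its own cannot identify anyone.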

Techyez

nice