What?
They’re modern, more secure alternatives to passwords. They use public-key cryptography.
How?
- When signing up to the website, a public-private key pair is generated. The private is stored securely on user’s hardware.
- When logging in, server sends a challenge (just a large random number) to the user.
- The user signs the challenge with their private key.
- If the server can decrypt it with the public key, the user must own the private key (akin to proof of knowledge).
Benefits:
This brings a slew of benefits:
- Can’t be phished
- Resistant to replay attacks and eavesdroppers.
Why did this take so long?
You may be thinking, “Ok Leo, but asymmetric encryption has been around for a long time. Why is this only now popping off?“. Couple of reasons:
- Only recent adoption from device makers for cross compatibility
- Ease of use: Before, it would have been a pain for users to manage their private keys. But with Apple (and others) incorporating more intuitive UX, users simply have to use their fingerprint / FaceID to work.
- Consumer education is a big one.