Passwords are so 1990 - Sam Bellen - PHP UK 2022
Join Sam Bellen as he explores the fate of passwords and introduces WebAuthn, a password-less authentication system using private and public keys, promising better UX, phishing resistance, and secured storage.
- Passwords are inconvenient and vulnerable to attacks, but will not be replaced entirely.
- WebAuthn is a password-less authentication system using private and public keys.
- YubiKey is a hardware authenticator that can be used with WebAuthn.
- Public keys can be shared with third parties, but private keys must be stored securely on the authenticator device.
- WebAuthn has a better user experience, no need to remember passwords, and is phishing-resistant.
- Migrating from passwords to WebAuthn requires defining what counts as a password and ensuring user interaction is built into the authenticator device.
- Two-factor authentication using SMS messages or authenticator apps can still be used.
- The public key is what verifies the user's identity; the private key is never shared.
- Private keys should not be stored in plain text.
- WebAuthn is a W3C recommendation, available in all modern browsers.
- It is still possible to use passwords with WebAuthn.
- Some devices, like iPhones, may use Face ID or Touch ID instead of passwords.
- Authentication processes, including step-up authentication, should be protected.
- Complexity of passwords is less important than length.
- Randomization and length are more important than complexity.
- Password managers can help remember and generate strong passwords.
- Authenticator apps can also generate one-time passwords.
- Confidentiality, integrity, and availability of user data should be ensured.