Let’s face the facts: it’s 2023, and passwords are becoming obsolete as an authentication method. This was unimaginable a few years ago, but it’s happening. There is no choice but to adapt or be forgotten; the tech industry shows no mercy to anyone.
So, why is it happening? How can something that was so reliable a few years ago become obsolete? Look closely and the mystery is easy to solve. First and foremost, a password is only as strong as the effort the user puts into creating it. Many people are in a hurry to secure their accounts and therefore choose weak passwords that they can remember. That is a shame, considering that plenty of browsers and password managers can remember passwords for us.
Three passwordless authentication methods
There are plenty of authentication methods that don’t involve passwords. Let’s consider three of them: host-based authentication, certificate-based authentication, and SSH key authentication.
Instead of a username and password, certificate-based authentication relies on a certificate authority (CA) to vouch for the user’s identity. The user gains access once the server verifies that the user’s certificate was signed by a CA it trusts.
With SSH key authentication, the private key is held by the client and kept secret, while the public key is shared and can be used to encrypt messages that only the private key can decrypt. Once the public key is placed in the authorized_keys file on the target server, that user account is associated with the public key. During authentication, the server generates a message encrypted with the public key and sends it to the SSH client, which decrypts it with the private key held by the user.
Host-based authentication, as its name suggests, authenticates the client host rather than each individual user, so that users on a trusted host are allowed in. To enable it, both the SSH client and the server must be prepared, with files configured on both sides. Once the client is populated with the server’s public keys and the system-wide configuration is set up, the client system’s own host keys can be configured. On the server side, files must be modified to enable host-based authentication and to accept the client’s host public keys.
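As an added example (not part of the original article), here is a POSIX shell audit of an sshd_config fragment covering the server side of the two methods above: it checks that password logins are off, that public-key logins are on, and reports the host-based setting, then emits a hardened copy. The sample configuration is constructed, and the helper names (effective_value, check_passwordless, harden_config) are my own.

```shell
#!/bin/sh
# Constructed sample sshd_config fragment; not taken from any real host.
SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
PasswordAuthentication yes
PubkeyAuthentication yes
HostbasedAuthentication no
#KbdInteractiveAuthentication no'

# effective_value CONFIG KEYWORD
# sshd honours the FIRST uncommented occurrence of a keyword (keywords are
# case-insensitive); later duplicates are ignored. Match blocks are not
# modelled here; `sshd -T` on a live host prints the full effective config.
effective_value() {
    printf '%s\n' "$1" | awk -v kw="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(kw) { print $2; exit }'
}

# check_passwordless CONFIG
# Returns 0 when password logins are off and key logins are on; otherwise
# prints one FINDING per problem and returns 1. Absent keywords take the
# sshd defaults (PasswordAuthentication yes, PubkeyAuthentication yes).
check_passwordless() {
    pw=$(effective_value "$1" PasswordAuthentication)
    pk=$(effective_value "$1" PubkeyAuthentication)
    hb=$(effective_value "$1" HostbasedAuthentication)
    rc=0
    [ "${pw:-yes}" = "no" ] || { echo "FINDING: PasswordAuthentication ${pw:-yes} (default yes): set to no"; rc=1; }
    [ "${pk:-yes}" = "yes" ] || { echo "FINDING: PubkeyAuthentication $pk: set to yes"; rc=1; }
    # Host-based auth is off by default; surface it so a reviewer sees it.
    echo "INFO: HostbasedAuthentication ${hb:-no}"
    return $rc
}

# harden_config CONFIG
# Emit CONFIG with the first effective PasswordAuthentication forced to no,
# appending the directive when it is absent entirely.
harden_config() {
    printf '%s\n' "$1" | awk '
        !seen && $1 !~ /^#/ && tolower($1) == "passwordauthentication" {
            print "PasswordAuthentication no"; seen = 1; next }
        { print }
        END { if (!seen) print "PasswordAuthentication no" }'
}

# Stand-alone demonstration: report findings, then show the hardened copy.
check_passwordless "$SAMPLE_SSHD_CONFIG" || echo "--- hardened config:"
harden_config "$SAMPLE_SSHD_CONFIG"
```

Keep the public key in the user's authorized_keys file and confirm a key-based login works before the hardened configuration is reloaded, since disabling password authentication first can lock you out.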
Each of these three passwordless authentication methods offers real benefits, such as cryptographic strength, the ability to carry additional identity information, and access across a fleet of hosts.