• Nilesh Dhande

Password based Authenticator Vs Cryptographic Authenticator - 12 Things to know

Updated: Dec 18, 2020

Password based authenticators are a widely used means of authentication for digital services. Examples include a password, a PIN, a secret question and answer, a one-time password (OTP), an offline OTP, a transaction password, a CVV and VBV. Password based authenticators have inherent vulnerabilities that lead to cyber threats and attacks.

An effective alternative that eliminates these vulnerabilities is the cryptographic authenticator: one designed to be equally easy to deploy and use, to scale, and to save money. This document elaborates the what, why and how of Pi-Control Cryptographic Authenticators.

Why Cryptographic Authenticators?

There are 4 reasons:

  1. Because password based authenticators are vulnerable to cyber attacks (elaborated further on in this article)

  2. Because PKI based authenticators are only theoretically viable: in practice they are difficult to deploy, use, adopt, run and economically scale, and no one uses them

  3. Because cryptographic authenticators can be designed to be easier to deploy, integrate, use and adopt, eliminating the vulnerabilities of password based authenticators and the complexities of PKI

  4. Because a well designed cryptographic identity based authenticator is useful beyond authentication, for provable consent, encryption and transaction e-signing

Cryptographic Authenticator Vs Password based Authenticator

[Figure: Password Authenticator vs Cryptographic Authenticator]

Vulnerabilities of Password based Authenticator

Phreaking (Theft on Phone):

a. User gives away the secret (password, OTP, CVV) to a fraudster over a phone call

b. User authorizes a transaction received as a payment link

Social Engineering:

a. Fraudster captures the password using tools

b. Fraudster guesses the password using user data

c. User knowingly shares it with the fraudster

Honeypot Attack:

a. User sets one password for all digital accounts, which then gets compromised

b. An email or document containing all of the user's passwords is compromised

MITM: A fraudster sniffs the password through malware on the machine, in the browser, on the router, etc.
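The vulnerability list above has one thing in common: a password, OTP or CVV is a reusable secret, so whoever captures it (on the phone, through malware, from a reused-password dump) can present it again. The following Go program is an added example, not code from the original article and not the Pi-Control product, that contrasts the two authenticator families on exactly that point. It models a password check beside a challenge-response authenticator in which the server stores only an Ed25519 public key, every nonce is single-use, and the signature is bound to the service origin. The origins, the password and the verifier types are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Constructed illustration: toy verifiers, not a standardised protocol.

// PasswordVerifier models a password based authenticator: the server holds
// the same secret the user types, so anyone who learns it can present it again.
type PasswordVerifier struct{ secret []byte }

func (v PasswordVerifier) Check(presented []byte) bool {
	return subtle.ConstantTimeCompare(v.secret, presented) == 1
}

// ChallengeVerifier models a cryptographic authenticator. The server stores a
// public key and, per login, a fresh random nonce; the user's device signs
// origin||nonce with a private key that never leaves the device.
type ChallengeVerifier struct {
	origin string            // service identity the signature must be bound to
	pub    ed25519.PublicKey // public key only; useless to an attacker who steals it
	issued map[string]bool   // nonces handed out and not yet consumed
}

func NewChallengeVerifier(origin string, pub ed25519.PublicKey) *ChallengeVerifier {
	return &ChallengeVerifier{origin: origin, pub: pub, issued: map[string]bool{}}
}

// Challenge issues a single-use 16-byte nonce.
func (v *ChallengeVerifier) Challenge() []byte {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	v.issued[string(nonce)] = true
	return nonce
}

// signedMessage binds the nonce to the origin so a signature produced for
// one site cannot be relayed to another.
func signedMessage(origin string, nonce []byte) []byte {
	return append([]byte(origin+"\x00"), nonce...)
}

// Check accepts a signature once, and only for a nonce this server issued.
func (v *ChallengeVerifier) Check(nonce, sig []byte) bool {
	k := string(nonce)
	if !v.issued[k] {
		return false // unknown or already-consumed nonce: replay or forgery
	}
	delete(v.issued, k) // consume first so a second attempt fails regardless
	return ed25519.Verify(v.pub, signedMessage(v.origin, nonce), sig)
}

// Device is the user's authenticator; it signs for the origin it actually sees.
type Device struct{ priv ed25519.PrivateKey }

func (d Device) Sign(originSeen string, nonce []byte) []byte {
	return ed25519.Sign(d.priv, signedMessage(originSeen, nonce))
}

// ReplayCapturedPassword: an attacker who learned the password replays it.
// Returns true if the attacker is accepted.
func ReplayCapturedPassword() bool {
	server := PasswordVerifier{secret: []byte("correct horse battery staple")} // constructed
	captured := []byte("correct horse battery staple")
	return server.Check(captured)
}

// ReplayCapturedSignature: an attacker who sniffed a complete login (nonce and
// signature) replays the same bytes. Returns true only if they are accepted.
func ReplayCapturedSignature() bool {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	server := NewChallengeVerifier("bank.example", pub) // constructed origin
	dev := Device{priv}
	nonce := server.Challenge()
	sig := dev.Sign("bank.example", nonce)
	if !server.Check(nonce, sig) {
		panic("legitimate login should succeed")
	}
	return server.Check(nonce, sig) // second presentation of the same bytes
}

// RelayedChallenge: a look-alike site forwards the bank's nonce to the victim's
// device, which signs for the origin it sees. Returns true only if the bank
// accepts the relayed signature.
func RelayedChallenge() bool {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	bank := NewChallengeVerifier("bank.example", pub)
	dev := Device{priv}
	nonce := bank.Challenge()
	sig := dev.Sign("bank-login.example", nonce) // constructed look-alike origin
	return bank.Check(nonce, sig)
}

func main() {
	fmt.Println("password replay accepted:   ", ReplayCapturedPassword())
	fmt.Println("signature replay accepted:  ", ReplayCapturedSignature())
	fmt.Println("relayed challenge accepted: ", RelayedChallenge())
}
```

The three scenario functions map onto the list above: the replayed password is accepted because the shared secret is all the server ever checks, whereas the replayed signature fails on the consumed nonce and the relayed one fails on the origin mismatch, and a leak of the server's stored public key gives an attacker nothing to present.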

It has been more than two decades since digital beings began using passwords to lock the doors of their digital accounts. The lock is old enough to be changed. Enterprises have been exposed to all the vulnerabilities mentioned above. Therefore it is time to upgrade the identity and access security game to a new level with mathematical science such as cryptography.


©2020 by Fortytwo Labs LLP