Password based Authenticator Vs Cryptographic Authenticator - 12 Things to know
Updated: Dec 18, 2020
Password based authenticators are a widely used means of authentication for digital services. Examples include a password, a PIN, a secret question and answer, a one-time password (OTP), offline OTP, transaction password, CVV and VBV. Password based authenticators have inherent vulnerabilities that lead to cyber threats and attacks.
Cryptographic authenticators are an effective alternative that eliminates these vulnerabilities. The alternative is a cryptographic authenticator designed to be equally easy to deploy and use, and to scale while saving money. This document elaborates the what, why and how of Pi-Control Cryptographic Authenticators.
Why Cryptographic Authenticators?
There are 4 reasons:
1. Because password based authenticators are vulnerable to cyber attacks; these are elaborated further on in this article.
2. Because PKI based authenticators are only theoretically possible. In practice they are difficult to deploy, use, adopt, run and scale economically, and no one uses them.
3. Because cryptographic authenticators can be designed to be easier to deploy, integrate, use and adopt, they eliminate the vulnerabilities of password based authenticators and the complexities of PKI.
4. Because a well designed cryptographic identity based authenticator is also useful, beyond authentication, for provable consent, encryption and transaction e-signing.
Cryptographic Authenticator Vs Password based Authenticator
Vulnerabilities of Password based Authenticator
Phreaking (theft over the phone):
  a. User gives away the secret, password, OTP or CVV to a fraudster over a phone call
  b. User authorizes a transaction received as a payment link
  a. Fraudster captures the password using tools
  b. Fraudster guesses the password using user data
  c. User shares it with the fraudster knowingly
  a. User sets one password for all digital accounts, and it gets compromised
  b. An email or document containing all of the user's passwords is compromised
MITM: A fraudster sniffs the password through malware on the machine, in the browser, on the router, etc.
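Every vulnerability listed above works because a password, OTP or CVV is a static secret: whoever captures it once can replay it. The added example below (not part of the original article or the Pi-Control product; all class and function names are hypothetical, and the authenticator is modelled as a simple HMAC challenge-response device rather than any specific vendor design) contrasts a replayable password with a response bound to a single-use server challenge and to the transaction being approved, which is also the idea behind the transaction e-signing use mentioned earlier.

```python
import hashlib
import hmac
import secrets


class PasswordService:
    """Shared-secret verifier: anyone who learns the password can log in."""

    def __init__(self, password: str):
        self._pw_hash = hashlib.sha256(password.encode()).digest()

    def login(self, submitted: str) -> bool:
        got = hashlib.sha256(submitted.encode()).digest()
        return hmac.compare_digest(self._pw_hash, got)


class ChallengeService:
    """Verifier for a symmetric cryptographic authenticator: the device
    returns HMAC(key, nonce || transaction). Each nonce is accepted once."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending: set[bytes] = set()  # issued, not yet consumed

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, txn: str, response: bytes) -> bool:
        if nonce not in self._pending:  # replayed or never issued
            return False
        self._pending.discard(nonce)    # single use, even if the check fails
        expected = hmac.new(self._key, nonce + txn.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def authenticator_respond(key: bytes, nonce: bytes, txn: str) -> bytes:
    """What the user's device computes; the key itself never leaves it."""
    return hmac.new(key, nonce + txn.encode(), hashlib.sha256).digest()


def demo() -> dict:
    """Constructed scenario: a fraudster who sniffed one exchange tries again."""
    results = {}
    pw = PasswordService("hunter2")                     # constructed sample
    results["password_replay"] = pw.login("hunter2")    # captured once, reused: True
    key = secrets.token_bytes(32)                       # provisioned into the device
    svc = ChallengeService(key)
    nonce, txn = svc.issue_challenge(), "pay 10.00 to merchant-A"
    resp = authenticator_respond(key, nonce, txn)
    results["legit"] = svc.verify(nonce, txn, resp)                     # True
    results["replay"] = svc.verify(nonce, txn, resp)                    # False, nonce spent
    nonce2 = svc.issue_challenge()
    results["tampered_txn"] = svc.verify(nonce2, "pay 999.00 to X", resp)  # False
    return results
```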
It has been more than two decades since people started using passwords to lock the doors of their digital services. The lock is old enough to be changed. Enterprises have been exposed to all the vulnerabilities mentioned above. Therefore it is time to take identity and access security to a new level with the mathematical science of cryptography.