Passwordless authentication and its advantages

Latest reply: Oct 29, 2021 05:32:12 1353 39 17 0 0

Recently, Microsoft announced that users can access their consumer accounts without providing passwords, using more secure authentication methods instead. Liat Ben-Zur, Corporate Vice President, expressed high approval for using passwordless methods. So, what is passwordless authentication, and what advantages does it provide?

What is passwordless authentication?

The combination of username and password, the traditional authentication method, is increasingly becoming a bottleneck in the user experience. For security reasons, more and more companies require consumers to set complex passwords that mix uppercase and lowercase letters, numbers, symbols, etc. Though that helps against hackers, it also confuses consumers.

To resolve that annoying scenario, passwordless authentication is proposed.

Actually, you may have used passwordless authentication without knowing it. The most widely used passwordless authentication methods are fingerprint and facial recognition, which have spread widely as the number of smartphones has grown.

Advantages of passwordless authentication

Compared with traditional authentication, passwordless authentication uses biometrics, such as fingerprint and facial recognition, or other forms of identity verification compatible with the FIDO2 specifications, such as YubiKeys or Titans. The biometric password brings not only convenience but also higher security.

Passwordless authentication doesn't mean insecurity; on the contrary, passwordless authentication is more secure. Generally, we believe that no two human beings have the same biometrics. The unique biometrics give a unique password during identification. In addition, biometrics are much harder to hack than a combination of letters, numbers, and symbols. What's more, passwordless authentication is the best way to solve password fatigue: it doesn't require you to change your password every month.

How to log in without a password?

Traditionally, when you register on a website, you are asked to fill in a username and password, which help the server identify you. Once you submit the information, you have to trust the server not to leak your username and password to others; otherwise, your data may be lost without your knowledge.

With passwordless authentication, you do not have to trust the server unconditionally.

Passwordless authentication uses public key certification. Public key certification uses a pair of keys: one is the public key, and the other is the private key. The public key can be accessed by anyone and is used to encrypt content. The private key is accessible only to its owner and is used for decryption.

Public key certification includes two processes: session key generation and certification.

Both the server and the client have their own public keys and secret keys. For ease of description, these symbols are used below.

  • Ac: Client public key

  • Bc: Client secret key

  • As: Server public key

  • Bs: Server secret key

  • Session key generation

  1. The client requests to connect to the server, and the server sends As to the client.

  2. The server generates a session ID (session-id), sets it to p, and sends it to the client.

  3. The client generates a session key, sets it to q, and calculates r = p xor q.

  4. The client encrypts r with As and sends the result to the server.

  5. The server uses Bs to decrypt and obtain r.

  6. The server performs the operation of r xor p to obtain q.

  7. So far, both the server and the client know the session key q, and all subsequent transmissions will be encrypted by q.

  • Certification

  1. The server generates a random number x, encrypts it with Ac to produce the result S(x), and sends it to the client.

  2. The client uses Bc to decrypt S(x) and obtain x.

  3. The client calculates the MD5 value n(q+x) of q + x, where q is the session key obtained in the previous process.

  4. The server calculates the MD5 value m(q+x) of q + x.

  5. The client sends n(q+x) to the server.

  6. The server compares m(q+x) and n(q+x). If the two are the same, the authentication is successful.

And the whole process is drawn as below:

passwordless authentication
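
The two exchanges above, traced end to end as an added example (not code from the original post). It assumes textbook RSA without padding over fixed Mersenne primes as a toy stand-in for the key pairs, 64-bit values for p, q and x, and reads "q + x" as byte concatenation; the names `toy_keypair`, `rsa`, `digest` and `handshake` are hypothetical.

```python
import hashlib
import hmac
import secrets

E = 65537    # public exponent (assumption; the post does not name one)
WIDTH = 32   # bytes per value when hashing; covers every toy modulus below

def toy_keypair(prime_a, prime_b):
    """Textbook RSA key pair (public, secret) from two fixed primes. Toy only."""
    n = prime_a * prime_b
    d = pow(E, -1, (prime_a - 1) * (prime_b - 1))
    return (n, E), (n, d)

def rsa(key, value):
    """Raw RSA: encrypts with a public key, decrypts with a secret key."""
    n, exponent = key
    return pow(value, exponent, n)

def digest(q, x):
    """MD5 of q + x, read here as concatenation of fixed-width bytes."""
    data = q.to_bytes(WIDTH, "big") + x.to_bytes(WIDTH, "big")
    return hashlib.md5(data).hexdigest()

# Constructed keys: Mersenne primes, far too small and structured for real use.
As, Bs = toy_keypair(2**61 - 1, 2**89 - 1)     # server public / secret
Ac, Bc = toy_keypair(2**107 - 1, 2**127 - 1)   # client public / secret

def handshake(client_secret_key):
    """Run both phases; return (session keys agree, authentication succeeded)."""
    # Session key generation
    p = secrets.randbits(64)                   # step 2: server's session ID
    q = secrets.randbits(64)                   # step 3: client's session key
    r_encrypted = rsa(As, p ^ q)               # steps 3-4: r = p xor q under As
    q_server = rsa(Bs, r_encrypted) ^ p        # steps 5-6: server recovers q
    # Certification
    x = secrets.randbits(64)                   # step 1: server's random number
    s_x = rsa(Ac, x)                           #         S(x), sent to the client
    x_client = rsa(client_secret_key, s_x)     # step 2: client decrypts S(x)
    n_value = digest(q, x_client)              # step 3: client's n(q+x)
    m_value = digest(q_server, x)              # step 4: server's m(q+x)
    return q_server == q, hmac.compare_digest(m_value, n_value)  # steps 5-6

if __name__ == "__main__":
    _, wrong_key = toy_keypair(2**61 - 1, 2**127 - 1)  # not the pair of Ac
    print("holder of Bc:", handshake(Bc))
    print("wrong secret key:", handshake(wrong_key))
```

A client that does not hold Bc cannot recover x from S(x), so its digest differs from the server's and the comparison in the last step fails even though the session key itself was agreed.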


IndianKid
Moderator Author Created Sep 25, 2021 06:57:52

Very useful post, Thanks for sharing, well done my friend

user_4396693
user_4396693 Created Oct 16, 2021 05:38:55 (0) (0)
 
Nice!
It's more convenient to use the fingerprint to log in than the password.

umaryaqub
umaryaqub Created Sep 26, 2021 08:06:50 (0) (0)
Thanks for the invite  
shakeela
shakeela Created Sep 26, 2021 16:56:07 (0) (0)
 
AliBinHussain
AliBinHussain Created Sep 26, 2021 17:03:30 (0) (0)
 
user_4147187
user_4147187 Created Sep 27, 2021 00:41:50 (0) (0)
 
cmarban
cmarban Created Oct 4, 2021 22:31:19 (0) (0)
I think that it is necessary and useful because it enhances security
This is quite unique and new. But at the same time, very useful. Now that we have multiple accounts for work, social, personal stuff, it is really tough to manage all the same. With this, it'll be relatively easier to manage all that.

chenhui
chenhui Created Sep 27, 2021 01:04:41 (0) (0)
Can't agree more, massive passwords and usernames always confuse me. :(  
umaryaqub
umaryaqub Reply chenhui  Created Sep 27, 2021 09:06:13 (0) (0)
Single sign-on was the option but this passwordless tech is much better  
Passwordless authentication is great and very useful for everybody, but I am sure it has some vulnerabilities. Waiting for your next post talking about the vulnerabilities.

Thank you for this great post!

chenhui
chenhui Created Sep 27, 2021 02:58:30 (0) (0)
Thank you! The greatest threat of passwordless authentication, I think, is the real privacy disclosure.
Cool Topic

Advantages of Passwordless Authentication
Passwordless Authentication Improves User Experience.
You Don't Need to Worry About Password Theft.
Passwordless Authentication Solutions Protect Against Brute-Force Attacks.
Passwordless Authentication Strengthens Your Organization's Cyber Security Posture.


chenhui
chenhui Created Sep 27, 2021 02:58:54 (0) (0)
Great supplement!  
A very interesting development to take note of.

This is very useful!
BTW, can you share more? (That would be better)
