Check out a free preview of the full Web Authentication APIs course:
The "Multi-Factor & Passwordless Authentication" Lesson is part of the full, Web Authentication APIs course featured in this preview video. Here's what you'd learn in this lesson:

Max talks through the process of using multi-factor authentication. Typically this strategy requires the use of an SMS message, authenticator app, or other device to validate a user's credentials. Passwordless authentication systems are a more secure solution since they remove access points for password theft or phishing exploits.

Get Unlimited Access Now

Transcript from the "Multi-Factor & Passwordless Authentication" Lesson

>> So then to one of the solutions that appear with time to solve the problem is multi-factor authentication. It started with two factor but then multi-factor. So in this case, it's actually the same thing. So we send the password, okay? But as we know the password is not secure enough, we add another authentication factor.

[00:00:21] It can be an email address, so I send you a code through email after you give me your password, so then I will check, okay, so it's the password that you know but also something that you should have like access to your email account. Or your SMS or a USB key like a YubiKey or where you can store there are some data.

[00:00:49] So all of these are multi factor authentication in that case, you will generate the code, okay? Apart from the secret password, and that code will also travel to the server to increase security, okay? But it's not perfect. It's still not perfect. I mean, for example, I'm not going to say which company but, so I have a SIM card, so I'm from Argentina, so my SIM card is from Argentina, from an Argentinian company, but I also have a US SIM card.

[00:01:22] And one day I lost that SIM card, it didn't work anymore, so I went to an office and I got a new one. They didn't ask me for anything, not even my passport, just the phone number. So I gave them my phone number and they gave me a SIM card.

[00:01:36] So if I could do that, yeah, I was the owner but they didn't check that. Anyone can do that. So they can easily get your SIM card and then they will get your SMS code instead of you. And there a lot of now scams over WhatsApp also to do that.

[00:01:55] So, it's complicated, but maybe, they're calling you. So if you pick up the call, when they're calling you because you have the phone line used, they are sending you a WhatsApp code, by call as well. But because you are using the phone line, that code goes to your mailbox, your phone mailbox.

[00:02:20] So then someone get into your mailbox and get the code. And with that weird situation, they're stealing your WhatsApp. And when they do that they send messages to your friends asking for money or something like that, okay? Anyway, weird situations happen, so it is still not perfect. And the worst part is that it's adding a lot of friction in the user experience.

[00:02:43] Because you log in and then you need to find your, where is my key, my USB key because, I need to open my authenticator app. Look for my code, okay? And it's adding friction to the login experience. So user experience becomes a problem and the risk is still there.

[00:03:00] So that's why we are arriving to a passwordless experience. With password less secure experience at least. What we're going to do is we're going to have a pair of, public and private key, okay? The private key will be stored safely within your device, okay? It's not something that you know, so, it's a secret, but it's not something that you will write down in a piece of paper.

[00:03:31] You could actually as you can write down the private address of your crypto wallet but, yeah, it's not common, no one's going to do that, okay? So you use a USB key for that, or modern devices can actually encrypt the data with your fingerprint or with your face recognition.

[00:03:53] But it's not 100% secure. For example, with face ID, so there are one every 10,000 people that will actually log in in your phone with a different face. The problem is finding that person, okay? So it's not so simple. Finding the person that it's actually so similar to your face that can actually log in your into your phone.

[00:04:22] So it's still considered already secure, okay? So, well, in that case, that private key will be stored in your device encrypted by your fingerprint or by your face. And the public key will actually travel to the web server and to the database, okay? That's how typically passwordless work.

[00:04:48] And yeah, what happens now on different situations such as if an attacker gets access to your server they will get your public key that is public so yeah, okay, go ahead, take my public key, nothing will happen. You cannot login with the public key. You need the private key, not the public key.

[00:05:13] And also because the user actually doesn't know the private key, they cannot get to link on the phone. I cannot give the private key on the phone. Or if I go to a phishing website, so here, we don't see the whole encryption details in this diagram, but the private key is stored with your fingerprint, with your face, or with the USB key, and also with the origin of the website, okay?

[00:05:44] So, that private key won't be taken out of the secure storage if you're in a different origin, in a different website. So with phishing doesn't work with this, because when you go to a website that is a different URL, the browser will not give that website the credential, the store credential.

[00:06:07] Even if it's the same user. Even if the user is using the finger or pointing the face, it's not gonna work because [INAUDIBLE] says, no, I'm sorry, that's not the website. So the credentials that we created were for not with paypaI, with instead of an L and capital I, okay?

[00:06:27] So it will say, no, I don't have credentials for their website. So this is not 100% secure, but much more secure than the previous flaws, okay? Make sense? Do you have any question? Is this available on the web today? Yes. We are still not in the position that everyone is using it.

[00:06:58] In fact, think about yourself as a user. In how many websites are you logging in with Face ID or Touch ID or USB key? Probably not a lot. Unless you are in a high security environment, like you are managing the accounting on a large company, so actually you have access to the bank account with $100 million, so accessing to that website is really high security.

[00:07:27] So typically you have a USB key, and maybe that USB key needs your fingerprint. But if it's just a website for gaming or something like that, okay? You're not logging in with these technologies. But it's time to start moving to these technologies because they are there. From a user experience point of view, they are actually easy to use.

[00:07:55] We will see that later.