In some ways, the term “passwordless” is a misnomer. Yes, it’s a password-less authentication method, greatly streamlining the login experience, and while that’s a great incentive to use passwordless for logging in, it’s not an improvement in authentication security in and of itself. By Jeremy Erickson.
To prevent phishing, there are a few general properties that your authentication solution needs:
- No Shared Secrets is the property that secrets are never shared and are always kept local to the authenticator device
- Origin Binding is the property that the site you (as a user) are attempting to log in to must match the domain, or origin, of the site you’re actually on
- Channel Binding is the property that the communication channel from the authenticator to the website must be strongly tied to the browser session attempting to authenticate
The article then looks in depth into how WebAuthn and FIDO2 implement these properties and provide a very robust resistance to phishing. Excellent!
[Read More]