passwords cryptography webauthn: Updated Tue, 27 Sep 2022 08:42:25 GMT

Why did WebAuthn beat PAKEs as the preferred password replacement?

Apple and now Google are releasing products that are built on WebAuthn as a replacement for traditional username + passwords. Why did this technology beat out PAKEs?

Solution

Webauthn and PAKE solve different problems.

Authentication using PAKE is still authentication with a password. The problem that PAKE solves is that with traditional password authentication, you have to send your password in clear text to the server, so if an attacker can either spy on the communication or impersonate the legitimate server, they can learn your password. With PAKE, the data exchanged over the network allows the server to learn whether the client knows the password, but it doesn't allow an eavesdropper to learn the password. This can be beneficial even if the network traffic is protected by TLS or similar, because sometimes the network traffic is propagated through multiple points that have access to the clear text, for example, load balancers. Some PAKE algorithms (known as augmented PAKE) have the additional property that the server doesn't learn the password itself, so if the client uses the same password on two different systems, someone in control of server1 still won't be able to log into server2.

Webauthn allows getting rid of passwords altogether. The idea is that rather than authenticating by proving that you know a password (what you know), you authenticate with the help of some local device (what you have). This eliminates the problems with passwords, in particular the problem that users are bad at choosing passwords. It also reduces the risk of phishing, because Webauthn and similar protocols have some protection against phishing (by trying to make the data sent to the server useless to a third party, although I don't know to what extent Webauthn succeeds there). The cost is that authentication then becomes tied to a specific device (so if you lose your device, or your device gets compromised, it sucks to be you).

The only thing that both Webauthn and augmented PAKE do is to reduce the risk that the authentication is subject to phishing. But that's not the main argument against passwords, so PAKE wouldn't replace the goals of Webauthn.

Comments (2)

+4 – WebAuthn also authenticates the server ("origin"), which PAKE doesn't, and which humans are understandably much worse at than the WebAuthn authenticator+browser combo is, eliminating an entire class of "site lookalike" and MITM phishing. There's also nothing that prevents WebAuthn from being used as an additional factor, rather than getting rid of passwords altogether. — Aug 25, 2022 at 21:49
+0 – Doesn't the load balancers already on the target site that can open the TLS encryption? — Aug 26, 2022 at 10:42

External Links

External links referenced by this document:

References

https://security.stackexchange.com/questions/264351