Device-based Authentication

LibraSkywalker Mar 08, 2018

Some people have asked me why I would rather use an iPhone SE, which has a relatively small screen, instead of one with a bigger screen. The reason is really simple. I consider my iPhone to be my digital identity. It would be better if such a digital identity were extremely portable and convenient. Therefore, the iPhone SE is definitely my best choice.

Nowadays, the mobile phone means much more than just a phone. It is used to authenticate for a wide range of activities, including messaging, shopping and offline services. It's hard to imagine what life would be like without mobile phones. Because of this, we can see a huge change in the way we authenticate. Until now the most popular way to authenticate has been the password. It requires users to memorize their passwords. That seems reasonable, but it is also tricky. There are several situations in which people's passwords can be leaked.

  • users may use a short password or a password with a lot of semantic meaning.

The search space would be relatively small and easy to crack.

  • users may use the same password everywhere.

It's hard to trust all the service providers to protect your password like their own property.

  • users may even put their passwords in password management software.

I cannot say whether such an action is safe or not. At least, it is hard to construct a safe pipe from the password manager to the authentication field.

  • Caution! Using the clipboard isn't a reliable method.

In most operating systems, software doesn't need any permission to read the clipboard, so it's hard to say whether there is a program harvesting the clipboard on your computer.

In fact, most modern authentication systems won't rely only on a password. There's a method called two-factor authentication which is widely used.

Two-factor authentication has many implementations: RSA temporary passcodes, SMS temporary passcodes, USB keys, mobile phone in-app notifications, QR codes. In my opinion, it would be better if such an authentication required a device which is used frequently. You can say that a USB key is a good solution. However, if you don't use it regularly you will soon forget where it is. But if you consider the cellphone as your solution, you will never forget it, since you carry it every day. There are some other benefits of using a mobile phone as a two-factor authentication device.

  • instant notifications.

Such a solution doesn't require the related application to be open all the time.

  • sandboxed software.

Unlike on a computer, software on a mobile phone is sandboxed (at least on iOS). It would be hard for one app to steal the authentication identity held by another application.

  • mobility

People use their cellphones everywhere, all the time.

Therefore I think the cellphone is the best solution for authentication. In addition, in-app notifications may be the best way to provide authentication.

So, that leads to another important question. Why do we still need users to type in a password? In my opinion, such an authentication pattern is redundant. People have to remember a complex string and type it into a blank field to prove who they are. It's neither reasonable nor convenient, though we have to admit such a solution was the best in the past. Since people could not have such a powerful "digital identity", and recognition technology wasn't good enough to identify people by features other than what they typed into the computer, the typed-in password seemed the best choice. However, those days have passed; we have many ways to recognize other aspects of a human's identity. We also have other forms of digital identity which provide a safer environment for people. I believe the only barrier to replacing Password-based Authentication is compatibility. Many legacy codebases, tools and software packages can't upgrade their authentication to the latest scheme without an entire revision. That is the tough one to figure out.
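As an added example, not code from the original post, here is what an in-app approval flow of the kind argued for above has to check on the server side, written in Python: the challenge carries a single-use nonce, an expiry and the action being approved, and the approval is bound to the enrolled device, so the user never types or sees a secret. The AuthServer and PhoneApp classes, and the use of an HMAC over a per-device key so the example runs offline, are my simplifying assumptions; a real phone would sign the challenge with a private key kept in its secure hardware and the server would hold only the public key.

```python
import hashlib
import hmac
import json
import secrets
import time


def canonical(challenge: dict) -> bytes:
    """Deterministic encoding so device and server authenticate exactly the same bytes."""
    return json.dumps(challenge, sort_keys=True, separators=(",", ":")).encode()


def sign_challenge(key: bytes, challenge: dict) -> str:
    # Assumed simplification: HMAC with a per-device key provisioned at enrollment.
    # A production phone would instead sign with a private key in its secure hardware.
    return hmac.new(key, canonical(challenge), hashlib.sha256).hexdigest()


class AuthServer:
    """Issues one-shot challenges and accepts only a fresh, device-bound approval."""

    def __init__(self, challenge_ttl: int = 60):
        self.devices = {}  # device_id -> enrolled key
        self.pending = {}  # nonce -> outstanding challenge
        self.ttl = challenge_ttl

    def enroll(self, device_id: str, key: bytes) -> None:
        self.devices[device_id] = key

    def issue_challenge(self, device_id: str, action: str, now: int) -> dict:
        challenge = {
            "nonce": secrets.token_hex(16),  # unpredictable and single use
            "device_id": device_id,
            "action": action,  # what the user is being asked to approve
            "issued": now,
        }
        self.pending[challenge["nonce"]] = challenge
        return challenge

    def verify(self, nonce: str, tag: str, now: int) -> bool:
        challenge = self.pending.pop(nonce, None)  # consumed on first use: no replay
        if challenge is None:
            return False
        if now - challenge["issued"] > self.ttl:  # stale approval
            return False
        key = self.devices.get(challenge["device_id"])
        if key is None:
            return False
        # The tag is recomputed over the server's own copy of the challenge, so an
        # approval of a different action, or from a different device, never matches.
        return hmac.compare_digest(sign_challenge(key, challenge), tag)


class PhoneApp:
    """The user's device: it shows the action, and only a tap produces an approval."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key

    def respond(self, challenge: dict, user_tapped_approve: bool):
        if challenge.get("device_id") != self.device_id or not user_tapped_approve:
            return None
        return sign_challenge(self.key, challenge)


if __name__ == "__main__":
    # Constructed demo enrollment; a real key would be generated on the device itself.
    demo_key = secrets.token_bytes(32)
    server = AuthServer()
    server.enroll("phone-1", demo_key)
    phone = PhoneApp("phone-1", demo_key)
    now = int(time.time())
    challenge = server.issue_challenge("phone-1", "login from web browser", now)
    tag = phone.respond(challenge, user_tapped_approve=True)
    print("approved:", server.verify(challenge["nonce"], tag, now + 5))
    print("replayed:", server.verify(challenge["nonce"], tag, now + 6))
```

The three server checks matter more than the MAC itself: popping the nonce makes every approval single use, the expiry bounds how long a notification can sit on a phone before a tap still counts, and binding the action into the signed message means the user is approving the specific request the app displayed rather than a bare "yes".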

In a word, the weakest point of security is the human. It would be better for people to be less involved in the authentication process; that would definitely reduce the chance of leaking information. Therefore, I believe Device-based Authentication has good reason to replace Password-based Authentication. Though I believe passwords will still play an important part in authentication, I sincerely believe users shouldn't touch them.