"Passwordless" Authentication: A new paradigm in enforcing authentication and encryption...
The previous year has gone by, and it brought the vulnerabilities associated with passwords, along with other security breaches, into sharp focus.
Notably, this involved the Gawker Media password dump and the WikiLeaks data theft.
That made me reflect on whether we could have a world without passwords and yet still secure identity and information.
I ventured into this minefield exactly two years ago and invented an innovative solution that I thought could change the way people are identified online and their information secured.
The concept can be simply described as follows:
1. Do not store the password or key on the server or the client device.
2. Do not prompt the user to define or enter passwords.
3. Encrypt information before storing it on the server, using a seed that is not stored anywhere but is generated in real time.
Instead of storing the password on the server, one can encrypt the user identity or username with a password generated in real time, either by a hashing algorithm or by a device-locked password generator, and store only the encrypted result.
The password itself need not be stored on the server, as can be seen from the following diagrams:
Once the user is registered, he or she can be authenticated as follows:
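The registration and authentication steps described above, as an added example in Go that is not part of the original post: the server keeps only the username encrypted with AES-256-GCM under a key that is regenerated on demand from a constructed device fingerprint and the username, so neither a password nor a key is ever stored. The fingerprint string, `Record` type and function names are assumptions for this illustration; if the fingerprint is guessable, a stolen record can be attacked offline, so a real generator needs a high-entropy, device-bound source.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Record is all the server stores per user: no password, no key, only the
// username encrypted under a key that is regenerated on demand.
type Record struct{ Nonce, Ciphertext []byte }

// aead regenerates the key (standing in for the "device-locked password
// generator": nothing is stored, the key is recomputed from a fingerprint only
// the user's device can reproduce and the username) and builds AES-256-GCM on it.
func aead(deviceFingerprint, username string) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, []byte(deviceFingerprint))
	mac.Write([]byte(username))
	block, err := aes.NewCipher(mac.Sum(nil)) // 32-byte key, discarded on return
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Register encrypts the username and returns what the server keeps.
func Register(deviceFingerprint, username string) (Record, error) {
	gcm, err := aead(deviceFingerprint, username)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // not secret, so it may be stored
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{nonce, gcm.Seal(nil, nonce, []byte(username), nil)}, nil
}

// Authenticate regenerates the key and checks that the record decrypts to the
// claimed username; a wrong device or name fails the GCM tag check instead.
func Authenticate(rec Record, deviceFingerprint, username string) bool {
	gcm, err := aead(deviceFingerprint, username)
	if err != nil {
		return false
	}
	plain, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
	return err == nil && string(plain) == username
}
```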
If websites or online services employed "passwordless" authentication, it would help mitigate many of the current vulnerabilities, such as the one experienced by Gawker Media.
Even if the server data is stolen, it does not contain the password, and without the password the encrypted information is meaningless.