
Non-password authentication methods: theoretical advantages?

Asked by BeeePollen (422points) May 10th, 2022

Can someone help me understand the major reasons why some of the more prominent alternatives (or supplements) to password-based authentication are more secure than passwords?

In addition to a general answer, it would be awesome if you could confirm, deny, or complicate my assumptions about this topic (which are mostly just based on speculation). To keep it simple for myself, I’m trying to compare everything to “normal” passwords as much as possible.

1. It seems like many common methods, like FIDO or the “authenticator” apps, involve a backup password, and the authenticator apps encode their backup info in a QR code.

2. Because of #1, to a first approximation, it seems to me like using an authenticator app is basically like having an extra-long password that you write down and carry around, but that you can enter quickly instead of transcribing it. The password is also recorded in a valuable notebook, so people are maybe more afraid of stealing it.

3. Because of #1, to a first approximation, it seems to me like using a FIDO-type method is basically like having an extra-long password that you write down and hide in a safe place, and can only be used (but not stolen) by someone who has your phone. (Unless they find your hiding place.)

Am I way off base?


4 Answers

Forever_Free

Standard password authentication can be easily cracked with brute force tools.

FIDO and other methods are more secure because they are 2 or 3 factor authentication methods that require you to have physical access to your phone, a fob, or an app. Even if they have your phone, they need to break through the password or facial recognition on the phone.

Fairly simple and can’t be cracked by someone remote to you. This removes the old method of writing down passwords in a book or on a spreadsheet or even a crypt file.

BeeePollen

Thanks @Forever_Free! That makes sense. But isn’t it true that FIDO and other methods usually have some kind of “backup key” that you hid somewhere?

Just to be clear: Even with my limited knowledge and perspective, I agree that these other methods are more secure than passwords. I’m just trying to get a simple understanding of “how different” they really are.

For example, I think usually when I set up an account on Google Authenticator, I get this alphanumeric thingy that’s like an alternative to taking a photo of the QR code. And I think that code keeps working even after a little bit of time. So couldn’t I just try to brute-force crack that thing?
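The alphanumeric string an authenticator app shows beside the QR code is not a one-time code but the Base32-encoded shared seed; every six-digit code is derived from that seed and the current 30-second time step (RFC 4226 HOTP / RFC 6238 TOTP). The added example below, which is not part of this thread, decodes such a setup key, reports how large the seed's guessing space is, and derives and verifies codes. The seed `12345678901234567890` is the RFC 4226/6238 test-vector secret, used here only so the output can be checked; `decode_setup_key`, `seed_entropy_bits` and `verify_totp` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import struct


def decode_setup_key(setup_key: str) -> bytes:
    """Turn the 'setup key' shown next to the QR code into the raw seed.

    Authenticator apps display the seed as Base32; spaces and lower case
    are cosmetic, and the padding is usually dropped from the display.
    """
    cleaned = setup_key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # Base32 wants a multiple of 8 chars
    return base64.b32decode(cleaned)


def seed_entropy_bits(setup_key: str) -> int:
    """Size of the seed's guessing space in bits.

    A 20-byte seed is 160 bits, i.e. 2**160 possibilities: this is what
    'brute-forcing the alphanumeric thingy' would have to search.
    """
    return len(decode_setup_key(setup_key)) * 8


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, mod 10**digits."""
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # low nibble of last byte picks the window
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second periods since epoch."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check that tolerates `window` steps of clock drift either way.

    Constant-time comparison so response timing does not leak matching digits.
    A code therefore stays valid for roughly (2*window+1)*step seconds, which is
    why a code 'keeps working for a bit'; the seed itself never expires.
    """
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(seed, current + d, digits), candidate)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed setup key: Base32 of the RFC test-vector secret.
    key = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
    seed = decode_setup_key(key)
    print("seed bits:", seed_entropy_bits(key))     # 160
    print("code at t=59:", totp(seed, 59))          # 287082 (RFC 6238 SHA1 vector, 6 digits)
```

The point the numbers make: the six-digit code has only a million values and is protected by rate limiting and its short lifetime, while the setup key behind it is a 160-bit secret that is not brute-forceable at all; treating the setup key like a password to be guessed is the wrong model, treating it like a key to be kept out of backups and screenshots is the right one.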

Tropical_Willie

“Brute force” breaking a password is only 5% of the breaks. https://www.imperva.com/learn/application-security/brute-force-attack/

“Some of the most commonly found passwords in brute force lists include: date of birth, children’s names, qwerty, 123456, abcdef123, a123456, abc123, password, asdf, hello, welcome, zxcvbn, Qazwsx, 654321, 123321, 000000, 111111, 987654321, 1q2w3e, 123qwe, qwertyuiop, gfhjkm”

or use “Two-factor authentication—you can use multiple factors to authenticate identity and grant access to accounts.”

A complex password may need a billion or more attempts to break.

Thumb prints, facial recognition or retina would work too.

Zaku

A developer can also greatly impede the ability to use “brute force” techniques by taking measures when more than a few guesses are made within a certain period of time. They don’t need to just indulge bots who try thousands of random passwords at inhuman speeds.

I think part of the recent fad for 2-factor ID is to get more people to use their mobile spy devices, so information miners can associate more accounts with their mega data from mobile phones and/or ZuckFace and/or Google, etc.
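The countermeasure Zaku describes, throttling an account once more than a few guesses arrive in a short time, is simple to implement server-side. The added example below is not code from this thread; it is a small login guard that allows a handful of free attempts, then doubles a lockout delay on each further failure up to a cap, and it includes a helper that counts how many guesses that policy permits in a day. The class and method names (`LoginGuard`, `attempts_allowed`) and the policy constants are choices made for this example; time is passed in explicitly so the behaviour is reproducible.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # unix time before which logins are refused


class LoginGuard:
    """Password check with escalating lockout after repeated failures."""

    def __init__(self, free_attempts: int = 3, base_delay: float = 2.0,
                 max_delay: float = 900.0):
        self.accounts: dict[str, Account] = {}
        self.free_attempts = free_attempts  # failures before any delay applies
        self.base_delay = base_delay        # first delay in seconds, doubles thereafter
        self.max_delay = max_delay          # ceiling on the delay

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Slow, salted hash so an offline attack on a leaked table is also expensive.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, self._hash(password, salt))

    def _delay_after(self, failures: int) -> float:
        """Delay imposed after the given number of consecutive failures (0 if still free)."""
        excess = failures - self.free_attempts
        if excess < 0:
            return 0.0
        return min(self.base_delay * (2 ** excess), self.max_delay)

    def login(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'. Unknown users get 'denied' like a bad password."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        if now < acct.locked_until:
            return "locked"           # refused without even checking the password
        if hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0         # success clears the counter
            return "ok"
        acct.failures += 1
        delay = self._delay_after(acct.failures)
        if delay:
            acct.locked_until = now + delay
        return "denied"

    def attempts_allowed(self, seconds: float) -> int:
        """How many guesses an attacker who never succeeds can make in `seconds`.

        Simulates the same policy as login(): free attempts cost no time,
        every later attempt pushes the next one out by the escalating delay.
        """
        t, count, failures = 0.0, 0, 0
        while t < seconds:
            count += 1
            failures += 1
            t += self._delay_after(failures)
        return count


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("alice", "correct horse battery staple")
    for _ in range(3):
        print(guard.login("alice", "wrong", now=0.0))      # denied, denied, denied (now locked 2 s)
    print(guard.login("alice", "correct horse battery staple", now=1.0))  # locked
    print(guard.login("alice", "correct horse battery staple", now=3.0))  # ok
    print("guesses per day under this policy:", guard.attempts_allowed(86_400))
```

With these constants an attacker gets about a hundred guesses per account per day instead of thousands per second, which is what makes the "billion attempts" figure for a complex password irrelevant to online guessing. The trade-off is that anyone who knows a username can lock its owner out; the usual mitigations are to key the counter on source address as well as account, or to throttle with delays rather than hard locks, and to alert on bursts of failures rather than silently absorbing them.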
