2.5 Alternatives to using password managers
This section is part of the amber pathway.
Using a password manager makes your life much simpler because, rather than having to remember a multitude of passwords, you only need to remember a single password and the computer does the rest.
But what if you forget that password? All of a sudden all of your passwords are unavailable. And what if your password manager’s data file falls into the wrong hands? You’d better hope your password is strong, otherwise all of your passwords are accessible to an attacker. But, what are the alternatives?
For an increasing number of websites it is possible to use your existing online accounts, such as those provided by Google or Facebook, to register and log in. This approach for managing users’ account details depends on an authentication mechanism called OAuth (i.e. Open Authentication).
It is quite like having a third-party agency – Google, Facebook, etc. – vouching for your identity when you are transacting with a business associate. Based on that verification and endorsement, the business associate provides you with services. Such an endorsement requires that you already be logged in with the third party – Google, Facebook, etc. If you aren’t, you will be asked to log in first.
This method of checking a user’s identity requires the website to ask the user’s computer for some proof that the user’s identity has been authenticated by the OAuth provider (e.g., Google). This requires the user’s computer to first contact the OAuth provider, where the user can input their username and password. The OAuth provider then issues a digitally signed token that confirms the user’s identity.
You will learn more about digital signatures in Week 5 of the course, but for now it is sufficient to understand that in this case the digitally signed token cannot be created or modified by anyone other than the OAuth provider. Once it receives the token, all the website needs to do is to check that the signature on this token is valid to confirm the identity of the user.
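To make the token check concrete, here is an added example (not part of the course material) in Go: a simplified provider signs a user’s identity claims with an Ed25519 key, and the website accepts the token only if the signature verifies under the provider’s public key and the token was issued for that website, so a token altered in transit or signed with anyone else’s key is rejected. The token layout, the claim names and the hostnames are constructed for illustration and are not a real OAuth or OpenID Connect token format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims is the constructed identity assertion the provider signs.
type Claims struct {
	Subject  string `json:"sub"` // who the provider says the user is
	Audience string `json:"aud"` // which website the token was issued for
}

// IssueToken plays the OAuth provider: it signs the claims with its private
// key and returns "payload.signature", both base64url-encoded.
func IssueToken(priv ed25519.PrivateKey, c Claims) string {
	payload, _ := json.Marshal(c) // marshalling a struct of strings cannot fail
	sig := ed25519.Sign(priv, payload)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig)
}

// VerifyToken plays the website: it checks the signature against the provider's
// public key, then that the token was actually meant for this site.
func VerifyToken(pub ed25519.PublicKey, token, audience string) (Claims, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return Claims{}, false
	}
	enc := base64.RawURLEncoding
	payload, err1 := enc.DecodeString(parts[0])
	sig, err2 := enc.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, payload, sig) {
		return Claims{}, false // forged, modified, or signed with a different key
	}
	var c Claims
	if json.Unmarshal(payload, &c) != nil || c.Audience != audience {
		return Claims{}, false // malformed, or issued for another website
	}
	return c, true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	tok := IssueToken(priv, Claims{Subject: "alice", Audience: "shop.example"})
	_, ok := VerifyToken(pub, tok, "shop.example")
	fmt.Println("token accepted:", ok) // true
}
```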
So using OAuth can simplify your password management because all you need to remember is the username and password for your account with the OAuth provider. However, just as with password managers, if you forget this password you will no longer have access to any of those accounts. Additionally, if an attacker gets access to this password, they will be able to access all the online systems you are able to access using your OAuth account details.
So while password managers and online authentication services like OAuth can simplify the management of your online accounts, they are not complete solutions.
Next, you will look at another way of improving the security of the authentication mechanisms you use.