In the 2nd episode of the SAWO champ program, I would like to highlight one very interesting activity that was done with every champ. We had to answer a set of questions on Reddit, Quora, and StackOverflow. Every champ was assigned one particular platform and was also presented with the specific posts where we had to pen down our thoughts.
I was presented with Reddit. Now, my first reaction when I saw the questions I had to answer was this:
But hey, Pooja the SAWO developer champ doesn't give up that fast. I tied my shoelaces, tied a headband around my forehead, got my juice box and I was ready to explore the vast internet to figure out the answers.
The first question was very interesting. The user had asked what the future of passwordless authentication systems is.
Here's what I learnt:
I feel that passwords were a thing when you only had to log in to your e-mail or that one social media account. But now that every web application is powered by a login system to offer its users a more personalized experience, remembering passwords can be really cumbersome for the users. Users have a tendency to reuse similar passwords across all the websites they visit, which heightens the possibility of a huge data breach if even one of those passwords gets stolen. For enterprises - creating passwords, maintaining passwords, and resetting passwords do not come at a low cost, which makes going passwordless an economical solution for them.
The second question was regarding GitHub and their decision to move to a passwordless authentication system. (News Article Link)
Here were my thoughts on this:
I discovered YubiKey through this; it sounds really cool. Getting into your computer and authenticating your commits through a tap is indeed a better way of authenticating than remembering hundreds of passwords for every different service that I am using.
Side Note: Do check out what YubiKey is; I actually ordered one for myself :P
The third question is where I probably researched the most. The question was regarding the different authentication systems that are available to let users log in to a network. Here's what I learnt, in short and in an easy-to-understand manner:
Biometrics can be a fairly good option to consider - unique and less likely to get stolen (unless it is a spy movie). Token-based authentication methods can also be considered: people can be issued smart cards or smart badges. YubiKey does a fairly good job here, but being small, the chances of losing it are pretty high, so make sure to tell your folks to guard it to the best of their abilities. Passwordless authentication is the easiest of them all from a user's perspective, so if you want to offer an authentication mechanism for the non-developer section of the community, who want their data secured but are not tech-savvy enough, passwordless authentication will be your go-to methodology. For platforms holding more sensitive data and requiring more security, like social media accounts and e-mail, MFA can be the best option for the above-mentioned set of folks.
The fourth question was along similar lines, but was focused more on letting employees in a company log in to the company systems safely and securely. Here's what I think:
Recently GitHub has announced that they will be doing away with password authentication and are moving towards passwordless authentication systems for their developers. Along the same lines, YubiKey has introduced a feature that essentially enables devs to use it as a smart card for GPG encryption. Here's a detailed guide on the same - github.com/drduh/YubiKey-Guide The reason I am mentioning this here is that using YubiKey can not only secure access to your devs' computers but also ensure a more secure working environment with git. Considering that as the primary option would be the best in my opinion. However, I looked into the concern you mentioned about multiple users across multiple devices, and I found out that YubiKey can support multiple devices, but only for a specific user. Ref: developers.yubico.com/WebAuthn/WebAuthn_Dev..
The fifth, sixth, and seventh questions were on using passwordless authentication systems with PHP and Django, to which I will be dedicating separate blogs.
For now, here's a task for you: check out SAWO's passwordless authentication system and integrate it into your application in an "easy peasy banana squeezy" manner.
I thank the entire team of SAWO for bringing this program to life and helping me learn things by figuring it out on my own and offering me constant support!