Vault Vision’s User Authentication Platform Ushers in a Passwordless Future
There is a sign on the wall of Thomas Edison’s laboratory which says, “There’s a way to do it better-find it”. We have taken that wise and inspirational motto to heart. Introducing Vault Vision user authentication for web and mobile applications, a new technology company that is a goal for the future of modern, secure and convenient user logins.
We have a ‘Vision’ for the future where ALL passwords, private keys, and secrets are stored securely and protected in a hardware or software ‘Vault’. That ‘Vault Vision’ is why we started this company, and the concept of moving away from passwords to protected ‘Vaults’ that are equally secure and convenient while fitting the familiar mental model of keys and locks. It is our goal that we eliminate outdated password technology in favor of more secure methods of authentication. Our vision is lofty, and recent developments brings our goal within reach, specifically FIDO hardware tokens and Webauthn protocol support in browsers and OSes for React applications.
Eliminating flawed passwords
Why replace passwords? First, we thank passwords for what they have accomplished, we would not have the internet without them. I never would have been able to sell my used patio furniture if I had not created an account on Craigslist using a password. But now, it is time to bid them farewell and a happy retirement because of the following flaws:
- They are too easy to phish by attackers and phishing is still a very large attack vector. In 2020, Fire-eye/Mandiant reported in their 2021 M-TRENDS report that phishing accounted for 23% of the identified initial infection vectors.
- They are too easy to guess, and too many already known. The ‘haveibeenpwned’ database, as of Nov 2020, had over 613,000,000 passwords discovered from breaches.
- They are hard to remember. If you make up a new password for every website or online account, it is not long before you need to remember hundreds of passwords with various rules about what special characters need to be included in them.
- They end up being written down on a Post-It note. Or they end up in a notepad file on someone’s desktop. I can’t tell you how often I see users open a file of passwords in front of me saying: ‘I know I shouldn’t store these like this, but …’
- They are the targets of malware. Credential stealing malware like Juypter Infostealer try to find and pull them out of locations where browsers save them for user convenience.
- They are usually resettable by email or SMS. Most services will allow you to reset your password with an email, if you were to ever lose access to your email (or if an admin of that email service ever wanted to impersonate you) all of the accounts associated to that one single email address could now be compromised. It is rather scary to think about the damage that could be done if someone untrusted got access to your email. It is even scarier to think about what if a trusted email admin at a top provider like Microsoft or Google abused their access.
With all that said, it is time to thank the ‘password’ for everything it has done and en ‘vision’ a world where identity access is protected like a ‘vault’.
FIDO, Webauthn and security keys
So how do we fix it? We start by moving the source of your identity away from a 12 character string that only you know, to a hardware security key specifically designed to store, protect and securely communicate your digital identity with the rest of the digital world. Enter FIDO hardware security devices like the ones shown below.
These devices work by using public and private key cryptography to prove you are the creator/owner of the identity used to create that online account. When you signup or register for an online account, this device will register its public key to that online account, while keeping the corresponding private key safe and locked down on the device.
The most important aspect to how these hardware keys are better than a typical password is that the hardware key NEVER reveals its private key. The private key is only created on the device which cannot communicate it to any other device or connected system. The advantages of hardware keys are:
- You can’t ask the device for a copy of your private key
- You can’t trick the device into sending out your private key
- You can’t install malware on the device so that the malware ever gains access to your private key
It is these benefits that make the FIDO security key the perfect ‘vault’ for your digital identity.
Great! So what’s the catch? The catch is that because these FIDO security keys and the Webauthn protocol used to support them is so relatively new, there aren’t many services and websites that offer support for it.
Securing your user authentication with Vault Vision
That is where we come in and the Vault Vision service allows other services, startups and website owners to support these groundbreaking new authentication methods. Our login-as-a-service enables startups and website owners to easily replace their sign up and login flow with Vault Vision’s seamless support of FIDO security keys. In addition, we also support passwords (and social logins) for those users not in possession of a FIDO security key yet.
Integrating with Vault Vision is easy, our service is based on OAuth2 open standards, and communicates with JWTs on the OIDC protocols. This means that nearly every platform or programming language can integrate easily with our platform by using a JWT or OIDC library available on almost every platform or programming language.
Our founding team has been creating and helping start-ups for over twenty-five years. Our technology makes it less expensive and less time consuming for any startup or service owner to implement authentication systems. So if you are a startup or service provider, we make building authentication systems our business so you can focus on building and growing your business!
As Dr. Emmett Brown said to Marty McFly, “Roads? Where we’re going, we don’t need roads.” We say, ‘Passwords? Where we’re going, we don’t need passwords.’ Allow Vault Vision to build your authentication system, so you can continue building your business safely and securely online.
You can start your Vault Vision free trial here.