Administrator’s Guide, Part 2: Passwords Are Safer Than Biometrics, PINs Are Just Passwords, and Other Tall Tales


This article has been indexed from The Duo Blog

Part of our Administrator’s Guide to Passwordless blog series


Tall Tale #1: PINs Are Just Passwords

In Part 1, we talked about how passwordless authentication is still multi-factor:

- Possession of a private key, ideally stored on a piece of secure hardware
- A biometric or PIN the authenticator uses to locally verify the user's identity

Reasoning about a PIN as a factor is simpler than reasoning about a biometric. A PIN is simply a password, with a few key differences, and the most important one is the context in which WebAuthn uses it. A password is transmitted to the website and checked against the website's record (hopefully a salted, slow hash such as bcrypt or Argon2, and not a copy of the password itself); a PIN is used only to unlock the credential stored on the local authenticator device. There is no central repository of user PINs for an attacker to breach and steal, and no remote interface to the authenticator for an attacker to brute-force over the network. The only way to unlock the credential is for the user to interact locally, often physically, with the authenticator and enter the PIN, and the authenticator enforces its own retry limit: a CTAP2 authenticator blocks the PIN after eight consecutive failures and must be reset before it can be used again.
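The contrast above, as an added example that is not from the Duo post: a toy model in Go of the two sides of a WebAuthn assertion. The authenticator holds the private key and checks the PIN locally, with the CTAP2 retry limit of eight; the relying party holds only the public key and verifies the signed assertion, which carries a user-verified flag but never the PIN. Everything here is constructed for illustration and is not a CTAP2 implementation: the PIN, the rpID example.com, the clientDataJSON, and the SHA-256 PIN digest that stands in for the real CTAP2 PIN/UV auth protocol.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const maxPINRetries = 8                 // CTAP2 maximum: then the PIN is blocked and the device must be reset
const flagUP, flagUV byte = 0x01, 0x04 // WebAuthn flags byte bits: user present, user verified locally

var ErrBadPIN = errors.New("wrong PIN")
var ErrLocked = errors.New("PIN blocked: retries exhausted, authenticator must be reset")

// Authenticator is a constructed toy (not a real CTAP2 device): key and PIN check live here and never leave.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte // SHA-256 of the PIN: a simplification of the CTAP2 PIN/UV auth protocol
	retries int
}

func NewAuthenticator(pin string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, pinHash: sha256.Sum256([]byte(pin)), retries: maxPINRetries}, nil
}

// PublicKey is all the relying party keeps from registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// unlock is the local user-verification step: a wrong PIN consumes a retry, success resets the counter.
func (a *Authenticator) unlock(pin string) error {
	h := sha256.Sum256([]byte(pin))
	if a.retries > 0 && subtle.ConstantTimeCompare(h[:], a.pinHash[:]) == 1 {
		a.retries = maxPINRetries
		return nil
	}
	if a.retries > 0 {
		a.retries--
	}
	if a.retries == 0 {
		return ErrLocked
	}
	return ErrBadPIN
}

// Assertion is everything that crosses the network to the relying party. The PIN is not in it.
type Assertion struct {
	AuthData       []byte   // rpIdHash (32) || flags (1) || signCount (4)
	ClientDataHash [32]byte // SHA-256 of clientDataJSON
	Signature      []byte   // ECDSA over AuthData || ClientDataHash
}

// GetAssertion unlocks with the PIN locally, then signs authenticatorData || SHA-256(clientDataJSON).
func (a *Authenticator) GetAssertion(pin, rpID string, clientDataJSON []byte) (*Assertion, error) {
	if err := a.unlock(pin); err != nil {
		return nil, err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], flagUP|flagUV, 0, 0, 0, 0) // sign counter left at 0 in the toy
	cdh := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientDataHash: cdh, Signature: sig}, nil
}

// VerifyAssertion is the relying-party side: public key only; checks rpIdHash, requires UV, verifies the signature.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID string, as *Assertion) bool {
	if as == nil || len(as.AuthData) < 37 {
		return false
	}
	want := sha256.Sum256([]byte(rpID))
	if subtle.ConstantTimeCompare(as.AuthData[:32], want[:]) != 1 || as.AuthData[32]&flagUV == 0 {
		return false
	}
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), as.ClientDataHash[:]...))
	return ecdsa.VerifyASN1(pub, digest[:], as.Signature)
}

func main() {
	auth, _ := NewAuthenticator("4711") // constructed PIN; it is never sent anywhere
	cd := []byte(`{"type":"webauthn.get","challenge":"c29tZS1ub25jZQ","origin":"https://example.com"}`)
	as, err := auth.GetAssertion("4711", "example.com", cd)
	fmt.Println("RP verifies with public key only:", err == nil && VerifyAssertion(auth.PublicKey(), "example.com", as))
	for i := 0; i < maxPINRetries; i++ { // a local guesser exhausts the retries; then even the right PIN fails
		_, err = auth.GetAssertion("0000", "example.com", cd)
	}
	_, err2 := auth.GetAssertion("4711", "example.com", cd)
	fmt.Println("after 8 wrong PINs:", err, "| correct PIN now:", err2)
}
```

Read it as an attacker would: the only object the network ever carries is the Assertion, and the only state the relying party holds is the public key, so there is nothing remote to steal or crack. The guessing loop has to run on the device itself, and the device cuts it off after eight attempts, which is the "walk to each door" property the rest of the post builds on.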

By way of analogy, let’s consider the teleporting burglar problem. Why a teleporting burglar? Because remote attacks on the internet are similar in nature — an attacker can instantly “travel” to any “door” in order to attempt a theft. To reduce the risk of a burglar who can teleport, we can (a) make our keys harder to forge and our locks harder to pick, or (b) stop the burglar from being able to teleport.

Burglars who have to walk from house to house are much less of a threat. By enforcing local authentication via PIN, we effectively force remote attackers to “walk” to eac

[…]

Content was cut in order to protect the source. Please visit the source for the rest of the article.

Read the original article: Administrator’s Guide, Part 2: Passwords Are Safer Than Biometrics, PINs Are Just Passwords, and Other Tall Tales
