Today, to secure access to restricted areas of a web project, the username/password pair is not enough.
Even when these credentials are properly handled (e.g. stored hashed in the database) and the associated policies are strong (complexity, minimum length …), attackers can still gain access to protected online resources.
For years, web projects have been hardening these accesses. A now well-established technique is to couple accounts with two-factor authentication.
In the vast majority of use cases, the first factor remains the username/password pair. The second factor varies, but is usually based on:
- something we have: a phone, a USB key …
- something we are: fingerprint, facial recognition …
We provide PHP libraries covering these use cases:
- OTPHP: supports one-time passwords, compatible with Google Authenticator
- U2F-PHP: supports FIDO U2F USB keys
Is it enough?
No, it is clearly not enough. In January and February 2019, two massive databases containing billions of username/password pairs were found.
At the time of writing, https://haveibeenpwned.com/ references more than 340 pwned websites and 6.4 billion pwned accounts!
And so…
Fortunately there is a cure named WebAuthn. This protocol defines an API enabling the creation and use of strong, attested, public key-based credentials by web applications.
At Spomky-Labs, we are working hard to provide easy-to-use tools to help you take full advantage of this new protocol.
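To show what the server side of the protocol actually checks, here is an added example (not code from the Spomky-Labs framework) of the relying-party validation of the two structures the browser returns in a WebAuthn ceremony: the clientDataJSON (type, challenge, origin) and the fixed prefix of the authenticatorData (rpIdHash, flags, signature counter). The RP ID, origin and sample messages are constructed for the example; signature verification over these bytes is out of scope here.

```python
import base64
import hashlib
import json
import secrets
import struct

# Constructed identifiers for a hypothetical relying party (not taken from the page).
RP_ID = "example.com"
ORIGIN = "https://example.com"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def new_challenge() -> bytes:
    return secrets.token_bytes(32)  # fresh per ceremony; the server stores it and compares later

def verify_client_data(client_data_json: bytes, expected_challenge: bytes, ceremony: str) -> dict:
    """Relying-party checks on clientDataJSON: type, challenge and origin must all match."""
    data = json.loads(client_data_json)
    if data.get("type") != ceremony:  # "webauthn.create" (registration) or "webauthn.get" (login)
        raise ValueError("unexpected ceremony type")
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch: replay or wrong session")
    if data.get("origin") != ORIGIN:
        raise ValueError("origin mismatch: phishing page or misconfiguration")
    return data

def parse_authenticator_data(auth_data: bytes, stored_sign_count: int) -> dict:
    """Parse the fixed authenticatorData prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match our RP ID")
    flags = auth_data[32]
    if not flags & 0x01:
        raise ValueError("user presence (UP) flag not set")
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    # A counter that does not increase can indicate a cloned authenticator.
    if sign_count != 0 and sign_count <= stored_sign_count:
        raise ValueError("signature counter did not increase")
    return {"user_verified": bool(flags & 0x04), "attested_credential_data": bool(flags & 0x40), "sign_count": sign_count}

def sample_client_data(challenge: bytes, ceremony: str, origin: str = ORIGIN) -> bytes:
    # Constructed stand-in for the browser's response.clientDataJSON.
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": ceremony, "challenge": chal, "origin": origin}).encode()

def sample_auth_data(flags: int, sign_count: int, rp_id: str = RP_ID) -> bytes:
    # Constructed stand-in for the authenticatorData prefix that the authenticator signs over.
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```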
Have a look at this framework and our online demo application. You will be able to create an account and register without any frustration.