Ledger, a leading provider of cryptocurrency hardware wallets and one of our favourite brands to stock here at Coinstop, has recently released a new application which promises to provide even stronger protection for users' digital assets. Ledger Nano devices (Ledger Nano S, Nano S Plus, and Nano X) are open platforms that use Secure Elements for security. The Ledger Operating System (OS) loads applications that make use of cryptographic APIs. The operating system also provides mechanisms for isolation and key derivation. This technology provides a high level of security even against an attacker who has physical access to your devices, making your Ledger devices the ideal tools for securely managing your digital assets. However, they are also well suited to securing your login credentials to many online services. This is why Ledger has created Security Key, a new application that implements the WebAuthn standard for Second Factor Authentication (2FA), Multi-Factor Authentication (MFA), or even password-less authentication.
What is Web Authentication?
Web Authentication, or WebAuthn for short, is a standard written by the W3C and the FIDO Alliance. It specifies a user authentication mechanism based on public-key cryptography instead of passwords.
The motivation for building such a standard was that Ledger’s current online existence is built on passwords and most security breaches are related to stolen or weak passwords.
Using public key cryptography as a security mechanism
Public key cryptography is a cryptographic mechanism that uses two associated keys:
- A private key that should be kept, you guessed it - private!
- A public key that can be shared
The public key can be used to check whether or not a message has been signed with the private key. Consider Jake, who generates a key pair and shares the public key with Tom. If Jake sends a message to Tom, he can sign it with his private key, and Tom can use the public key to verify that the message was indeed signed by Jake, who is the only one who knows the private key. This means that a user can generate a key pair and share the public key with an online service for authentication. Later, the user can authenticate themselves by demonstrating to the online service that they are in possession of the private key. All of this without ever sending the private key to the online service! As a result, the private key cannot be stolen or intercepted during user-to-server communications.
Resistance to phishing attacks
The WebAuthn standard is also resistant to classic phishing attacks (when a hacker tricks you into disclosing sensitive information, in this case, login credentials). WebAuthn, unlike other MFA mechanisms such as OTP, is resistant to such attacks because each key pair is bound to a specific origin, or web domain. This means that an attack attempting to trick you into using a WebAuthn credential on a different domain (for example, a fake site with the URL best-service.com instead of the legitimate site URL best.service.com) will fail, because the authentication device will have no corresponding key pair for that domain.
Strong hardware security
WebAuthn recommends storing private keys in hardware security elements. In the case of the Ledger Security Key application, private keys are stored within the device's Secure Element (SE), which has passed a Common Criteria security evaluation – an international standard for banking cards and state requirements – and has obtained an EAL5+ certificate.
We’ll be sharing more on how WebAuthn works in our next post, stay tuned!