What is the difference between authentication and encryption?
Encryption transforms meaningful data into what looks like gibberish using a secret that can also be used to reverse the process. Reversing the process is called decryption. Authentication is the process of convincing a gatekeeper that you are who you say you are, typically by proving that you know a secret. Encryption-based systems are inherently more secure than authentication-based systems, but authentication-based systems have the benefit of being far more flexible than their counterparts.
Passwords are used for both authentication and encryption
Most people can ignore the distinction between passwords used for encryption and passwords used for authentication. They seem to behave identically: knowing a password allows you to do something with the data that it is supposed to safeguard. But encryption-based systems offer more than their authentication-based counterparts, and it's worth knowing which system is used to protect your data. 1Password is based on encryption-based systems, but it also uses authentication-based systems for 1Password accounts. The distinction can be hard to grasp, partly because the terms used by encryption-based systems suggest that they are actually being used for authentication. Secrets used to encrypt and decrypt data are called "keys", and 1Password often talks about "unlocking" a "vault", which are useful metaphors but are far more appropriate for authentication-based systems.
| Term | Meatspace | Authentication | Encryption |
|---|---|---|---|
| "Password" | Something you know that proves to a guard that you are authorized to enter | Something you know that proves to a system that you are authorized to do stuff | Something you know that is transformed into a cryptographic key |
| "Key" | Proves to a lock that it is the right key | Proves to the verifier that it is the right secret | Needed to transform the actual resources |
| "Unlock" | Transforms the state of the lock so it grants access | Transforms the state of the verifier so it grants access | Transforms gibberish into valuable resources |
Why are authentication-based systems weaker?
Authentication-based systems involve a gatekeeper that grants access to a resource after someone has convinced it that they have the authority to access that resource. These systems suffer from a number of security challenges that do not typically affect encryption-based systems such as 1Password.
Gatekeepers can act without user authentication
One inherent challenge with authentication-based systems is that the gatekeeper has the power to grant access to whatever resource it protects. The gatekeeper should only grant access in the correct circumstances, but nothing guarantees that it does. Encryption, on the other hand, uses mathematics to make sure that the only way to access the resource in a meaningful way is to use the right decryption key.
Data is usable independent of the gatekeeper
Resources guarded by authentication-based systems may be accessible through ways that don't involve the gatekeeper. Unless the resource is encrypted, it may be possible to remove not only the gatekeeper, but also the gates that it is supposed to protect. Consider setting a file on a computer's disk to be readable only by its owner. The computer's operating system serves as a gatekeeper in this respect, and will allow only certain people to read the data in that particular file. But even if that operating system's gatekeeping is flawless, the data is still unencrypted, which means an attacker could remove the disk and put it on a machine with a different operating system. They could then read everything on the disk regardless of its settings. If that file or the disk on which it was saved were encrypted, using another operating system to read the disk and copying its data byte by byte gives the attacker no advantage. There is no way to transform the data into any meaningful form without using the correct decryption key.
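The two preceding sections can be made concrete with a small model of both designs: a record guarded only by a password verifier (the gatekeeper), and the same record encrypted under a key derived from the password. The `pull_the_disk` function plays the role of reading the raw storage with the gatekeeper out of the picture. This is an added illustration, not 1Password's code; the HMAC counter-mode keystream is a stand-in for a real cipher, and the record, salt handling and function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample record standing in for a file on disk.
SECRET_NOTE = b"bank login: alice / hunter2"

def stretch(password: str, salt: bytes, length: int = 32) -> bytes:
    # Slow KDF: with the data in hand an attacker can guess offline at full speed,
    # so slow hashing is the only brake available (no rate limiting or lockout).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=length)

def keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF; a stand-in for a real cipher such as AES-GCM.
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(8, "big"), "sha256").digest()
        block += 1
    return out[:length]

def store_behind_gatekeeper(password: str, data: bytes) -> dict:
    # Authentication-based: the data sits in the clear; only a verifier guards it.
    salt = os.urandom(16)
    return {"salt": salt, "verifier": stretch(password, salt), "data": data}

def gatekeeper_read(store: dict, password: str) -> bytes:
    # The gatekeeper: nothing but this check stands between a caller and the data.
    if not hmac.compare_digest(stretch(password, store["salt"]), store["verifier"]):
        raise PermissionError("wrong password")
    return store["data"]

def store_encrypted(password: str, data: bytes) -> dict:
    # Encryption-based: the stored bytes are meaningless without the derived key.
    salt = os.urandom(16)
    km = stretch(password, salt, 64)
    enc_key, mac_key = km[:32], km[32:]  # separate keys for cipher and tag
    ct = bytes(a ^ b for a, b in zip(data, keystream(enc_key, len(data))))
    return {"salt": salt, "data": ct, "tag": hmac.new(mac_key, ct, "sha256").digest()}

def decrypt(store: dict, password: str) -> bytes:
    km = stretch(password, store["salt"], 64)
    enc_key, mac_key = km[:32], km[32:]
    if not hmac.compare_digest(hmac.new(mac_key, store["data"], "sha256").digest(), store["tag"]):
        raise PermissionError("wrong password or tampered data")
    return bytes(a ^ b for a, b in zip(store["data"], keystream(enc_key, len(store["data"]))))

def pull_the_disk(store: dict) -> bytes:
    # The attacker path from the text: read the storage directly, skipping any gatekeeper.
    return store["data"]

if __name__ == "__main__":
    guarded, sealed = store_behind_gatekeeper("pw", SECRET_NOTE), store_encrypted("pw", SECRET_NOTE)
    print(pull_the_disk(guarded) == SECRET_NOTE)  # True: gate removed, data readable
    print(pull_the_disk(sealed) == SECRET_NOTE)   # False: only ciphertext recovered
```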
Multiple gates, each with distinct security properties
Many authentication-based systems have a password reset mechanism that allows you to regain access to your data if you forget your password. This mechanism is another gate into your data, with its own gatekeeper, and this one may not be as careful as the gatekeeper handling normal authentication. If it's possible for a human being working within the organization storing your data to reset a password, that person is yet another gatekeeper, which means they have the power to grant access to your data.
Transmitted authentication secrets
The authentication process typically requires a user secret to be sent to a gatekeeper. This secret, often a password, may be vulnerable in transit because it depends on the security of the network. Encryption-based systems typically don't involve transmitting any encryption keys or passwords.
The use of HTTPS, a more secure version of the HTTP protocol on which much of the web relies, greatly reduces the risk of a password being compromised in this way. And although there are also authentication protocols that don't involve sending a long-term secret over a network, authentication-based systems do need to worry about the security of transmitted secrets, whereas encryption-based systems often don't. The authentication process used in 1Password accounts does not transmit any secrets.
Why authentication-based systems are used anyway
Authentication-based systems face a number of threats that aren't typically relevant to encryption-based systems. So why are authentication-based systems used when encryption-based systems are inherently stronger? The answer: because a lot can be done with authentication-based systems that is very hard to do with encryption-based systems.
Password resets and data availability
Typically, if one loses the password or key used by an encryption-based system, there's no way to recover the data. Authentication-based systems often have mechanisms through which access can be regained. 1Password accounts have an authentication aspect, but they were designed to have the security properties offered by encryption-based systems, which means accounts can only be recovered by family organizers or team administrators.
Fine-grained access control
Authentication-based systems can offer fine-grained access controls. One could decide to give Alice, Bob, and Charlie read access to some data; restrict write access to Alice and Charlie; and make it so only Alice could grant access to other people. Many of the fine-grained access controls offered in 1Password accounts depend on an authentication-based system, but the ability to read data is based on an encryption system.
Remote access
Encryption is typically done locally, with everything on a user's device, whereas authentication typically involves access to a remote system. Someone who wants to use their data on different devices can use an authentication-based system to access something available on the network, whereas encryption-based systems require the construction of a difficult and complex syncing system to work well. 1Password accounts maintain the stronger security properties of encryption systems while offering the syncing convenience of an authentication-based system.
Access revocation
It's easy to revoke someone's access to data with an authentication-based system. If Alice lets Bob and Charlie access some data, she could subsequently revoke Bob's access. This change is much easier to make with an authentication-based system than it is with an encryption-based system.
Authentication-based systems are more intuitive
Most people think of data access in terms of authentication. 1Password works by encryption, yet even we at AgileBits use authentication metaphors of vaults that rely on locks and (ordinary) keys.
A quick summary
This is a quick overview of some of the features and security properties of different systems. There are many exceptions to each claim made here; do not consider the contents of this table to be absolute.
| Feature | Authentication | Encryption |
|---|---|---|
| Password (hashed) stored | Typically stored remotely | No |
| Password transmitted | Typically, yes | No |
| Password sufficient for access? | Yes | No |
| Password | Yes (unless two-factor) | Both password and data are needed |
| Flexible two-factor possible | Yes | No |
| Rate limiting possible? | Yes | No (though slow hashing can help) |
| Lockout possible? | Yes | No |
| Password reset possible? | Yes | Not without key escrow |
| Administrator back door | Yes (same as with reset) | Not without key escrow (same as with reset) |
| Attack surface | Large | Small |
| User control of data | Shared | Full |
Our choice
1Password uses the built-in security advantages of encryption-based systems over the flexibility of authentication-based systems. By using public key cryptography, 1Password accounts offer secure sharing and, through the authentication-based flexibility of servers, more flexible syncing and access management. Encryption means that 1Password does not face the kinds of threats a largely authentication-based system would face, and we have used an authentication mechanism that defends against many of the threats faced by many other systems. Most of the following statements are a direct consequence of the 1Password security model.
- AgileBits is only minimally involved in your use of your data. We cannot decrypt your data or collect your 1Password account password, Secret Key, or encryption keys.
- 1Password’s local security doesn’t depend on gatekeepers, which means its security can’t be undermined by subverting authentication mechanisms. Even a total failure of the authentication system used by 1Password accounts would leave the attacker with very little information of value.
- 1Password’s local security doesn’t depend on authentication-based systems protecting unencrypted data, which means there’s no threat based on removing non-existent gates.
- The 1Password apps don’t need two-factor authentication. 1Password accounts use Two Secret Key Derivation (2SKD) to make sure no one can access your data without both your account password and your Secret Key.
- No matter what happens to AgileBits as a company, you will be able to access data stored locally in the 1Password apps.
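The third point above, that unlocking requires both the account password and the Secret Key, can be shown with a two-secret derivation in the spirit of 2SKD. This is an added illustration, not 1Password's actual algorithm or code: the slow KDF stretches the human-chosen password, HKDF spreads the device-generated Secret Key, and the two outputs are XORed so that neither secret alone yields the key. The `enroll`/`unlock` functions, the key-check tag, the salt handling and the Secret Key format are all constructed for the example.

```python
import hashlib
import hmac
import os

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with SHA-256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, "sha256").digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), "sha256").digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_unlock_key(account_password: str, secret_key: str, salt: bytes) -> bytes:
    """Two-secret derivation in the spirit of 2SKD (illustration, not 1Password's exact scheme).

    PBKDF2 stretches the low-entropy password; HKDF spreads the high-entropy Secret Key.
    XORing the two 32-byte outputs means knowing one secret gives no information
    about the key, so an offline guess at the password cannot be checked without the
    Secret Key, and a leaked Secret Key is useless without the password.
    """
    from_password = hashlib.pbkdf2_hmac("sha256", account_password.encode(), salt, 100_000)
    from_secret_key = hkdf_sha256(secret_key.encode(), salt, b"unlock-key")
    return bytes(a ^ b for a, b in zip(from_password, from_secret_key))

def enroll(account_password: str, secret_key: str, salt: bytes) -> dict:
    """Build a constructed vault header: the salt plus a key-confirmation tag.

    The header lets a client check a candidate (password, Secret Key) pair locally;
    it contains neither secret and does not reveal the unlock key.
    """
    key = derive_unlock_key(account_password, secret_key, salt)
    return {"salt": salt, "key_check": hmac.new(key, b"key-check", "sha256").digest()}

def unlock(header: dict, account_password: str, secret_key: str) -> bool:
    """True only when both secrets are right; fails if either one is wrong."""
    key = derive_unlock_key(account_password, secret_key, header["salt"])
    candidate = hmac.new(key, b"key-check", "sha256").digest()
    return hmac.compare_digest(candidate, header["key_check"])

if __name__ == "__main__":
    sk = "A3-CONSTRUCTED-SECRET-KEY-EXAMPLE"  # placeholder, not a real Secret Key format
    header = enroll("correct horse battery", sk, os.urandom(16))
    print(unlock(header, "correct horse battery", sk))                      # True
    print(unlock(header, "correct horse battery", "A3-SOMEONE-ELSES-KEY"))  # False
    print(unlock(header, "wrong password", sk))                             # False
```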
Building a stronger but less flexible security architecture means that what is going on behind the scenes can be very different from what one might imagine. It also means that we have had to work a bit harder to bring you the flexibility that you see. But it also means 1Password offers the best of both encryption- and authentication-based systems.