
I was reading about passwords and came across methods used for authenticating a client to a server. Since sending the password in plain text to the server isn't the best method for authenticating a user, certain methods were described which provide resistance to replay attacks, MITM, etc.

Some methods described were:

1) Random Challenge method, where the server provides a random string to the client, the client encrypts it with its key/password (symmetric) and sends the result back to the server. The server does the same process (or the reverse) to determine the authenticity of the user.

2) Relying on SSL/TLS for the encryption

3) Certificate based Authentication

My question is: which of the above methods is in current practice? Like, when we try to log in to our Google, Facebook or Stackexchange account, which authentication method is used?

Vasu Deo.S
  • `Like when we try to login to our Google, Facebook or Stackexchange` -- plain password-based authentication. Just over TLS. – Crypt32 Nov 06 '19 at 07:52
  • @Crypt32 meaning the password in plaintext (encrypted with TLS) is sent over to the server for authentication? – Vasu Deo.S Nov 06 '19 at 08:25
  • Yes, pretty much. And when authenticating between websites, for example, logging into StackExchange via your Google account, OAuth is used. – Izy- Nov 06 '19 at 08:58
  • @Izy- we are sending our password in **plaintext** to the server (enc. via TLS), so does that mean the server also has it stored in plaintext format? – Vasu Deo.S Nov 07 '19 at 15:26
  • @VasuDeo.S servers never store passwords in plaintext. Ideally, the server shouldn't know a user's password either. Passwords are hashed and salted (sometimes multiple times) and then stored. Since reversing hashes to plaintext is not straightforward, when a user tries to log in, the hashes are compared, not the plaintexts. – Izy- Nov 08 '19 at 04:27
  • @Izy- So that means that our passwords are sent in plaintext (enc. via TLS) and, upon reaching the server, the server produces its hash by adding a salt to the PT, and then stores/compares the password. (I've used *stores* assuming the user is setting up a new account.) – Vasu Deo.S Nov 08 '19 at 04:43
  • The password isn't necessarily always sent in plaintext. A good practice would be to hash it a first time on the client and another time on the server. That way, the server never knows what the password is, and if the communication is somehow compromised, the attacker doesn't have the plaintext password. – Simon Nov 09 '19 at 01:00
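The random-challenge method from point 1 of the question, as an added example that is not part of the original post: the server issues a fresh random nonce, the client answers with a keyed hash over that nonce (an HMAC stands in for the "encrypt it with the password" step; that is how modern challenge-response schemes are realised), and the server recomputes the value with its copy of the key and compares. The `Server` class, `client_respond`, the demo password and the SHA-256 key derivation are assumptions for illustration. The demo shows why a captured response cannot be replayed: every nonce is single-use, so the same response fails in the next session.

```python
import hashlib
import hmac
import secrets


class Server:
    """Hypothetical server side of a nonce-based challenge-response login."""

    def __init__(self, users):
        # username -> shared key (bytes). Note that the server holds a
        # password-equivalent secret here; this is the weakness that makes
        # "password over TLS + salted hash at rest" the common choice instead.
        self.users = users
        # username -> outstanding nonce, consumed on the first verify attempt
        self.pending = {}

    def challenge(self, username: str) -> bytes:
        """Issue a fresh 128-bit nonce for this login attempt."""
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Recompute HMAC(key, nonce) and compare in constant time."""
        nonce = self.pending.pop(username, None)  # single use: replay fails
        key = self.users.get(username)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(key: bytes, nonce: bytes) -> bytes:
    """Client proves knowledge of the key without transmitting it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    """Returns (legitimate login ok, replayed response ok, wrong key ok)."""
    # Constructed example key: a real client would use a proper KDF here.
    key = hashlib.sha256(b"correct horse battery staple").digest()
    server = Server({"alice": key})

    # 1. Legitimate login: fresh nonce, correct key.
    nonce = server.challenge("alice")
    response = client_respond(key, nonce)
    legit = server.verify("alice", response)

    # 2. Replay: an eavesdropper captured `response` and resends it later.
    #    The server has already issued a new nonce, so the old MAC is useless.
    server.challenge("alice")
    replayed = server.verify("alice", response)

    # 3. Wrong password: the client derives a different key.
    nonce3 = server.challenge("alice")
    wrong = server.verify("alice", client_respond(b"wrong key", nonce3))

    return legit, replayed, wrong


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Two caveats a practitioner should keep in mind: the scheme protects against replay but not against an active attacker who simply relays the challenge and response and then takes over the connection, which is why it is still deployed on top of TLS; and the server must keep a secret that is equivalent to the password, which the comments above note is exactly what sites avoid by storing only a salted hash.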

2 Answers


It really depends on the service.

The most common is password-based authentication (and it will probably stay like this for a long time). All the services you mentioned use TLS for encryption to mitigate possible MITM attacks.

What is becoming common practice nowadays is to offer 2FA. A list of websites that already offer it: https://twofactorauth.org/

It is important to understand that it is one more layer of security and does not aim to replace password-based authentication.

Additionally, most services offer OAuth2 nowadays. For example, when you access Stack Exchange using your Google account. Of course, you must authenticate to your Google account, using password-based authentication.

Password authentication is widely used because it came first and is more scalable than other methods. Let's say my server offers certificate authentication. If you want to authenticate to it, you must have a certificate that is signed by a Certificate Authority that my server trusts. You must buy this certificate and have it installed on your computer too. This is not a simple configuration for most end users on the internet.

There are some other methods that are used by enterprises, because they usually have all the infrastructure and the websites are only accessed inside the corporate network, for example: SAML 2.0, Kerberos, JWT, etc.

hess
  • OAuth2 is an authorization service, not authentication – Infra Mar 02 '21 at 05:49
  • @Infra technically true, but even without explicitly following OIDC, almost everybody tacks authentication onto OAuth in practice. The fact that it *can* be used without providing authentication seems little more than historical commentary at this point. – CBHacking Nov 27 '21 at 08:05
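What the answer's "password over TLS plus 2FA as an extra layer" looks like on the server side, as an added example that is not the answer's own code: the server keeps only a random salt and a PBKDF2 hash of the password, so the plaintext that arrived over TLS is never stored, and a login additionally requires a time-based one-time code computed from a per-user secret following RFC 4226 (HOTP) and RFC 6238 (TOTP). `create_user`, `login`, the iteration count, the 30-second step and the one-step clock-drift window are assumptions for illustration; both factors are always evaluated so a failure does not reveal which one was wrong.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Assumed parameters: PBKDF2-HMAC-SHA256 work factor and TOTP step size.
PBKDF2_ITERATIONS = 600_000
TOTP_STEP_SECONDS = 30


def create_user(password: str) -> dict:
    """Enrol a user: store salt + password hash and a fresh TOTP secret."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {
        "salt": salt,
        "pw_hash": pw_hash,             # never the password itself
        "totp_secret": secrets.token_bytes(20),
    }


def check_password(record: dict, password: str) -> bool:
    """Re-derive the hash from the submitted password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, record["pw_hash"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: float, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, int(unix_time) // step)


def login(record: dict, password: str, code: str, now=None, window: int = 1) -> bool:
    """Two-factor check: something you know (password) and something you have (TOTP)."""
    pw_ok = check_password(record, password)
    now = time.time() if now is None else now
    counter = int(now) // TOTP_STEP_SECONDS
    # Accept the neighbouring steps to tolerate clock drift on the device.
    code_ok = any(
        hmac.compare_digest(hotp(record["totp_secret"], counter + drift), code)
        for drift in range(-window, window + 1)
    )
    # Evaluate both factors before returning so the response does not tell
    # an attacker which factor failed.
    return pw_ok and code_ok


if __name__ == "__main__":
    # Constructed demo: enrol a user, then log in with the current code.
    user = create_user("hunter2")
    current_code = totp(user["totp_secret"], time.time())
    print(login(user, "hunter2", current_code))   # True
    print(login(user, "hunter2", "000000"))       # False (almost surely)
    print(login(user, "wrong", current_code))     # False
```

The `hotp`/`totp` implementation can be checked against the published vectors: with the RFC 4226 test secret `12345678901234567890`, counter 0 yields `755224` and TOTP at Unix time 59 (step 1) yields `287082`, the last six digits of the RFC 6238 SHA-1 value `94287082`.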

Which user authentication measures are used nowadays?

Simple answer: "Multi-factor Authentication"

Based on:

  1. Something you know
  2. Something You have
  3. Something you are
  4. Somewhere you are
  5. Somewhere you are not

Combining two or more of the factors defined above can provide user authentication. It always depends on the service, device and information you are using.

Based on your requirements you can use the technologies you have mentioned.

Infra