Microsoft will stop using Basic Authentication for Outlook users on September 16 – Computer – News

The “old/insecure” form is “Username and Password”. This is a flat authentication method, where the username and password are sent to the server. (At worst, every time you check your email). Depending on your settings, this may be sent encrypted.
Therefore your username and password are always stored somewhere on your computer. Maybe encrypted. But in a way that it can be decoded locally. (Otherwise your computer won’t be able to send it :) ). This is not “necessarily” unsafe, but you feel like things should be better in these times. :)

Disclaimer: The following is very superficially worded and partly incomplete, but for ease of reading and wider understanding, I will word it as follows:

Modern Authentication is based on OAuth2. When you sign in using OAuth2, a token is placed on your computer, which you then use to sign in. The token is used along with some other data from the installation to actually log you in (unique identifiers, e.g. (slightly different for each application) unique identifier for your computer/OS/software installation/etc./combination from above). Moreover, the token is also updated every now and then.
Actual authentication is loosely based on public key authentication.

The main advantage of all this is that your “password” (your set of tokens) never crosses the line and is replaced every now and then.

Edit: @DonJunior You can call it MFA very loosely, because your computer/installation becomes part of the authentication (once the token is in place). (The computer/installation itself is the second factor, but it has nothing to do with things like TOTP/etc. This is really quite different.)

[Comment edited by lenwar on 17 June 2024 09:27]
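An added example, not part of lenwar's comment or of any Microsoft code, showing the difference the comment describes on the wire: a Basic Authentication header carries the password itself (only base64-encoded, so anyone holding it can recover the credentials), whereas the SASL XOAUTH2 response that Exchange Online IMAP/SMTP clients send carries a short-lived bearer token that a client refreshes before it expires. The account name, token and expiry values are constructed for the example.

```python
import base64
import time


def basic_auth_header(username: str, password: str) -> str:
    """Build the HTTP Basic Authorization value (RFC 7617): base64(user:password)."""
    raw = f"{username}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def recover_basic_credentials(header: str) -> tuple[str, str]:
    """Basic is 'flat': base64 is encoding, not protection, so the password is recoverable."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, pwd = base64.b64decode(encoded).decode().partition(":")
    return user, pwd


def xoauth2_initial_response(username: str, access_token: str) -> str:
    """SASL XOAUTH2 client response for IMAP/SMTP AUTHENTICATE XOAUTH2.

    Wire format before base64: user=<addr>^Aauth=Bearer <token>^A^A  (^A = 0x01).
    No password appears; the server validates the token instead.
    """
    raw = f"user={username}\x01auth=Bearer {access_token}\x01\x01".encode()
    return base64.b64encode(raw).decode()


def decode_xoauth2(response: str) -> dict:
    """Parse an XOAUTH2 response back into its fields (useful when inspecting client traffic)."""
    raw = base64.b64decode(response).decode()
    return dict(f.split("=", 1) for f in raw.split("\x01") if f)


def needs_refresh(token: dict, now: float, skew_seconds: int = 300) -> bool:
    """Access tokens are short-lived: refresh a little before 'expires_at' rather than after."""
    return now + skew_seconds >= token["expires_at"]


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    hdr = basic_auth_header("alice@example.com", "Hunter2!")
    print("Basic header reveals:", recover_basic_credentials(hdr))
    # Constructed token: issued now, valid for one hour.
    tok = {"access_token": "eyJ.constructed.token", "expires_at": time.time() + 3600}
    resp = xoauth2_initial_response("alice@example.com", tok["access_token"])
    print("XOAUTH2 fields sent:", decode_xoauth2(resp))
    print("refresh needed now?", needs_refresh(tok, time.time()))
```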
