What is Public Key Cryptography and Its Application in Authentication

January 12, 2024

In recent years, public key cryptography has rapidly attracted attention from businesses owing to its high degree of security and practical application in protecting end-user authentication credentials.

In this article, we will talk about what public key cryptography is and how it is applied to authentication to give users a stronger and more convenient login journey.

What is Public Key Cryptography (PKC)?

Often referred to as asymmetric cryptography, PKC is a class of cryptographic protocols whose algorithms require the creation and use of two separate keys: a private key and a public key. PKC uses this key pair for data encryption and decryption to protect data against unauthorized access or use.

In PKC-based authentication, network users receive a private/public key pair from a certification authority. When an end-user logs in to a platform that deploys a PKC-based mechanism such as FIDO, the private key stored on their device is used to decrypt the message, or challenge, that the server sent after encrypting it with the user's public key.

The Rivest-Shamir-Adleman (RSA) algorithm is the system that developers use for public key cryptography. It is commonly used to send secure, sensitive data over a network deemed insecure, such as the internet. The algorithm is popular because it allows encryption with either key of the pair: encrypting with the public key provides confidentiality, while encrypting (signing) with the private key provides authenticity.
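The challenge-response login described above, and the two directions of RSA use just mentioned, as an added Go example that is not part of this article or of any FIDO implementation. The `Device` and `Server` types are assumptions for illustration; the block uses the Go standard library's RSA with OAEP and PSS padding, and shows both the decryption variant described in the text and the signature variant, which is the form FIDO authenticators actually use.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Device keeps the private key on-device; Server stores only the public key.
type Device struct{ priv *rsa.PrivateKey }
type Server struct{ pub *rsa.PublicKey }

func NewDevice() (*Device, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// Register hands only the public half to the server; the private key stays on the device.
func (s *Server) Register(d *Device) { s.pub = &d.priv.PublicKey }

// Decryption variant, as described above: the server encrypts a fresh random
// challenge to the public key and keeps the plaintext to compare against.
func (s *Server) EncryptedChallenge() (plain, ct []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, s.pub, plain, nil)
	return plain, ct, err
}

// Decrypt succeeds only for the holder of the matching private key.
func (d *Device) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, d.priv, ct, nil)
}

// Signature variant (what FIDO authenticators actually do): device signs, server verifies.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, d.priv, crypto.SHA256, h[:], nil)
}

// A signature is bound to its challenge, so a captured one fails against a fresh one.
func (s *Server) VerifySignature(challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return rsa.VerifyPSS(s.pub, crypto.SHA256, h[:], sig, nil) == nil
}
```

In both variants the server only ever holds the public key, so a breach of the server's credential store yields nothing an attacker can log in with.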

Benefits of Public Key Cryptography (PKC)

Amid the ever-evolving digital environment, the main benefit PKC presents is increased data security. Compared with private key cryptography, public key cryptography is the more secure protocol because end-users are never required to transmit or reveal their private (device-stored) key to anyone. This has proven to protect users from man-in-the-middle and phishing attacks, in which bad actors try to gain unauthorized access to an account mainly through social engineering tactics.

Additionally, PKC provides digital signatures that cannot be repudiated. The protocol makes each end-user responsible for protecting their own private key, whereas in private key cryptography the secret key is shared, and sometimes transmitted through third parties that must then be trusted.

Public Key Cryptography Supplements Private Key Cryptography

PKC, despite being known as the more secure protocol, is not intended in any way to replace private key cryptography, but rather to supplement it. There are instances where a private key system is not ideal, and in those cases public keys become essential.

Generally, the public key encryption method is preferred in multi-user environments where confidentiality must be ensured through key distribution, and where digital signatures are needed to verify user identity.

Public Key Cryptography Application in Authentication

Given the strong protection it offers against attackers, public key cryptography has been applied to authentication in various industries, all aiming to secure end-user accounts by storing credentials more safely.

In Government Services

In many countries, particularly the United States, Canada, the UK, Germany, the Czech Republic, France, Sweden, Australia, South Korea, Malaysia, Thailand, and Taiwan, government systems have deployed modern authentication solutions featuring FIDO specifications based on PKC. Governments and industry have embraced FIDO as the preferred way to deliver high-assurance multifactor authentication to end-users.

In Banking Services

In the United States, Japan, South Korea, and Taiwan, commercial banks have been adopting PKC-based (FIDO) authentication systems since as early as 2019 to simplify the authentication journey for clients. With FIDO authentication, mobile banking users can simply use the biometric scanner on their phone instead of keying in a username and password, which are vulnerable to phishing attacks.

With PKC systems in place, banks can deliver a more seamless transaction flow in which users do not have to use any kind of one-time password (often sent by SMS). Not only does this streamline and better secure the authentication process for payments, it also helps banks strike a good balance between security and cost.