The most common way to authenticate a user for access to a digital service is a login and a password that the user has to enter every time a session is opened. The user enters the login and password on a user device, which transmits them over a communication network to a server. The server then authenticates the user by matching the received login and password against a version previously stored on the server. This mechanism is widely used because it is easy and inexpensive to implement. However, traditional password-based authentication suffers from several downsides. For example, password-based authentication is prone to brute-force attacks, in which an attacker guesses passwords using recursive algorithms. Password-based authentication is also prone to man-in-the-middle attacks, in which an attacker intercepts the password while it is being sent from the user device to the server.
Recently, some big-audience websites have been hacked and their databases compromised. Among the compromised data, user passwords or password hashes were stolen that can potentially be used to access user accounts on other websites. For example, one password reused on multiple websites can be compromised through the weakest of them, nullifying the security efforts of the others. User privacy therefore depends heavily on the security measures each website puts in place.
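As an added illustration of the server-side matching step described above (example code written for this page, not taken from the original text), the following shows a stored-credential record that keeps a random per-user salt and a PBKDF2 digest rather than the password itself, and a check that recomputes the digest in constant time; the account names, passwords and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Assumption: a work factor chosen for this illustration, not a value from the page.
ITERATIONS = 100_000


def register(store: dict, login: str, password: str) -> None:
    """Create an account record: a random per-user salt plus the PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    store[login] = {"salt": salt, "digest": digest}


def authenticate(store: dict, login: str, password: str) -> bool:
    """The server-side check: recompute the digest for this login and compare in constant time."""
    record = store.get(login)
    if record is None:
        # Spend the same work for an unknown login so timing does not reveal which logins exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


def same_password_same_record(store_a: dict, store_b: dict, login: str) -> bool:
    """Is a record stolen from site A byte-identical to site B's record for the same reused password?"""
    return store_a[login]["digest"] == store_b[login]["digest"]


if __name__ == "__main__":
    site_a, site_b = {}, {}
    register(site_a, "alice", "correct horse")  # constructed sample credential
    register(site_b, "alice", "correct horse")  # the same password reused on a second site
    print(authenticate(site_a, "alice", "correct horse"))      # True
    print(authenticate(site_a, "alice", "wrong password"))     # False
    print(same_password_same_record(site_a, site_b, "alice"))  # False: per-site salts differ
```

Because each site salts independently, a digest leaked from the weakest site does not match the record held by another site, which limits (though does not eliminate, since the leaked digest can still be attacked offline) the cross-site damage the paragraph above describes.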