Password-less VPN authentication

TL;DR - We no longer require customers to specify a password when connecting to the VPN as we have randomly generated usernames and the password doesn’t affect the security of the VPN tunnel in any way. You still require a password to login to the website Client Area.

To understand more about this decision read on.

An authenticator is the means by which an identity is confirmed e.g. password or 2FA token. When designing information systems its important to choose an authenticator that is commensurate with the sensitivity of the information to which the use of the authenticator permits access. Companies use VPN technology to permit offsite staff secure access to their corporate networks. If an attacker were able to steal an employees credentials they would have full access to all the internal servers on the corporate network. Privacy VPN services use the same technology but instead of providing secure access to an internal network they provide secure access to the Internet. If an attacker were able to steal some credentials they would simply gain access to the Internet like any other IVPN customer and could do no more than use our service without paying for it.

The username and password are only used to check that you have a paid account. They are not used in any way to establish the security of the VPN tunnel itself i.e. cryptographic keys are not derived from them.

IVPN have always generated random usernames (62^8 combinations), so from now on we will use the username as the identifier and remove the requirement for a password. This not only simplifies user experience, but removes the confusion about needing a strong password for the VPN tunnel.

New versions of the IVPN apps will be released today with the username field renamed to ‘Account ID’ and the password field removed. If you are connecting with a non-IVPN app simply specify any password.

Please note: This has no effect on the client area. To access the IVPN Client Area on the website you still need to enter the email address and password you signed up with.

Featured posts

Related posts

Releases

Introducing device management for better control of logged in devices

Posted on February 13, 2024 by Viktor Vecsei

We are introducing IVPN device management, an opt-in (disabled by default) feature that helps you review and log out from devices currently logged in to IVPN apps. This step is a direct response to frequent customer requests for better device controls.

Releases

Launch of IVPN Light - short-term VPN access paid with BTC Lightning

Posted on September 15, 2023 by Viktor Vecsei

Equipped with a BTC Lightning wallet and some sats, you can now set up an IVPN WireGuard tunnel in minutes without creating an account or sharing any personal information. Benefits of using IVPN Light: Short duration access option, you can get a “throwaway” VPN tunnel for 3 hours or up to 30 days duration Priced in sats and affordable - you can purchase access for as little as 500 sats (3 hours) Access up to 5 locations or 1 entry-exit node MultiHop combination with one payment No account required - we only keep a record of your Lightning payment on our self-hosted BTCPayServer, no personal information is collected Differences versus a regular IVPN subscription: