Passwordless login via public private keys?

yangyang · May 21, 2015, 2:38pm

Continuing the discussion from Would You Implement Passwordless Login?:

Let’s start with SMS: http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/

Email suffers from other problems. There is very little security built into the email protocols, and there’s a bunch of issues with HTTPS being discovered recently.

Can I create a more secure login system than Gmail? Easily. Note, though, that that is only part of the problem.

Here is what you do:

Generate a key pair for public key cryptography. You can do this in JS in the browser these days.

Send the public key to your server along with whatever user identifying information you want.

Have the server sign it if it is happy with the user information, and send it back signed.

Install the private key part and the signed public key as a client certificate and use that for authentication from now on.

Is this convenient? With some effort, it could be made to work. Mostly, though, there are some lessons to be learned from it:

Password based authentication is insecure, get over it.

Replacing it with less security (as proposed) is a terrible idea, unless you work for the NSA. A more secure future requires more key management, not less. The key is to drive browser adoption of good key management solutions. Good key management makes using unique site keys easier, too.

This is still a bad solution; get used to the idea that SSL/TLS is a stopgap solution for security. We need more end-to-end security, and less transport security. But that leads off into an entirely new direction.

This is very interesting what @unwesen proposed. Some questions I’m start thinking about:

Can this all be accomplished with just a click of a link (e.g. some HTTP requests) without the user having to do anything at all?
This approach seems to bind the account to the very device / client software that has the client certificated installed. What if the user switches / loses device or re-installs / resets the software or system?
I guess it’s still imperative to bind everything to a portable identity, such as an email or a phone number, etc. Yes? If so, how to do that? A token will still have to be sent to the email upon account creation right? This approach doesn’t seem to do that at all. Am I right?

To conclude, this approach binds to device / software rather than email / Gmail. Is it more secure this way?

system · August 20, 2015, 9:43pm

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.