Skip to main content

Why Not Signed Password Authentication?

It is now universally acknowledged that basic password authentication does not offer sufficient security. 2-Factor authentication is a major improvement and hopefully would become the standard form of authentication over time.

Another approach that might work well would be to use public key cryptography to authenticate with a signed password instead of just the plain password.

An application (web or native) would generate the public/private key pair and store the private key locally while storing the public key along with the user's password on the server. This key generation can happen for instance during account sign up when it is clear the owner of the account is the one accessing it. Of course a key rotation mechanism can be devised to allow for a flexible way of rotating keys. This would all be transparent to the end user.

Instead of the user submitting just the password, they'll submit both the password and a timestamp based signature, ie plain password+current timestamp. This signature would be generated by the locally stored private key. For instance a developer could simply add Javascript to a login page that would generate the signature using the private key stored in the browser's local storage.

This can be implemented easily both for native and web apps without any complication to the sign-in process for the end user.

On the server, authentication would need to be tweaked of course, but the additional effort is minimal. On platforms like php it is just a matter of updating the authentication logic, on JVM platforms application servers can bake this in as an additional security option and make it easy to configure.

On the server, the signature would be verified using the stored public key and the user can be authenticated. Authentication can be denied perhaps based on some sort of user preference. For instance a user could specify that if they ever attempt to access their account without a valid signature, the server should deny access. Or a user could say if signature verification fails, failover to 2-factor authentication.


This can be of course combined with 2-Factor authentication. Also a process can be developed to make it easy to transfer the locally stored private key to other devices both permanently or temporarily.

Of course private keys could be stolen via other security weaknesses but this seems like a low hanging fruit approach to mitigating the effect of stolen passwords and brute force attacks on weak passwords, thereby significantly increasing the effectiveness of passwords.

At the end of the day, security is not about one perfect solution but rather a combination of solutions that together lead to an effective solution.

Just some thoughts...am I missing something here?

Comments

  1. You are missing that this locally stored private key is not easily transferred to other devices or browser, prohibiting users from logging in from another browser/device.

    ReplyDelete

Post a Comment

Popular posts from this blog

Declarative Programming With AI/LLMs

  What Is Declarative Programming Broadly speaking, there are two ways to program/instruct a computer to perform a task, they are imperative vs declarative programming. Imperative programming is what we do the most, we write all the code necessary for the computer to perform a task such that the only thing left for the computer to do is fetch and execute CPU instructions. If you are using Java,C#, Javascript...etc you are doing imperative programming. Declarative programming is a higher-order form of programming, we instruct the computer to perform a task but otherwise let it "figure out" how to do it. Declarative programming requires some sort of software based execution engine. Whereas with imperative programming our code gets compiled into some machine/byte code and then run by the CPU, declarative programming requires a layer of software that does the "magic" that allows you to use it without having to write the precise logic for completing tasks.  I would guess...

Integrating AI CodeGen With Low Code Application Development

This is a demo showing Solvent-Lowcodr working with AI Code generation (ChatGPT) to build web apps in a low code fashion. This demo uses Vuetify Component Library. This is the first in a series showing various ways that AI CodeGen and low code can be combined in Solvent-Lowcodr to accelerate web application development. In subsequent posts we'll show how to use AI CodeGen to build low code building blocks in Solvent-Lowcodr. We'll also show demos for React.

Integrating AI CodeGen With Low Code Application Development - Part 2

In this post we follow up from the previous AI CodeGen integration into a Lowcode environment, which was a manual process.  In this post we showcase the new direct AI integration support, then follow that up with using that integration to automate the process of issuing a prompt and generating a Lowcode app. Part 1 - Basic AI Integration Demo (OpenAI, Anthropic, Gemini) Part 2 -CodeGen and Lowcode Integration via automation using all three models.