Skip to main content

Why Not Signed Password Authentication?

It is now universally acknowledged that basic password authentication does not offer sufficient security. 2-Factor authentication is a major improvement and hopefully would become the standard form of authentication over time.

Another approach that might work well would be to use public key cryptography to authenticate with a signed password instead of just the plain password.

An application (web or native) would generate the public/private key pair and store the private key locally while storing the public key along with the user's password on the server. This key generation can happen for instance during account sign up when it is clear the owner of the account is the one accessing it. Of course a key rotation mechanism can be devised to allow for a flexible way of rotating keys. This would all be transparent to the end user.

Instead of the user submitting just the password, they'll submit both the password and a timestamp based signature, ie plain password+current timestamp. This signature would be generated by the locally stored private key. For instance a developer could simply add Javascript to a login page that would generate the signature using the private key stored in the browser's local storage.

This can be implemented easily both for native and web apps without any complication to the sign-in process for the end user.

On the server, authentication would need to be tweaked of course, but the additional effort is minimal. On platforms like php it is just a matter of updating the authentication logic, on JVM platforms application servers can bake this in as an additional security option and make it easy to configure.

On the server, the signature would be verified using the stored public key and the user can be authenticated. Authentication can be denied perhaps based on some sort of user preference. For instance a user could specify that if they ever attempt to access their account without a valid signature, the server should deny access. Or a user could say if signature verification fails, failover to 2-factor authentication.


This can be of course combined with 2-Factor authentication. Also a process can be developed to make it easy to transfer the locally stored private key to other devices both permanently or temporarily.

Of course private keys could be stolen via other security weaknesses but this seems like a low hanging fruit approach to mitigating the effect of stolen passwords and brute force attacks on weak passwords, thereby significantly increasing the effectiveness of passwords.

At the end of the day, security is not about one perfect solution but rather a combination of solutions that together lead to an effective solution.

Just some thoughts...am I missing something here?

Comments

Popular posts from this blog

The feds need to shutdown the bitcoin scam now.

I live in Baltimore, let's say I have some hypothetical friends who are always looking for a good hustle.

Now imagine if my friends got together for a new get-rich-quick-scheme, the scheme is very simple. They invent something called cracken (bitcoins) that they start selling on a few blocks in Hamsterdam.

The way you get crackens is to do laps around the blocks in Hamsterdam. Initially when the scheme was setup, you could get a whole lot of crackens by merely doing a few strolls around the block. Needless to say my friends made out like bandits, since, after all they created the scheme and could take advantage of the first-come-first-serve rules.

Unfortunately for the rest of the hood, the number of laps required to get the same number of crackens keeps going up and after a while even the fittest folks in the neighborhood cannot do the lapse required to earn crackens.

Cracken mania takes hold and infects the whole city. Those with crackens start trading these crackens for exor…

Say hello to Solvent

We've changed the name of the platform from HiveMind to Solvent. The idea behind the HiveMind name was that the platform is meant to rely on components built by developers across the web to enable the quick composition of web applications. 
HiveMind is not a bad name and in fact has proven to be quite catchy, however we think a more evocative name would work better. We've spent time toying around with different names, we were not interested in a meaningless word so the name needed to be a real word that has meaning that could be tied to what the platform is, it also needed to have a nice ring to it.
To that end, we settled on Solvent. The Wikipedia definition: 
A solvent (from the Latinsolvō, "loosen, untie, solve") is a substance that dissolves a solute (a chemically distinct liquid, solid or gas), resulting in a solution.
We think this fits nicely with the platform as one for helping businesses quickly develop software solutions to help with their business operation…

What happened to sharing work with other developers?

There was a time when you could create something interesting and post it to a forum with programmers and actually get people interested in what you have. These days it seems short of being blessed (exactly by whom, only god knows) on HackerNews there is little chance you can get anyone's attention.

It is difficult to say precisely what the issue is because it seems multifaceted. It appears a combination of the rise of GateKeepers, perhaps cynicism inspired by the rise of GateKeepers and just a general overload of information has coalesced into a very difficult situation for those of us still daring to create without a VC backed turbo to charge forward with.

Over the past 5-8 yrs I have become quite dishearten by this loss of a genuinely curios developer community, or maybe I am just an old (36) fart who's been left behind.

Even tenure in certain communities doesn't count for anything anymore. I have been a member of HackerNews for 8.5 yrs and have only had 3 or 4 of my po…