Skip to main content

Why Not Signed Password Authentication?

It is now universally acknowledged that basic password authentication does not offer sufficient security. 2-Factor authentication is a major improvement and hopefully would become the standard form of authentication over time.

Another approach that might work well would be to use public key cryptography to authenticate with a signed password instead of just the plain password.

An application (web or native) would generate the public/private key pair and store the private key locally while storing the public key along with the user's password on the server. This key generation can happen for instance during account sign up when it is clear the owner of the account is the one accessing it. Of course a key rotation mechanism can be devised to allow for a flexible way of rotating keys. This would all be transparent to the end user.

Instead of the user submitting just the password, they'll submit both the password and a timestamp based signature, ie plain password+current timestamp. This signature would be generated by the locally stored private key. For instance a developer could simply add Javascript to a login page that would generate the signature using the private key stored in the browser's local storage.

This can be implemented easily both for native and web apps without any complication to the sign-in process for the end user.

On the server, authentication would need to be tweaked of course, but the additional effort is minimal. On platforms like php it is just a matter of updating the authentication logic, on JVM platforms application servers can bake this in as an additional security option and make it easy to configure.

On the server, the signature would be verified using the stored public key and the user can be authenticated. Authentication can be denied perhaps based on some sort of user preference. For instance a user could specify that if they ever attempt to access their account without a valid signature, the server should deny access. Or a user could say if signature verification fails, failover to 2-factor authentication.


This can be of course combined with 2-Factor authentication. Also a process can be developed to make it easy to transfer the locally stored private key to other devices both permanently or temporarily.

Of course private keys could be stolen via other security weaknesses but this seems like a low hanging fruit approach to mitigating the effect of stolen passwords and brute force attacks on weak passwords, thereby significantly increasing the effectiveness of passwords.

At the end of the day, security is not about one perfect solution but rather a combination of solutions that together lead to an effective solution.

Just some thoughts...am I missing something here?

Comments

Popular posts from this blog

Managing configurations with object graphs

***
This post is basically a pitch I send to folks whom I think will be interested in a modern approach to configuration management. I am posting it here so I can refer people to it without sending them a long email.
***

One of the features of the HiveMind platform is a smart object technology that solves the problem of dealing with hierarchical configuration information often represented in formats Like YAML,JSON, Java Properties,XML...etc

The smart object technology allows developers/users to directly construct object graphs of any complexity. Once you have the actual object graph you can reverse the process back to representation in any one of the formats mentioned above.


I have setup a demo instance for trying it out @ http://demo.crudzilla.com:7000

Login with login info I sent you.

Be nice, you have full system access :)

To see an example representing the AWS IP list (https://ip-ranges.amazonaws.com/ip-ranges.json):

Navigate to: /com/crudzilla/betaApp/web/aws/index.ins

Thi…

Get out of the box sometimes

Little boxes on the Laptop, Little boxes made of Javascript stacks, Little boxes on the Laptop, Little boxes all the same. There's a green one and a pink one And a blue one and a yellow one, And they're all made out of Javascript stacks And they all look just the same. And the developers in the industry All went to the IDEs, Where they were put in boxes And they came out all the same, And there's devOps and Rubyers, And micro services, And they're all made out of Javascript stacks And they all look just the same. And they all play on the GitHub And drink their Kool-aids dry, And they all have pretty syntax And the syntax go to HackNews, And the syntax get approval stamp And then to the IDEs, Where they are put in boxes And they come out all the same. And the bros go into business And marry and raise a VC round In boxes made of Javascript stacks And they all look just the same. There's a green one and a pink one And a blue one and a yellow one, And they're a…

Your code is not a project

Language matters, just as saying the wrong word to the wrong person can leave you with one less front tooth, so too can the incorrect use of language in general create a cascade of confusion that pervades an entire industry.

One of my pet peeves about the use of language in the software arena is the use of the word "Project". This usage as far as I know goes back to IDEs grouping software artifacts as projects. The notion of a project as the top level organizing construct for software projects (see what I did there?) is now a de facto standard. One problem with this is that it is a complete misuse of the notion of a project. A project is not a thing, it is a process! A project has (or at least should have) a well defined start and end.

As a process, by its very nature, its essence is vague. So when something whose essence is precise (software) is called a project it leaves the reader wondering exactly what is being described. Whenever I come across a documentation describing…