Posts

Showing posts from July, 2015

Why Not Signed Password Authentication?

It is now universally acknowledged that basic password authentication does not offer sufficient security. Two-factor authentication is a major improvement and will hopefully become the standard form of authentication over time.

Another approach that might work well would be to use public key cryptography to authenticate with a signed password instead of just the plain password.

An application (web or native) would generate the public/private key pair, store the private key locally, and store the public key on the server along with the user's password. This key generation can happen, for instance, during account sign-up, when it is clear that the person accessing the account is its owner. A key rotation mechanism can of course be devised so that keys can be rotated flexibly. All of this would be transparent to the end user.

Instead of submitting just the password, the user would submit both the password and a timestamp-based signature, i.e. plainpassword+curre…
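The exchange sketched above, written out as an added example in Go; this is not code from the post, and it fills in details the excerpt leaves open: Ed25519 is assumed as the signature scheme, the signed message is assumed to be the password bytes followed by a big-endian Unix timestamp, and the server is assumed to accept a timestamp only inside a two-minute window so that a captured request cannot be replayed later. The names Enroll, SignRequest, VerifyRequest and MaxClockSkew are all invented for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// MaxClockSkew bounds how far a request's timestamp may differ from server
// time. Assumed value; the post does not specify a window.
const MaxClockSkew = 2 * time.Minute

// AuthRequest is what the client submits instead of a bare password.
type AuthRequest struct {
	Password  string
	Timestamp int64  // Unix seconds, chosen by the client
	Signature []byte // Ed25519 signature over password || timestamp
}

// ServerRecord is the per-user state the server keeps: the password (a real
// deployment would store a slow password hash instead) and the public key
// registered at sign-up.
type ServerRecord struct {
	password string
	pubKey   ed25519.PublicKey
}

// Enroll models account sign-up: the client generates the key pair, keeps the
// private key, and the server stores the public key next to the password.
func Enroll(password string) (ServerRecord, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ServerRecord{}, nil, err
	}
	return ServerRecord{password: password, pubKey: pub}, priv, nil
}

// signingMessage builds the bytes both sides agree to sign: the password bytes
// followed by the timestamp as a big-endian uint64 (assumed encoding).
func signingMessage(password string, ts int64) []byte {
	msg := make([]byte, len(password)+8)
	copy(msg, password)
	binary.BigEndian.PutUint64(msg[len(password):], uint64(ts))
	return msg
}

// SignRequest runs on the client: it binds the password to the current time
// with the private key that never leaves the device.
func SignRequest(priv ed25519.PrivateKey, password string, now time.Time) AuthRequest {
	ts := now.Unix()
	return AuthRequest{
		Password:  password,
		Timestamp: ts,
		Signature: ed25519.Sign(priv, signingMessage(password, ts)),
	}
}

// VerifyRequest runs on the server. A stale or future-dated timestamp is
// rejected first (a captured request is only useful inside the window), the
// password is then compared in constant time, and finally the signature is
// checked against the public key enrolled at sign-up, so the password alone
// is not enough to authenticate.
func VerifyRequest(rec ServerRecord, req AuthRequest, now time.Time) error {
	age := now.Sub(time.Unix(req.Timestamp, 0))
	if age > MaxClockSkew || age < -MaxClockSkew {
		return errors.New("timestamp outside freshness window")
	}
	if subtle.ConstantTimeCompare([]byte(rec.password), []byte(req.Password)) != 1 {
		return errors.New("wrong password")
	}
	if !ed25519.Verify(rec.pubKey, signingMessage(req.Password, req.Timestamp), req.Signature) {
		return errors.New("signature does not match enrolled key")
	}
	return nil
}

func main() {
	const pw = "correct horse battery staple" // constructed sample password
	rec, priv, err := Enroll(pw)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	req := SignRequest(priv, pw, now)
	fmt.Println("fresh request:", VerifyRequest(rec, req, now))
	fmt.Println("same request an hour later:", VerifyRequest(rec, req, now.Add(time.Hour)))
	_, otherPriv, _ := Enroll(pw)
	forged := SignRequest(otherPriv, pw, now)
	fmt.Println("right password, unenrolled key:", VerifyRequest(rec, forged, now))
}
```

The order of checks matters: the timestamp window is tested before any cryptography so that stale requests are cheap to reject, and the password is compared with subtle.ConstantTimeCompare to avoid a timing side channel. The server never sees the private key, so a leaked password database only yields passwords and public keys, neither of which is enough to produce a valid signature.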