Secure login: A replacement for passwords, tokens and everything else

Posted by Madfish on 1380782805
Steve Gibson from GRC has proposed a new approach for secure login that does not require passwords, security tokens or the involvement or third parties.

In a nutshell, the site login page generates a QR code containing the login URL and a unique random number, which you show to an app on your smartphone. The app generates a *unique* public/private keypair for that site, cryptographically signs the random number and sends it together with the public key to the login URL for validation. If the signature is good the site lets you in.

The public key becomes your ID for that site, and you authenticate yourself by signing random numbers generated by the site using your private key. There is nothing to remember, no shared secrets and you don't need to type anything.

This looks like a pretty good system to me. As far as I can tell there is only one major downside: You need develop a phone app. I might have a go at this for Android (you iPhone users are on your own, sorry).

Worth a look?

This Post was from: