2013/10/2 23:46:45

Secure login: A replacement for passwords, tokens and everything else

Steve Gibson from GRC has proposed a new approach for secure login that does not require passwords, security tokens or the involvement of third parties.

In a nutshell, the site login page generates a QR code containing the login URL and a unique random number, which you show to an app on your smartphone. The app generates a *unique* public/private keypair for that site, cryptographically signs the random number and sends it together with the public key to the login URL for validation. If the signature is good the site lets you in.

The public key becomes your ID for that site, and you authenticate yourself by signing random numbers generated by the site using your private key. There is nothing to remember, no shared secrets and you don't need to type anything.

This looks like a pretty good system to me. As far as I can tell there is only one major downside: You need to develop a phone app. I might have a go at this for Android (you iPhone users are on your own, sorry).

Worth a look?
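
The exchange described above, with both the site and the app side, as an added Go example that is not part of the original post or of the GRC proposal. Ed25519 signatures, deriving the per-site key as HMAC-SHA256 of a master secret and the host, signing the whole challenge URL, the `/login?nonce=` URL shape and the `example.test` host are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Site is the server side; pending holds challenges issued but not yet answered.
type Site struct {
	Host    string
	pending map[string]bool
}

// NewChallenge builds the QR code content: login URL plus a fresh random number.
func (s *Site) NewChallenge() string {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	c := "https://" + s.Host + "/login?nonce=" + hex.EncodeToString(n)
	s.pending[c] = true
	return c
}

// Verify accepts a valid signature over an outstanding challenge, once only.
func (s *Site) Verify(c string, pub ed25519.PublicKey, sig []byte) bool {
	ok := s.pending[c] && len(pub) == ed25519.PublicKeySize &&
		ed25519.Verify(pub, []byte(c), sig)
	delete(s.pending, c) // single use: a captured response cannot be replayed
	return ok
}

// Respond is the app side. Assumed derivation: seed = HMAC-SHA256(master, host).
func Respond(master []byte, host, c string) (ed25519.PublicKey, []byte) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(host))
	key := ed25519.NewKeyFromSeed(mac.Sum(nil))
	return key.Public().(ed25519.PublicKey), ed25519.Sign(key, []byte(c))
}

func main() {
	site := &Site{Host: "example.test", pending: map[string]bool{}}
	c := site.NewChallenge()
	pub, sig := Respond([]byte("constructed master secret"), site.Host, c)
	fmt.Println("login:", site.Verify(c, pub, sig), "replay:", site.Verify(c, pub, sig))
}
```

The same master secret always yields the same public key for a given host, which is what lets the site treat that key as the account ID, while a different host gets an unrelated key.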
