August 06, 2012

Improving the user/password combo

Hi there!

I’ve been playing around with cryptography and security, and every time I stumble on asymmetric keys I get amazed! All my deployments rely on it.

All my connections to another machine rely on the identity provided by my private key.

We have been building our identity on the internet. And we don’t like to let other people impersonate you. That is YOU, nobody can be you!

That is why we set up a password for our online services. That is why we have PGP signatures. But it is boring to remember passwords all the time.

Some initiatives have been done to address this issue, like OpenID, OAuth and password managers. I really like how OAuth provides a user identity and restricts usage of these identities, giving you the choice to allow them to do some actions in your name. I like the way OpenID provides an online identity, identifying the user to a profile. And I think the way 1Password integrates with the browser is awesome.

Mozilla is doing an interesting experiment, Mozilla Persona, to provide some of the OpenID benefits through the browser.

And then, asymmetric keys always come to my mind.  This magic way of telling any other user that I am the right ‘Bruno’ by using a secure key. Some companies already use that authentication format to deploy code, upload files, and store data.

I’ve been thinking different ways to use the power of PGP to identify myself on websites. With the right implementation we could give the user the choice to not user a password at all!

The most recent idea I had is something like this:

  • Manage your PGP keys using subkeys. (Keep your master key completely SECURE). That way, if any of your keys get compromised, you still can revoke access to it and restore your user identity.
  • Using a challenge-response method in a two way encryptation. The service provider sends a encrypted random message, that should be decrypted by you, and then, respond encrypting with the server public key. It would secure the user authentication on another level, by proving the current website is the correct one, not a fake server.
  • A browser/desktop/mobile API, so that you don’t need have too much hassle responding to the challenge. It could be also a kind of local OAuth provider, in a way that you could choose what the provider could do in your name.

We don’t need to get rid of the password login, but we could add a small advanced login link on the registration/security form, which you could provide the initial public key to access your computer.

I would like to see something like this.

The implementation still have some flaws, and I am thinking ways to implement it at the same time I am writing this post. That is the initial draft I have for now.

I would like to, some day, use my private key to login in on Twitter.