A Password less authentication protocol built using PKI and Linked Data Signature to securely authenticate users into websites and protect their data. The protocol accomplishes the following two goals:
How passworldless solution can be implemented using Public Key Infrastructue and become better alternative of password based authentications.
How PKI based solution can protect the User's data by not letting the server store the user's personal information but still be able to use the application the way it was being used earlier.
The protocol uses Linked Data Signature and JSON Web Token as its core concepts along with JSON-ld as message format.
FIDO is trying to solve the very same problem. But FIDO is complex to understand and implement for a normal devleoper. More over it involved costs of certification and all. Here, our goal is to come up with a very light weight sdk so that developers can implement PKI efficiently and securely.
// TODO: Write explanations.
- JSON-ld
- Linked Data Signatures
- JWT
// TODO: Write explanations for userdoc and credential doc
- Trust
- Data Protection
- Usability
- Security
Follow the instructions to run the client and server applications. First setup and run the server then run the client. Once it runs successfully, the client app can be accessed on http://localhost:8080/ url. The tool supports two types of authentications; BASIC-AUTH (username/password based) and PKI-AUTH (passwordless).
| Registration | Login |
|---|---|
 |
 |
Register a use by filling the registration form and then go to login page to login into the website. On successfull login, the user is taken into home page which show user profile.
Let us take a look into database when registered by this mechanism.
As you can clearly see user personal information sitting in the database.
Now, go back to the login page [http://localhost:8080/login] but this time lets use PKI-Auth. But before that, lets register a user.
To register a user go to register page [http://localhost:8080/register_pki] and fill the form.
Once the form is filled, you can download crypto materials (credential.json) and user doc (userDoc.json). Note that you are not yet signedup.
| User doc | Credential doc |
|---|---|
 |
 |
To signup, press on SignUp button. If you are redirected back to login page, meaning, you are signedup. Let's take a look at the db again.
As you can see in the db (the second row), none of user personal information went into it. Only the publickey and hash of userData resides - Quite safe huh!
To login using PKI-auth, you either need a wallet to scan the QR code or, just provide crypto material doc and userDoc. You can click on View Proof button to see (optional) what signature got added to the userDoc. Finally click on Login button to go to user profile page.
| Login | Proof |
|---|---|
 |
 |
// TODO
- UUID are not right way to generate nounce.
- Possible way of challenge could be
ch = Sha3(UUID + time() + salt)
- Store user sensitive information in the server database which can be prone to hack.
- Passwords on their own do not constitute sufficient security for many activities.
- Passwords can be shared.
- MFA brings the complexity and does not really solve the sharing problem.
- Passwords needs to be changed frequently.
- Increase in password complexity can bring user hinderance.
My father sent me facebook request for the 7th time the previous month. ha ha!
Is security is not for all kind of user?
- For website
- Every website would need their user to register with them, as well as they need to provide some user-agent for storing credentials and user doc to their user.
- As compared to basic-auth, the pki-auth is still complex for a website to implement and it has security concerns. So the developer must have to be aware of attack vectors and proper cryptographic premitives.
- For user
- On the other hand, user has to install multiple user-agents to manage the same userdata but different crypto-materials for different website. It is good for the security since every website will have different keypairs but very bad design for usability.
- Overall, usability is the main challenge to solve here.
- Now that we undestood the problem with the protocol, we need to come up with a solution where user register only for one time (like in case of social login) and other website just need to support that login. In this way, user will only have one wallet and one time registration.
- However, we have to make sure that user uses different credentials for different websites (unlike facebook where one credetials is being used everywhere)
- This work is NOT ready for production yet. So please use this work only for understanding purpose.
- Any other suggestion related to attack vectors or any other bugs in code, please create a issue for that. Thank You!