[Cryptography] On mobile passwordless logins and established technologies

Felix Ruzzoli memmaker at 32kb.org
Mon Mar 24 05:08:22 EDT 2014


Hey List,
I am wondering. Most people seem to agree that the vast number of online 
service accounts, with accompanying passwords for authentication, is 
creating a constant hassle for the end-user and/or security issues 
because of weak or reused passwords.

I had a look at OAuth and OpenID, and while in theory the idea seems to 
be a good one, in practice the technology is not adopted by enough 
services to make a difference. Furthermore, the original design seems to 
require a Web-based login which has to be recreated as a WebView on 
mobile devices; a more than awkward solution.

I am wondering why people don't employ client-side SSL certificates for 
simple ID checking purposes. Someone please tell me if I am wrong here.

By just generating client certificates for each user of a (mobile) 
application on-the-fly and using them for ID checking, we achieve 
passwordless logins with a good degree of security. Of course, as long as 
the secret key is stored unencrypted on the device, the device acts like 
an ID token. Thus if the phone gets stolen, the ID is too.

Of course, backups of the ID could easily be done by encrypting the 
private key to a secret password. But at this point there seem to be no 
alternatives to letting the user input a secret.

I claim this is a feasible solution for your run-of-the-mill low-security 
application which just needs a reliable way to differentiate between 
users and make sure it is not too easy to impersonate another user or 
break into his account.

What are your thoughts on this?
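The scheme the post proposes, as an added example that is not part of the post or of any project: a self-contained Go program in which the service runs its own private CA, issues a certificate per user on the fly, and a TLS server identifies the caller solely from the verified client certificate. Connections without a certificate, or with one signed by some other issuer, are refused before any application data flows. The Authority type, the function names, the "example-app issuing CA" name and the user "alice" are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// Authority is the service's own issuing CA (an assumption of this example, not
// something the post specifies): it signs one cert per user and trusts nothing else.
type Authority struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	Pool *x509.CertPool
}

// mint generates a fresh P-256 key plus a certificate built from tmpl; a nil ca
// means self-signed (used once, for the CA itself), otherwise ca signs the leaf.
func mint(ca *Authority, tmpl *x509.Certificate) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	parent, signer := tmpl, key
	if ca != nil {
		parent, signer = ca.Cert, ca.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func NewAuthority() (*Authority, error) {
	cert, key, err := mint(nil, &x509.Certificate{Subject: pkix.Name{CommonName: "example-app issuing CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign})
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &Authority{Cert: cert, Key: key, Pool: pool}, nil
}

// issue signs a leaf for cn. The private key is returned inside the tls.Certificate
// and never leaves the caller's memory: on a phone that is what makes the device an ID token.
func (a *Authority) issue(cn string, eku x509.ExtKeyUsage, dns ...string) (tls.Certificate, error) {
	cert, key, err := mint(a, &x509.Certificate{Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}})
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}, nil
}

// IssueClientCert is the on-the-fly per-user credential the post proposes; the
// user ID rides in the CommonName.
func (a *Authority) IssueClientCert(userID string) (tls.Certificate, error) {
	return a.issue(userID, x509.ExtKeyUsageClientAuth)
}

// StartServer listens on loopback, demands a client cert chaining to a, and
// answers every authenticated connection with the identity it verified.
func StartServer(a *Authority) (string, error) {
	srv, err := a.issue("localhost", x509.ExtKeyUsageServerAuth, "localhost")
	if err != nil {
		return "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{srv},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no valid client cert, no session
		ClientCAs:    a.Pool,
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			// The identity is read from the verified chain, never from client input.
			if tc := c.(*tls.Conn); tc.Handshake() == nil {
				fmt.Fprintf(tc, "authenticated as %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			c.Close()
		}
	}()
	return ln.Addr().String(), nil
}

// Login is the mobile client: present certs (none = no credential) and return the
// identity the server acknowledged, or the error that ended the handshake.
func Login(addr string, rootCAs *x509.CertPool, certs ...tls.Certificate) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: rootCAs, ServerName: "localhost",
		Certificates: certs, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	b, err := io.ReadAll(conn)
	return string(b), err
}
```

Run StartServer once, then call Login with the user's certificate; the string it returns is the identity the server derived from the chain, so the application never sees a password at all. The client pins trust to the service's own CA rather than to the system store, and the only secret is the key inside the tls.Certificate, which is precisely the property the post describes: whoever holds the device holds the ID. The backup question the post raises (encrypting that key to a passphrase) is deliberately not shown here; the key lives only in memory.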

