[Cryptography] On mobile passwordless logins and established technologies
memmaker at 32kb.org
Mon Mar 24 05:08:22 EDT 2014
I am wondering. Most people seem to agree that the vast amount of online
services accounts accompanying passwords for authentication are creating
a constant hassle for the end-user and / or security issues because of
weak or reused passwords.
I had a look at OAuth and OpenID and while in theory the idea seems to
be a good one; in practice the technology is not adopted by enough
services to make a difference. Furthermore the original design seems to
require a Web based login which has to be recreated as a Webview on
mobile devices; a more than awkward solution.
I am wondering why people don't employ client-side SSL certificates for
simple ID checking purposes? Someone please tell if I am wrong here..
By just generating client certificates for each user of a (mobile)
application on-the-fly and using them for ID checking we achieve
passwordless logins with a good degree of security. Of course as long as
the secret key is stored unencrypted on the device, the device acts like
an ID token. Thus if the phone gets stolen the ID is too.
Of course backups of the ID could easily be done by encrypting the
private key to a secret password. But at this point there seem to be no
alternatives to letting the user input a secret.
I claim this a feasible solution for your run-of-the-mill low security
application which just needs a reliable way to differentiate between
users and make sure it is not too easy to impersonate another user or
break into his account.
What are your thoughts on this?
More information about the cryptography