[Cryptography] On mobile passwordless logins and established technologies

Guido Witmond guido at witmond.nl
Tue Mar 25 16:56:53 EDT 2014

On 03/24/14 10:08, Felix Ruzzoli wrote:
> Hey List,

> I am wondering. Most people seem to agree that the vast amount of online
> services accounts accompanying passwords for authentication are creating
> a constant hassle for the end-user and / or security issues because of
> weak or reused passwords.

Agreed. :-)

> I am wondering why people don't employ client-side SSL certificates for
> simple ID checking purposes? Someone please tell if I am wrong here..

> By just generating client certificates for each user of a (mobile)
> application on-the-fly and using them for ID checking we achieve
> passwordless logins with a good degree of security. Of course as long as
> the secret key is stored unencrypted on the device, the device acts like
> an ID token. Thus if the phone gets stolen the ID is too.

I assume that the private key is the ID, and that is is only used for
recognizing recurring visitors.

> I claim this a feasible solution for your run-of-the-mill low security
> application which just needs a reliable way to differentiate between
> users and make sure it is not too easy to impersonate another user or
> break into his account.

Private keys and client certificates might be overkill for
differentiating recurring vistors to a server. A signed cookie suffices.

Would you create a peer-to-peer communication protocol (for example
in-app communications between two participants), the private keys allow
for encrypted communication that your server could not decrypt.

But then you are in the land of message signatures, key validation and
all other nasty details of cryptography.

Would be cool if every app would do that, though!

Regards, Guido Witmond.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140325/c7ef2396/attachment.pgp>

More information about the cryptography mailing list