[Cryptography] Possible reason why password usage rules are such a mess

Alfie John alfie at alfie.wtf
Sat Mar 7 06:56:41 EST 2020


On 6 Mar 2020, at 01:25, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> 
> We have to get away from passwords altogether and later this year, I will be launching the first part of the Mesh which will make that possible as a Kickstarter. The Mesh is all open source of course and will remain so. But I reckon many people will be willing to pay $20 or so for someone else to host a service rather than run their own with all the hassle that inevitably entails. And if I can get enough $20s, I can hire people to run the service and write code to integrate into Chrome, Edge etc.
> 
> So the big idea here is to write a tool that provisions public key pairs and credentials to every device the user connects to their personal Mesh and then use those keys to
> 
> 1) Provide access to an end-to-end secure password manager.
> 2) Authenticate to services using strong public key authentication. 
> 3) Provide a second factor authentication capability that provides an audit log of the actions taken.
> 
> If you have access to your password vault on every device you own and if it is integrated into your browser on every platform, you can use different, machine generated passwords for each site. And they can have as strong a work factor as that site allows.
> 
> So this is a LastPass-type play except that every device with access to the passwords is also capable of public-key-based authentication which is phishing proof because the authentication protocol does not require release of the authentication secret.
> 
> I am not aware of any existing password vault that is end-to-end secure. My proposal provides a further control using threshold cryptography so that you can disable access to a device if it is lost or stolen or if you are going through an airport in a hostile country.
> 
> Oh and it can also provision your keys for S/MIME, OpenPGP and SSH so that best crypto practices are maintained. It can exchange contacts through various types of ceremony from in-person QR code exchange to remote with TTP attestation and it has a complete end-to-end secure asynchronous messaging infrastructure.
> 
> It is time to make this happen. I am still nailing down the last bugs in the reference code but I will be shortly looking to start a business to commercialize this technology and doing the usual things of seeking a COO, angel investment, etc.

Although not open source, at Forticode we already did what you're describing with Cipherise:

  https://www.forticode.com/how-does-cipherise-work/

Alfie

[not an ad... I no longer work there]

--
Alfie John
https://www.alfie.wtf


