Passwordless is a prototype of a possible use of asymmetric cryptography in the web authentication context.
It requires user to stock password in some sort of database, whether local (encrypted USB stick with plain text DB) or online (such as LastPass).
The goal is to avoid having passwords transiting over the network, and leaving only public messages transit.
It is very basic implementation, no database nor JWT tokens are yet implemented but it has proven to be possible using the following steps :
- User generates a keypair client-side
- User pushes his username along with his public key (request)
- Server check preconditions (check if user already exists, public key is indeed a public key,...)
- Server generate a keypair server-side specific to the user
- Server stocks both server-side private key and client-side public key in the user entity
- Server returns the server-side public key (response)
- User stocks username, server-side public key and client-side key pair on a secured USB device (using WebUSB) or on a web extension (such as LastPass)
- User requests a challenge from the server for a specific username (request)
- Server computes a random (using true RNG or pseudo RNG)
- Server stocks the generated random number along with user entity
- Server returns a signed version of the random number using the server-side user's specific private key (aka. challenge) (response)
- User verifies the challenge using the server-side public key
- User sends back the random number signed using his client-side private key (aka. proposal) (request)
- Server decrypts the proposal and check whether it corresponds to the current challenge
- Server authenticate the user (using whether JWT, session token,...) and removes the current random number from the user entity (response)
- User sends a logging out request or time out
- Server removes the potentially generated random number and invalidate the session or JWT token
Stocking password through USB can be achieved through various methods :
When using the web app, JavaScript can access to USB devices.
Therefore, it is possible to stock the following login information object on it, encrypted with a master password.
{
"url": "",
"username": "",
"clientSidePublicKey": "",
"clientSidePrivateKey": "",
"serverSidePrivateKey": "",
"jwtToken": ""
}The idea is the same than USB stick, but we may have the flexibility of a web based keyring but the drawback of having a master password transiting over the network.
{
"username": "toto",
"clientSidePublicKey": "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJJQ3ahZbtYrtbhzSFc2vDB8z8egbMFppN1V2QtAjTjpcmXoPpH+3c48GSFpHtummTxXacJ8KIuDx7H19DMaEYMCAwEAAQ=="
}
{
"serverSidePublicKey": "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKkOup/LJq0PhhNUYhlZ5dqVa7+OUzTFAbhbehwK+xFhICtv8kfuyHsbUBa69WnoPFGGkeM9j3Q3QUcQn9AriAECAwEAAQ=="
}
Simple GET request
{
"challenge": "TMfAneTMmUWer5AWomzUS+sDEN++1hW//uzaixwXG3WzBV+CGn8RQjPhjDqWi9O0pVfOygN/s9UFJTZUQxdEiw=="
}
{
"proposal": "b49Tw3ZOB+ztsUNJmltj0fUtBIufoWFBGAzXX3e/CTmhjTlxlrNeVogqVlDaLY1VuxfwJAdHYOTEtJs3MOps3A=="
}
{
"jwtToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6InRvdG8iLCJqdGkiOiIyYzVlZjk1NC01YTMxLTQ5MjgtYTY0ZS1hNjk4ZDZkZTcxYTgiLCJpYXQiOjE1NDc4MDU4NjEsImV4cCI6MTU0NzgwOTUyNn0.UPH5PeGrwnuW3UO41iaESQgQ2Bd9D4xPePuSTEhpYsY"
}