In early June, Sakurity employee Yegor Khomyakov (Egor Homakov) published a post about SecureLogin, a technology he created as a replacement for password authentication. Although Egor almost certainly speaks and writes Russian very well, we could not find a Russian-language version and decided to translate the original article. The result is under the cut.
Today I am proud to introduce SecureLogin Authentication Protocol 1.0, which I have been working on for the last three years.
No, this is not a password manager. Yes, this is another attempt to replace passwords, and for everyone, not just geeks.
By the way, I am not proud of the native applications and implementations: they were only a small part of the work, amounting to no more than a few thousand lines of code.

I am proud of having designed the most balanced protocol, one that, as a security specialist, I sincerely recommend.
This balance rests on three principles.
No third party should be able to log in to your account from anywhere: neither the telephone carrier that leaks your SMS codes, nor the email provider that resets your passwords, nor Facebook Connect / Google OAuth, which hands your access_token to someone else, nor governments and hackers, who in one way or another get in through the services listed above. Only your personal device should be able to authenticate requests for your account.
Seemingly more attractive "2FA as a service" providers such as Authy or Duo do not meet the definition of end-2-end-decentralized either, since they are centralized services that confirm requests on the user's behalf. By and large, this is just another implementation of the "confirm via a link in an email" mechanism.
Today, truly secure authentication can be achieved with TOTP (for example, Google Authenticator) or with a USB key such as U2F.
Both approaches require manual steps, so almost no one uses them.
Working with them is very inconvenient. In the first case you have to write backup codes down on paper (which I never did), and the second is supported by almost no one. Their adoption is therefore extremely low.
It's time to talk about the second principle on which SecureLogin is based.

Demonstration of the user interface for the desktop and mobile applications
This is very similar to Facebook Connect (minus the dependence on Facebook's servers): you click the Login button, the application opens, you confirm the request, and that's it.
No fuss with hardware keys, one-time passwords, waiting for an email or SMS, pulling the phone out of your pocket, scanning QR codes, and so on.
This is as simple as authentication can get.
To satisfy this principle, SecureLogin is deterministic and purely software-based. It is ready to serve four billion people tomorrow morning, and there is no single point of failure that could prevent that.
There are no backups to worry about, because there is nothing to back up: your private key is derived from your own master password. SecureLogin's servers cannot corrupt a production database, because no such database exists. The system works offline.
There is no hardware to buy. Applications for iOS, Android, macOS, Windows and Linux have been written, and you can always use the web client.
The protocol is completely free, and the code for all clients is open. You never have to pay anything to use the system.
The protocol API is so simple that there is no need for SDK libraries at all: 20 lines of JS on the client, 50 lines on the server.
If you are looking for an idea for an open-source project, consider implementing a SecureLogin plugin for your favorite CMS. Email me to join our Slack.
By the way, early adopters of SecureLogin can get a free security audit.
If you have questions, I would be happy to answer them on Twitter! But first look for the answer in the FAQ: 90% of the questions are repeats.
Note that SecureLogin was never conceived as the most secure solution covering every edge case (although Doublesign functionality is planned for version 2.0), nor as the most convenient one (Facebook Connect is unlikely to be surpassed; it is simply too convenient). That is the whole point of balance.
References:
Source: https://habr.com/ru/post/331676/