The most common authentication method on the web is the use of passwords.
The security of all of these systems relies on the security policies of
remote sites to protect their users' credentials.
Please try out our demonstration but be aware that this is not a production system, that registrations persist for an hour and the user database is available for anyone to download*.
*It is our contention that a breached OPAQUE user database cannot divulge passwords.
When (not if) a service experiences a data breach, and user credentials are
exposed, attackers can use those details to impersonate the affected users.
The success of the attacker depends on two common premises: users tend to
reuse passwords across services, and servers often lack good practices for
password storage.
A better approach is to allow users to authenticate with a password
that never leaves their computing device. Together with the Cloudflare Blog
posts and the OPAQUE draft standard process, we would like to maintain
momentum towards this goal. The opaque-ts open-source library used in this
demo is self-contained and ready for use by servers and clients.
OPAQUE is a protocol that allows users to store secrets for
safekeeping on a server, without giving the server access to those
secrets. Instead of storing a traditional salted password hash,
the server stores a secret envelope that is locked by two pieces of
information: the password known only by the user, and a secret key
known only by the server. To log in, the client initiates a
cryptographic key exchange that reveals the envelope key only to the
user, but not to the server.
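As an added illustration (not code from this demo or from opaque-ts), here is the OPRF step that gives OPAQUE this property, in Python: the client blinds a hash of the password, the server raises the blinded value to its secret key without ever seeing the password, and the client unblinds the result into the envelope key. Assumed stand-ins: a quadratic-residue group modulo a freshly generated 256-bit safe prime in place of the elliptic curve the real protocol uses, and function names of my own choosing; the envelope encryption and the final key exchange are not shown.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; callers here only pass odd candidates of 255+ bits."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

# Constructed stand-in group (assumption): P = 2Q + 1 with P, Q prime, so the
# quadratic residues mod P form a group of prime order Q. Real OPAQUE and
# opaque-ts use an elliptic-curve group instead.
while True:
    Q = secrets.randbits(255) | (1 << 254) | 1
    if is_probable_prime(Q) and is_probable_prime(2 * Q + 1):
        break
P = 2 * Q + 1

def hash_to_group(password: bytes) -> int:
    """Hash the password to an element of the order-Q subgroup (squaring lands in it)."""
    return pow(int.from_bytes(hashlib.sha256(password).digest(), "big") % P, 2, P)

def client_blind(password: bytes):
    """Client: send H(pw)^r for a fresh random r; the server learns nothing about pw."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(hash_to_group(password), r, P)

def server_evaluate(blinded: int, server_key: int) -> int:
    """Server: apply its secret key k to the blinded element only."""
    return pow(blinded, server_key, P)

def client_finalize(password: bytes, r: int, evaluated: int) -> bytes:
    """Client: remove r (leaving H(pw)^k) and derive the envelope key from it."""
    unblinded = pow(evaluated, pow(r, -1, Q), P)
    return hashlib.sha256(password + unblinded.to_bytes(32, "big")).digest()

def derive_envelope_key(password: bytes, server_key: int) -> bytes:
    """One full OPRF round trip; the same (pw, k) pair always yields the same key."""
    r, blinded = client_blind(password)
    return client_finalize(password, r, server_evaluate(blinded, server_key))
```

Without the server's key k, the stored value H(pw)^k cannot be recomputed from a password guess, which is why the server key and the password are both needed to open the envelope.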