SecureLogin — Forget About Passwords
Today I’m proud to announce the release of something I’ve been working on for the past 3 years: SecureLogin Authentication Protocol 1.0.
No, it is not a password manager. Yes, it is yet another password replacement. For everyone, not just for the geeks.
I’m proud not of the native app or the implementations — that was a very tiny part of the job and amounts to just a few thousand LOC at most.
I’m proud of finding the most balanced protocol that I can wholeheartedly recommend to implement as a security expert.
This balance is based on 3 principles:
Decentralization
No 3rd party should be able to log into your account anywhere. Not a telecom provider leaking your SMS codes, not an email provider resetting your passwords, not Facebook Connect/Google OAuth issuing your access_token to someone else. Nor governments or hackers forcing them to do so. Only your own device should be able to authenticate requests for your account.
The nicer looking “2FA as a service” like Authy or Duo are not end-2-end decentralization — those work like typical central authorities and confirm requests on behalf of the user. Basically it’s another way to implement “confirm by email link”.
Currently the only way to have safe authentication is to either enable TOTP (like Google Authenticator) or use a USB key like U2F.
Both must be set up manually, so practically nobody does it.
They both provide terrible usability. The first asks you to write backup codes down on paper (which I never did); the second is barely supported by anyone. That’s why the penetration rate is ridiculously low.
So here comes the second principle of SecureLogin…
Usability
This is a demo of the UX for desktop and mobile.
This is the equivalent of using Facebook Connect (but without depending on Facebook servers): you click a Login button, an app is opened, you confirm your request, and that’s it.
No hassle with hardware devices, one time codes, waiting for an email or SMS to arrive, getting your phone out of pocket, dealing with QR codes, etc.
It’s as usable as authentication can be.
Scalability
This principle is the reason why SecureLogin is deterministic and software based. It is production-ready to be used by four billion people by tomorrow morning, and there’s no single point of failure to stop it.
There are no backups to worry about: your private key is generated from your master password. There’s no way SecureLogin servers can screw up and delete a production database, because they don’t exist. It works completely offline.
There are no hardware pieces to buy. The apps are ready for iOS, Android, macOS, Windows, Linux and you always can simply use the Web based client.
The protocol is entirely free and all clients are open-source. There will never be any charge for using it.
The protocol API is so simple that there is no need for SDK libraries: 20 LOC in JS for the client side, 50 LOC for the server side.
If you’re looking for an open-source project idea, join us and implement a SecureLogin plugin for your favorite CMS. Ping me with your email to join our Slack.
In fact, early adopters can get a Free Security Audit for using SecureLogin.
Questions?
Happy to answer any on Twitter! But please check out the FAQ first, since 90% of questions are the same.
Please bear in mind that it does not aim to be the most secure solution covering all corner cases (but a Doublesign feature is planned for 2.0) or the most usable solution (there is no way to beat Facebook Connect; it’s just too convenient). It’s all about the balance.