I built a website that uses public Ed25519 keys for user authentication (rather than passwords). Users sign the current Unix Epoch time (with the private Ed25519 key) and paste that base64-encoded signature into the login form.
I don't care if the idea succeeds or not; I use it for myself. I like simple, secure things and I feel WebAuthn is too complex.
Cool! I have implemented a similar workflow (certificate signatures as authentication) for some backend processes. No public write-up currently. Certificate-based authentication usage will only increase with time, IMHO.
For extra security, the website should generate an extra nonce to go with the current time, otherwise there's a window where the signature could be reused to log in again (maybe to another site).
A signature cannot be reused. It's only good for 60 seconds and once used may never be re-used because I do not allow that. Register for an account and try to submit the same signature more than once.
I understand replay attacks. I don't allow that to happen.
https://github.com/62726164/ed25519-login
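The server-side check discussed in this thread (a signature over the current Unix time, valid for 60 seconds and accepted only once), sketched in Go as an added example; it is not code from the linked repository. It assumes the signed message is the decimal Unix time string and that the server tries each second in the window; `Verifier`, `Login`, `ErrReplay` and `ErrInvalid` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"sync"
)
var ErrReplay, ErrInvalid = errors.New("signature already used"), errors.New("signature invalid or expired")
// Verifier accepts each signature once, and only while its signed time is fresh.
type Verifier struct {
	mu     sync.Mutex
	window int64            // seconds a signed timestamp stays valid (60 in the thread)
	seen   map[string]int64 // used signature -> last second at which it would still verify
}

// Login assumes the signed message is the decimal Unix time and tries each second in the window.
func (v *Verifier) Login(pub ed25519.PublicKey, sigB64 string, now int64) error {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return ErrInvalid
	}
	v.mu.Lock() // check-and-record must be atomic, or two parallel requests could both pass
	defer v.mu.Unlock()
	for s, last := range v.seen { // forget signatures that are too old to verify anyway
		if last < now {
			delete(v.seen, s)
		}
	}
	if _, used := v.seen[string(sig)]; used {
		return ErrReplay
	}
	for t := now; t >= now-v.window; t-- {
		if ed25519.Verify(pub, []byte(strconv.FormatInt(t, 10)), sig) {
			v.seen[string(sig)] = t + v.window
			return nil
		}
	}
	return ErrInvalid
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte("1700000000")))
	v := &Verifier{window: 60, seen: map[string]int64{}}
	fmt.Println(v.Login(pub, sig, 1700000000), v.Login(pub, sig, 1700000005)) // <nil> signature already used
}
```

The signed message here is only a timestamp, so nothing in it names the site that receives it. The `seen` map lives in one process; several server instances would need a shared store for the single-use check to hold.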