Uniauth
Easy-to-use abstraction over authentication.
How it works
- Application tells the server which action it wants to perform (for example, log in) and asks for a nonce.
- Server issues a fresh random nonce and records it; a nonce is accepted at most once and is never reissued.
- Application asks the user's local uniauth daemon to sign a challenge built from the nonce, the service name and the username.
- User authenticates to the daemon and authorizes the action.
- Daemon signs the challenge and returns the signature to the application, which forwards it to the server.
- Server checks that the nonce is still outstanding, consumes it, and verifies the signature over the challenge against the user's registered public key(s).
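The exchange above, as an added example that is not part of the Uniauth project: both sides are in one process so the flow can be traced end to end. The service name `example.test`, the user `alice`, the action string `login`, and the challenge encoding (each field prefixed with a 16-bit length) are assumptions for illustration; the daemon's `approve` hook stands in for the user authorizing the action. The server keeps only public keys and a set of outstanding nonces, and it consumes a nonce before checking the signature so a replayed or tampered response cannot be retried.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// encodeChallenge builds the bytes the daemon signs. Each field carries a
// 16-bit big-endian length prefix (assumed encoding) so fields cannot be
// shifted into one another and large values still fit.
func encodeChallenge(nonce []byte, service, username string) []byte {
	var out []byte
	for _, f := range [][]byte{nonce, []byte(service), []byte(username)} {
		out = append(out, byte(len(f)>>8), byte(len(f)))
		out = append(out, f...)
	}
	return out
}

// Server stores only public keys plus the nonces it has issued and not yet consumed.
type Server struct {
	mu      sync.Mutex
	service string
	keys    map[string][]ed25519.PublicKey // username -> registered public keys
	pending map[string]string              // hex(nonce) -> action it was issued for
}

func NewServer(service string) *Server {
	return &Server{service: service, keys: map[string][]ed25519.PublicKey{}, pending: map[string]string{}}
}

func (s *Server) Register(username string, pub ed25519.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.keys[username] = append(s.keys[username], pub)
}

// IssueNonce: 32 random bytes, recorded once, bound to the requested action.
func (s *Server) IssueNonce(action string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[hex.EncodeToString(nonce)] = action
	return nonce, nil
}

// Verify consumes the nonce first (single use, even on failure), then checks
// the action it was issued for and the signature against every key the user has.
func (s *Server) Verify(username, action string, nonce, sig []byte) error {
	s.mu.Lock()
	key := hex.EncodeToString(nonce)
	want, ok := s.pending[key]
	delete(s.pending, key)
	pubs := s.keys[username]
	s.mu.Unlock()
	if !ok {
		return errors.New("unknown or already-used nonce")
	}
	if want != action {
		return errors.New("nonce was issued for a different action")
	}
	challenge := encodeChallenge(nonce, s.service, username)
	for _, pub := range pubs {
		if ed25519.Verify(pub, challenge, sig) {
			return nil
		}
	}
	return errors.New("signature does not match any registered key")
}

// Daemon holds the private key; approve stands in for the user authorizing the action.
type Daemon struct {
	priv    ed25519.PrivateKey
	approve func(service, username string) bool
}

func (d *Daemon) Sign(nonce []byte, service, username string) ([]byte, error) {
	if !d.approve(service, username) {
		return nil, errors.New("user declined")
	}
	return ed25519.Sign(d.priv, encodeChallenge(nonce, service, username)), nil
}

// Login drives the whole flow from the application's point of view.
func Login(s *Server, d *Daemon, username string) error {
	nonce, err := s.IssueNonce("login")
	if err != nil {
		return err
	}
	sig, err := d.Sign(nonce, s.service, username)
	if err != nil {
		return err
	}
	return s.Verify(username, "login", nonce, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer("example.test")
	srv.Register("alice", pub)
	d := &Daemon{priv: priv, approve: func(string, string) bool { return true }}
	fmt.Println("login:", Login(srv, d, "alice"))
	nonce, _ := srv.IssueNonce("login")
	sig, _ := d.Sign(nonce, srv.service, "alice")
	fmt.Println("first use:", srv.Verify("alice", "login", nonce, sig))
	fmt.Println("replay:", srv.Verify("alice", "login", nonce, sig))
}
```

Because the service name is part of the signed challenge, a signature obtained for one service is useless against another, and because the server binds each nonce to the action it was requested for, a nonce obtained for a harmless action cannot be spent on a sensitive one.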
Server
Servers store only public keys, so a compromised server yields nothing an attacker can use to impersonate users: public keys cannot produce signatures. What the server must protect is the integrity of the key registrations, not their secrecy.
Daemon
A uniauth daemon is free to decide how the key is held and how the user authorizes a request: it may sign completely autonomously without prompting, or require a hardware authenticator for every signature.
Signature Algorithms
The application-daemon protocol supports any signature algorithm whose signatures are shorter than 256 bytes; currently only ed25519 is implemented.
Keys should be serialized with 16-bit length prefixes so that large keys, such as RSA public keys whose size exceeds a single-byte length field, can be carried by the same encoding.