by sugarfactory 3793 days ago
What I don't understand about authentication over HTTPS is, though, why not make login a part of the protocol? Wouldn't it be much better to authenticate a user with a public key of the user like in SSH, instead of password authentication over the public key of the server? It'd be more resistant to attacks such as MITM or stealing the private key of the server. If a user can register a password on a website, why does it have to be a password rather than a public key? The only hindrance is the fact that the protocol doesn't support it.

I have no idea why this easy change hasn't been made in the protocol.

3 comments
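The public-key login the post proposes, sketched as an added example (not code from the thread): the server stores only the user's Ed25519 public key, issues a fresh challenge, and verifies a signature over that challenge plus a channel-binding value; the `tls-session-A`/`tls-session-B` strings are constructed stand-ins for a binding value that would really be derived from the TLS session.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Account is the server-side record: only the public key is stored, so a
// leaked user database yields nothing that can be used to log in.
type Account struct {
	PublicKey ed25519.PublicKey
}

// NewChallenge returns a fresh random nonce; a signature is valid for one
// challenge only, which blocks straightforward replay.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// transcript binds the signed message to the nonce and to a channel-binding
// value (assumed to be derived from the TLS session, e.g. a handshake hash).
func transcript(challenge, channelBinding []byte) []byte {
	h := sha256.New()
	h.Write([]byte("client-auth-v1"))
	h.Write(challenge)
	h.Write(channelBinding)
	return h.Sum(nil)
}

// ClientSign runs on the user's machine; the private key never leaves it.
func ClientSign(priv ed25519.PrivateKey, challenge, channelBinding []byte) []byte {
	return ed25519.Sign(priv, transcript(challenge, channelBinding))
}

// ServerVerify checks the proof against the stored key and the server's own
// view of the channel; a proof relayed from another session fails here.
func ServerVerify(acct Account, challenge, channelBinding, sig []byte) bool {
	return ed25519.Verify(acct.PublicKey, transcript(challenge, channelBinding), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ch, _ := NewChallenge()
	sig := ClientSign(priv, ch, []byte("tls-session-A")) // constructed binding
	fmt.Println("direct:", ServerVerify(Account{PublicKey: pub}, ch, []byte("tls-session-A"), sig))
	fmt.Println("relayed:", ServerVerify(Account{PublicKey: pub}, ch, []byte("tls-session-B"), sig))
}
```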

Check out the abandoned Mozilla Persona, and the SRP protocol.

https://developer.mozilla.org/en-US/Persona
http://srp.stanford.edu/whatisit.html

There are sites that can use keys to authenticate. Their usability is miserable.

Key based authentication is difficult for a layman to manage and understand. My mother can memorize a password and use it across computers. Asking her to do the same with a key will be difficult.

There was, fairly recently, a half-hearted attempt to do that in the way of Persona. Unfortunately, neither Mozilla nor any of the other browser vendors implemented it, and the fallback mechanism was very poor UX.