by _8j50
1576 days ago
I've had similar ideas. A few suggestions:

- sign a challenge instead of a timestamp
- Make it effortless by using the FileSystem api to permanently point to a specific file on the device (until they move it)
- Use webcrypto to do the signing in-browser
- You can store a master private key that certifies new devices and can revoke old keys on the user's behalf, or have them agree to generate one and store it off like (usb, etc... pw encrypted)
- what makes this better than using mutual TLS auth?

I know I posted late, hope you see this OP.
Author's solution adds some auth replay protection, compared to what I use. But that's very little additional protection against threats that would be hardly a problem in practice for me. I just use TLS to protect the auth interaction (so who's going to capture the credentials?).
Most importantly, passwords actually work almost everywhere.