Registration
When a user registers, their device generates a public/private key pair and keeps the private key on the device. Only the public key is handed over to the server, which stores it in its database.
The Handshake: Authentication
At login, the server sends the user a “challenge”: a fresh random string to sign. The user’s device signs it with the private key it holds, and the server verifies the signature with the public key it stored at registration.
Why this is better than a password
- Phishing resistance: if you land on a phishing site (say g000gle.com instead of google.com) and it asks you to scan a QR code to sign in, the login fails, because the user’s device holds no private key registered for g000gle.com; the credential is bound to the site it was created for.
- If the server’s database is breached, the only thing exposed is the public key, never the user’s private key, so the leaked data cannot be used to log in as the user.
- There is no password for an attacker to guess: the key is a random value generated by the device, so guessing attacks (e.g. dictionary attacks) do not apply.
