Board: Project Development

New approach to user authorization, 100% anonymous, secure and easy?
by romario on 16/05/2014, 10:49:32 UTC
Hey guys!

We are now working on some sort of an authorization solution, which we wish to be anonymous, secure and convenient at the same time. We gave up classic email/password scheme and came up with login + 2FA one-time-passwords (via Google Authenticator, Authy, Duo Mobile, HDE OTP etc).

What we currently have is:

1. The user is offered to create a login (limited to A-Z, 0-9), which is (along with some random params) then hashed into some secret key.
2. Using the login and secret key, via another crypto-algorithm we generate a QR code which the user scans with his 2FA app on a mobile device, and after successful verification we let him in.
3. To log in later, he enters the login and a 2FA one-time-password generated on the mobile device.
4. Since no email is provided and the secret key is the only way to restore access to the account, the user is offered to back up the secret key via email, SMS, print it, etc.

If the user wants to use 2FA on another device, he can easily link it in the account.
If the user thinks his account might be compromised (mobile device stolen or lost), he can easily re-generate his secret key in the account and re-link the mobile device.
To prevent brute force, login is blocked for 60 seconds after three unsuccessful attempts, regardless of the IP.
There's also the possibility of allowing logging in with the secret key only, in case 2FA is inaccessible.
The secret key is stored encrypted. The website uses SSL.

PROS
100% anonymous and very secure
No email/password required
2FA one-time-password is changed every 30 sec

CONS
2FA authorization is required every time to log in
If the mobile device is hacked or stolen, the account could be compromised, as the secret key is stored locally on the device (unless a new secret is generated in the account)
If the secret is lost, the account is not accessible

What do you think?
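A server-side sketch of the scheme described in the post (the otpauth URI the QR code would carry, the TOTP check, and the "three failures, then 60 seconds locked regardless of IP" rule), added here as an example and not the OP's code; the issuer name, the 20-byte secret size and the one-step clock-skew window are assumptions.

```python
import base64, hashlib, hmac, os, struct, time

# Constructed example (not the OP's code): RFC 6238 TOTP (HMAC-SHA1, 30 s step,
# 6 digits, as Google Authenticator expects) plus the OP's lockout rule.

def make_secret(nbytes=20):
    # Must come from a CSPRNG; the login is public, so it cannot be the secret.
    return base64.b32encode(os.urandom(nbytes)).decode().rstrip("=")

def otpauth_uri(login, secret, issuer="ExampleSite"):
    # The text the enrollment QR code encodes for the 2FA app to scan.
    return (f"otpauth://totp/{issuer}:{login}?secret={secret}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")

def totp(secret, t, period=30, digits=6):
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    mac = hmac.new(key, struct.pack(">Q", int(t // period)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class Authenticator:
    MAX_FAILS, LOCK_SECONDS, SKEW_STEPS = 3, 60, 1   # three failures -> 60 s lock
    def __init__(self):
        self.accounts = {}  # login -> secret (stored encrypted at rest in practice)
        self.fails = {}     # login -> (failure count, locked-until timestamp)

    def enroll(self, login):
        secret = make_secret()
        self.accounts[login] = secret
        return otpauth_uri(login, secret)

    def verify(self, login, code, now=None):
        now = time.time() if now is None else now
        count, until = self.fails.get(login, (0, 0))
        if now < until:
            return "locked"  # rejected before the code is even checked
        if until:            # an earlier lock has expired: count afresh
            count = 0
        secret = self.accounts.get(login)
        # Accept the current step and one either side for clock skew; compare_digest is constant-time.
        ok = secret is not None and any(
            hmac.compare_digest(totp(secret, now + d * 30), code)
            for d in range(-self.SKEW_STEPS, self.SKEW_STEPS + 1))
        if ok:
            self.fails.pop(login, None)
            return "ok"
        count += 1
        self.fails[login] = (count, now + self.LOCK_SECONDS if count >= self.MAX_FAILS else 0)
        return "bad"
```

The lock is keyed on the login alone, so, as the post says, it applies regardless of source IP; the flip side is that anyone who knows a login can keep it locked, which is the trade-off to weigh against per-IP limiting.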