Stateless-Passwordless Authentication using Cryptography

submitted by
Style Pass
2022-06-22 23:00:05

Say you want to ensure a user has access to a given email address (or phone number) on the device from which they are trying to access your service. This is handy in a number of circumstances, but the more interesting question is: can you authenticate the user without using a database?

The first step is collecting the contact information from the user, most likely through a login box. You may also want to collect other parameters, such as a redirect URL to send the user to once they are successfully authenticated.

At this point, we generate some secret bits (such as a GUIDv4) and derive an ed25519 EdDSA key pair from that secret. Finally, we sign the endpoint address (i.e., the email address) together with any other information you want bound to the login, such as a CSRF token. The code might look something like this:

At this point, you contact the user with a URL that contains the secret. Since a GUIDv4 isn’t very user-friendly, you can also map it through a word list to produce a mnemonic passphrase that the user can type in to authenticate instead.
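The signing and verification steps described above, together with the word-list passphrase, as an added example in Go that is not code from the original post. It assumes several things the page does not state: the 128-bit secret is stretched to the 32-byte seed ed25519 needs by hashing it with SHA-256; the signature and the fields it covers stay on the requesting device (for instance in a cookie) while only the secret travels to the email address; and on the callback the server re-derives the key from the presented secret and verifies the device's copy of the fields, so nothing is stored server-side. The email address, CSRF value and the 16-word list are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// NewSecret returns 16 random bytes, the same amount of entropy as a GUIDv4.
func NewSecret() ([]byte, error) {
	s := make([]byte, 16)
	if _, err := rand.Read(s); err != nil {
		return nil, err
	}
	return s, nil
}

// keyFromSecret derives the ed25519 signing key deterministically from the
// secret. Assumption (not from the page): the secret is stretched to the
// 32-byte seed with SHA-256, so the same secret always yields the same key.
func keyFromSecret(secret []byte) ed25519.PrivateKey {
	seed := sha256.Sum256(secret)
	return ed25519.NewKeyFromSeed(seed[:])
}

// message encodes the signed fields with a 4-byte length prefix each, so that
// ("ab","c") and ("a","bc") cannot produce the same bytes.
func message(fields ...string) []byte {
	var out []byte
	for _, f := range fields {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(f)))
		out = append(out, l[:]...)
		out = append(out, f...)
	}
	return out
}

// IssueToken signs the email address and CSRF token under the key derived
// from secret and returns the hex signature. The signature (with the fields)
// stays with the device; only the secret is sent to the email address.
func IssueToken(secret []byte, email, csrf string) string {
	return hex.EncodeToString(ed25519.Sign(keyFromSecret(secret), message(email, csrf)))
}

// VerifyToken re-derives the key from the secret presented in the callback
// and checks that the fields the device presents were signed under it.
func VerifyToken(secret []byte, email, csrf, sigHex string) bool {
	sig, err := hex.DecodeString(sigHex)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	pub := keyFromSecret(secret).Public().(ed25519.PublicKey)
	return ed25519.Verify(pub, message(email, csrf), sig)
}

// mnemonicWords is a constructed 16-entry list used only to show the idea:
// each word carries 4 bits. A real deployment would use a much larger
// published list so the passphrase stays short.
var mnemonicWords = []string{
	"apple", "bread", "cloud", "delta", "eagle", "flame", "grape", "honey",
	"igloo", "jelly", "koala", "lemon", "mango", "night", "ocean", "piano",
}

// Mnemonic renders the secret as words the user can type instead of a URL.
func Mnemonic(secret []byte) string {
	words := make([]string, 0, 2*len(secret))
	for _, b := range secret {
		words = append(words, mnemonicWords[b>>4], mnemonicWords[b&0x0f])
	}
	return strings.Join(words, " ")
}

// SecretFromMnemonic reverses Mnemonic; an unknown word or an odd word count
// means the passphrase was mistyped and the caller should reject it.
func SecretFromMnemonic(phrase string) ([]byte, bool) {
	words := strings.Fields(phrase)
	if len(words) == 0 || len(words)%2 != 0 {
		return nil, false
	}
	index := make(map[string]byte, len(mnemonicWords))
	for i, w := range mnemonicWords {
		index[w] = byte(i)
	}
	out := make([]byte, 0, len(words)/2)
	for i := 0; i < len(words); i += 2 {
		hi, ok1 := index[strings.ToLower(words[i])]
		lo, ok2 := index[strings.ToLower(words[i+1])]
		if !ok1 || !ok2 {
			return nil, false
		}
		out = append(out, hi<<4|lo)
	}
	return out, true
}

func main() {
	secret, err := NewSecret()
	if err != nil {
		panic(err)
	}
	email, csrf := "user@example.com", "csrf-for-this-session" // constructed
	sig := IssueToken(secret, email, csrf)
	fmt.Println("send to email (URL form):", hex.EncodeToString(secret))
	fmt.Println("send to email (passphrase):", Mnemonic(secret))
	fmt.Println("keep on device:", sig)
	fmt.Println("valid:", VerifyToken(secret, email, csrf, sig))
	fmt.Println("wrong email:", VerifyToken(secret, "other@example.com", csrf, sig))
}
```

Because the server keeps no state, the strength of the check rests on the secret's entropy and on the signed fields being bound to the device that started the login: a secret presented without the matching signature, or with a signature over a different email or CSRF value, fails verification, and a mistyped passphrase is rejected before any key is derived.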