jrjr / paw.js

Licence: BSD-2-Clause license

Passwordless Authentication Wallet (PAW)

PAW.js is key-based authentication for the web. The library helps manage identities, their associated public/private keypairs, and signing operations in the browser. The goal is to solve a few problems:

Password reuse

Have you ever reused a password? Has an account of yours ever been compromised in a data breach?

PAW.js generates a new keypair for each account/identity, so there's no need for concern if a service is compromised: each key is unique to that service, and the service stores only the user's public key fingerprint.

Convenience and UX

Signup page password policies are often a poor experience. Login flows aren't much better when you have to remember the unique credentials you signed up with. You could use a password manager for this, but good luck with the mobile experience.

With PAW, users and organizations no longer have to deal with password complexity rules/policies. The UX is simply two clicks to login or signup. That's it.

Phishing

Not aware that you've been sent to the wrong site? Not to worry with PAW, because it relies on the origin the browser attaches to every postMessage, which the sender cannot forge.

In PAW, identities are separated by origin. This means that if the user visited malicious phishing site A and it asked the user to authenticate using PAW, PAW wouldn't load site B's keypairs, because site A cannot forge the origin the browser attaches to its postMessage authentication request. Therefore, the user can't be tricked into signing in with any of site B's accounts.
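As an added illustration of the origin separation described above (this is example code, not paw.js internals; the store layout, function names and sample origins are assumptions), a wallet-side handler that looks identities up by the browser-supplied event.origin, plus the matching check a web app should make on the reply:

```javascript
// Added example, not paw.js code. Shows identity lookup keyed by the origin
// the browser attaches to a postMessage event. Store layout, function names
// and sample data are constructed for this illustration.

// Constructed sample store: origin -> identities registered for that origin.
// A real wallet would keep this in persistent browser storage, keyed the same way.
const identityStore = new Map([
  ["https://bank.example", [{ id: "alice@bank", fingerprint: "SHA256:aa11..." }]],
  ["https://forum.example", [{ id: "alice-forum", fingerprint: "SHA256:bb22..." }]],
]);

// The only request the wallet honours (the hello message the web app sends).
const AUTH_REQUEST = "PAW_auth";

// Resolve the identities a requesting window is allowed to see. `origin` must
// come from event.origin, which the browser sets and the sender cannot forge,
// never from anything inside the message body.
function identitiesForOrigin(store, origin) {
  return store.get(origin) || [];
}

// Decide how to answer one incoming message event. Returns a plain result
// object instead of acting on the DOM so the logic can be exercised outside a browser.
function handleAuthRequest(store, event) {
  // The message body is untrusted input; only the exact request string is honoured.
  if (event.data !== AUTH_REQUEST) {
    return { accepted: false, reason: "unexpected message" };
  }
  // Opaque origins ("null", e.g. sandboxed frames or file://) get no identities.
  if (typeof event.origin !== "string" || event.origin === "null") {
    return { accepted: false, reason: "opaque origin" };
  }
  const ids = identitiesForOrigin(store, event.origin);
  return {
    accepted: true,
    origin: event.origin,
    identities: ids.map((i) => i.id),
    // Replies are addressed to the requester's origin, never "*", so the
    // answer cannot be delivered to a document on some other origin.
    replyTargetOrigin: event.origin,
  };
}

// A phishing site can put anything it likes in the message body, but
// event.origin is still its own origin, so it only sees its own (empty) list.
function phishingAttemptSeesNothing(store) {
  const fakeEvent = {
    origin: "https://bank.example.phish.test", // the attacker's real origin (constructed)
    data: AUTH_REQUEST,
  };
  return handleAuthRequest(store, fakeEvent);
}

// Web-app side: accept a wallet reply only if the browser attributes it to the
// wallet origin AND it comes from the very window the app opened, so another
// frame on the wallet origin cannot inject a result.
function acceptWalletReply(event, walletOrigin, walletWindow) {
  return event.origin === walletOrigin && event.source === walletWindow;
}
```

The decisive point is that `event.origin` is read from the event object, not from the payload: a sender can lie in `event.data`, but the browser fills in `event.origin` itself.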

Why

Because I or someone I know has been affected by each of these problems in one way or another, and I think they should've been solved by now.

How it works

[Figure: flow diagram]

How to use

Host PAW on a separate origin (preferably serving static assets only) or use an existing PAW instance. The most secure option is to run PAW on a localhost origin. See below for some examples.

Your webapp

var walletwindow;
var wallet = "http://localhost:8000"; // origin of the PAW instance

function showlogin() {
  walletwindow = window.open(wallet);

  // Retry the hello message until the wallet window accepts it.
  var myinterval = setInterval(function () {
    console.log("trying to send hello");
    try {
      // targetOrigin is the wallet origin, never "*"
      walletwindow.postMessage("PAW_auth", wallet);
      clearInterval(myinterval);
    }
    catch (err) {
      console.log(err);
    }
  }, 600);

  window.addEventListener("message", messagehandler);
}

function messagehandler(message) {
  console.log(message.source);
  console.log(message.origin);
  console.log(message.data);

  // Only act on replies the browser attributes to the wallet origin.
  if (message.origin === wallet) {
    // send it to the web app backend to validate
    fetch(window.origin + "/auth", {
      body: JSON.stringify(message.data), // must match 'Content-Type' header
      cache: 'no-cache', // no-cache, reload, force-cache, only-if-cached
      credentials: 'same-origin',
      headers: {
        'content-type': 'application/json'
      },
      method: 'POST',
    }).then(function(response) {
      console.log(response);
      window.location.reload();
    }).catch(function(error) {
      console.log('There has been a problem with your fetch operation: ', error.message);
    });
    // Stop listening once the wallet has answered; a message from any other
    // origin must not remove the listener before the wallet's reply arrives.
    window.removeEventListener("message", messagehandler);
  }
}

Your custom PAW origin

Init

// messagecb: your callback for authentication requests that arrive from the requesting web app
window.paw = new PAW(messagecb, {debug: false});

Signup

// <identity> is the label of the identity to create for the requesting origin
window.paw.create(<identity>, function(ids) {
  console.log("new identity created: " + ids);
  // sign the signup message with the new identity's private key
  window.paw.sign_for_operation("signup", <identity>, function (postbackmessage) {
    // post the signed message back to the requesting web app
    window.paw.send(postbackmessage, function (err, errmsg) {
      if (!err) {
        console.log("status is good");
        window.close();
      }
    });
  });
});

Get all identities for the requesting origin

window.paw.get_identities(function(event) {
  console.log(event.target.result);
});

Login

window.paw.sign_for_operation("login", <identity>, function (postbackmessage) {
  window.paw.send(postbackmessage, function (err, errmsg) {
    if (!err) {
      console.log("status is good");
      window.close();
    }
  });
});

FAQ

Miss your password?

Currently, PAW uses webcrypto, which does not support encrypted private keys. Supporting NaCl-based encrypted private keys is on the future roadmap; that would require a password.

What about XSS?

The whole purpose of hosting PAW on a separate origin with only static assets is to mitigate XSS issues. If an XSS were to occur on the web app origin, the impact on the PAW origin would be less severe, since the user would still be required to "approve" a login or signup request by clicking.

Also, since PAW is based on webcrypto, if the PAW origin were somehow affected by XSS, the private keys are non-extractable: an attacker could invoke signing operations with the private keys, but would not be able to read or export them.

Why webcrypto?

It's well supported and has non-extractable keys.

Webcrypto doesn't have the best support for public-key algorithms, so the future roadmap includes an option for NaCl.

Why host on separate origin?

See What about XSS?

Managing keys across multiple devices/browsers?

Most folks have more than one device or use more than one browser.

A couple of options I can think of (I'm sure there's more):

  • PAW via an app that keeps keys synchronized across devices.
  • Extract, copy, then import the keypair.
  • Web app supports multiple keys tied to an account via a key approval process.

It's on the roadmap to support each of these, with example demos.

What would a key reset flow look like?

It should look almost identical to current password reset flows, but instead it's keys.

License

This project is licensed under the BSD License - see the LICENSE file for details
