23A/ Passwordless Login: The Keys to Secure Logins

From IIW

Thursday 23A

Convener: Mike Ebert, Sam Curren

Notes-taker(s): Mike Ebert

Tags for the session - technology discussed/ideas considered:

Passwordless login, authentication, authorization, DIDComm

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps

Presentation slide deck:

https://hackmd.io/@TelegramSam/SJWpq3rSF#/

Login workflows (VC = verifiable credential, DID = decentralized identifier):

  • Traditional account signup, VC presentation and link to account, VC presentation every login

  • Traditional account signup, VC presentation and link to account, use DID as authentication

  • Traditional account signup, link to DID, use DID as authentication

  • Connect with DID, VC presentation, create account linked to attributes of VC, VC presentation every login

  • Connect with DID, VC presentation, create account linked to attributes of VC, use DID as authentication

  • Connect with DID, create account linked to DID, use DID as authentication

Description of DID Login

Do we need to establish any new protocol for DID Logins?
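A minimal sketch of the last workflow above (account linked to a DID, DID used as authentication) as a challenge-response exchange, added here as an illustration; it is not code from the session or its slides. It assumes Ed25519 keys, a map standing in for DID resolution, and a constructed message format; the relying-party checks (nonce bound to one DID, short lifetime, single use) are the part to get right.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

type challenge struct{ did string; expires time.Time }

// Server stands in for a relying party; keys is a constructed stand-in for DID resolution (DID -> registered key).
type Server struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string]challenge
}
func NewServer() *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string]challenge{}}
}
// Register: "Connect with DID, create account linked to DID". No password is stored;
// the account is bound only to the DID's public key.
func (s *Server) Register(did string, pub ed25519.PublicKey) { s.keys[did] = pub }
// LoginMessage is what the agent signs: the nonce plus the DID it was issued for,
// so a signature cannot be reused for another DID (constructed format, not a standard).
func LoginMessage(did, nonce string) []byte { return []byte("did-login|" + did + "|" + nonce) }
// Challenge issues a random nonce bound to one DID with a short lifetime.
func (s *Server) Challenge(did string) (string, error) {
	if _, ok := s.keys[did]; !ok {
		return "", errors.New("unknown DID")
	}
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(b)
	s.challenges[nonce] = challenge{did, time.Now().Add(2 * time.Minute)}
	return nonce, nil
}
// Login: "use DID as authentication". The nonce is deleted on first use, even on
// failure, so a captured response cannot be replayed; one generic error avoids
// telling a caller which check (nonce, DID binding, expiry, signature) failed.
func (s *Server) Login(did, nonce string, sig []byte) error {
	c, ok := s.challenges[nonce]
	delete(s.challenges, nonce)
	if !ok || c.did != did || time.Now().After(c.expires) || !ed25519.Verify(s.keys[did], LoginMessage(did, nonce), sig) {
		return errors.New("login rejected")
	}
	return nil
}
```

The agent side is just `ed25519.Sign(priv, LoginMessage(did, nonce))`; the server never receives a secret, which is what removes the password from the flow.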

Benefits of SSI-based passwordless login:

  • So simple!

  • More secure: avoids or eliminates password-based logins

  • Avoids single point of failure

  • Avoids phone home

  • Avoids potential correlation

  • Avoids provider lookup process

(Compare OIDC)

Recovery/Re-proving Ownership:

What is a good basis to re-prove account ownership if you don’t have a traditional account setup?

  • Get a new matching VC (email, SMS, specialized). If the key attributes match, you’re all set.

  • One-time passwords to unlock DID-based accounts if the original agent/connection is lost