Uniauth

Easy-to-use abstraction over authentication.

How it works

  1. The application tells the server which action it wants to perform (for example, log in) and asks for a nonce.
  2. The server issues a nonce that will never be used again.
  3. The application asks the user's local uniauth daemon to sign a challenge built from the nonce, the service name and the username.
  4. The user authenticates and authorizes the action.
  5. The daemon signs the challenge, and the application sends the response to the server.
  6. The server verifies the signed challenge against the user's key(s).
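The six steps above as an added, self-contained Go example (not code from the Uniauth project): a server that issues single-use nonces and stores only public keys, a fully autonomous daemon that signs the challenge, and verification of the response against every Ed25519 key registered for the user, with a replayed nonce rejected. The challenge framing (16-bit length prefixes on the nonce, service name and username) and all type and function names are this example's assumptions; the page fixes only the three inputs and the signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// challenge is the message the daemon signs: nonce, service name and username, each
// with a 16-bit length prefix so the fields cannot shift into each other (assumed framing).
func challenge(nonce []byte, service, user string) []byte {
	var out []byte
	for _, f := range [][]byte{nonce, []byte(service), []byte(user)} {
		out = append(out, byte(len(f)>>8), byte(len(f)))
		out = append(out, f...)
	}
	return out
}

type Server struct {
	Keys   map[string][]ed25519.PublicKey // username -> registered public keys (no secrets)
	Nonces map[string]bool                // nonces issued but not yet consumed
}

// Issue mints a fresh random nonce for one requested action.
func (s *Server) Issue() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil { panic(err) }
	s.Nonces[string(n)] = true
	return n
}

// Verify consumes the nonce first (a replayed response fails even with a valid signature),
// then accepts if any key registered for the user signed the reconstructed challenge.
func (s *Server) Verify(nonce []byte, service, user string, sig []byte) error {
	if !s.Nonces[string(nonce)] {
		return errors.New("unknown or already-used nonce")
	}
	delete(s.Nonces, string(nonce))
	msg := challenge(nonce, service, user)
	for _, pk := range s.Keys[user] {
		if ed25519.Verify(pk, msg, sig) {
			return nil
		}
	}
	return errors.New("no registered key verifies the signature")
}

// DaemonSign models a fully autonomous daemon: it signs without prompting the user.
func DaemonSign(priv ed25519.PrivateKey, nonce []byte, service, user string) []byte {
	return ed25519.Sign(priv, challenge(nonce, service, user))
}
```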

Server

Servers store only public keys, so if the server is compromised the attacker gains nothing usable from them.

Daemon

A uniauth daemon can be implemented in any way, from a completely autonomous signer to one backed by a hardware authenticator.

Signature Algorithms

The application-daemon protocol supports any algorithm whose signatures are under 256 bytes long, but currently only ed25519 is implemented.

It is advisable to serialize keys with 16-bit length fields, for future compatibility with large keys such as RSA keys.