Uniauth

Easy-to-use abstraction over authentication.

How it works

1. Application tells the server of a requested action (for example, to log in) and asks for a nonce.
2. Server issues a nonce which will never be used again.
3. Application tells the user's local uniauth daemon to sign a challenge using the nonce, service name and username.
4. User authenticates/authorizes the action.
5. Daemon signs the challenge and response is sent from the application to the server.
6. Server verifies the challenge against the user's key(s).

Server

Servers only store public keys, if/when the server is compromised the attacker cannot do anything with them.

Daemon

Uniauth daemons can do anything, from being completely autonomous to using a hardware authenticator.

Signature Algorithms

The application-daemon protocol supports any algorithm with signatures and keys under 65516 bytes long.

Currently Ed25519 and CRYSTALS-Dilithium3 are supported, Ed25519 has tiny signatures and keys, but Dilithium3 is post-quantum safe.