If we can use SSH to log in on servers, why can't we use it to log in on websites?


@yarmo a website could generate a random hex, set a timeout and tell the user to sign it with the SSH key and paste the signature before the timeout expires. One time password.

@epilys precisely. With a bit of tooling around it, could be quite frictionless!

Worth a PoC

@yarmo @epilys so like TOTP without sharing the secret? In fact why doesn’t TOTP work this way already? I think it’s a good question.

force the user to sign the current time with a private key
server verifies using shared public key

That way, the secret can’t be obtained – even if the login server gets hacked.

@mwt @yarmo I was thinking about this process, only with SSH keys instead (see the diagram) webauthn.guide/#authentication

@epilys @yarmo that makes perfect sense, but using the time as the signable data would allow people to use a separate, possibly offline, device to get the codes.

You would want this if you were, for example, logging into a public machine.

@yarmo Ready :)

A bit of a PITA as user experience goes, but that was expected. Piping the sig to xclip is a small improvement.
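The random-hex challenge flow sketched earlier in the thread (site issues a random hex with a deadline, the user signs it with their key, the site verifies against the registered public key and the challenge is used once), as an added example that is neither the thread's nor the PoC's code. Go's standard-library ed25519 stands in for the SSH key and signs the raw nonce rather than producing the SSHSIG envelope that `ssh-keygen -Y sign` would; the clock is injectable so expiry can be exercised.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// One live challenge per user: the random nonce plus its signing deadline.
type challenge struct{ nonce []byte; expires time.Time }

// Server holds registered public keys, the way a site would store SSH keys.
type Server struct {
	Keys    map[string]ed25519.PublicKey
	Pending map[string]challenge
	TTL     time.Duration
	Now     func() time.Time // injectable clock so expiry is testable
}

// Issue generates the random hex the site shows to the user, valid for TTL.
func (s *Server) Issue(user string) (string, error) {
	if _, ok := s.Keys[user]; !ok { return "", errors.New("unknown user") }
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil { return "", err }
	s.Pending[user] = challenge{nonce, s.Now().Add(s.TTL)}
	return hex.EncodeToString(nonce), nil
}

// Verify checks the pasted signature against the stored key. The challenge is
// consumed on first use, pass or fail, so a captured signature cannot be replayed.
func (s *Server) Verify(user, sigHex string) error {
	c, ok := s.Pending[user]
	delete(s.Pending, user)
	if !ok { return errors.New("no pending challenge") }
	if s.Now().After(c.expires) { return errors.New("challenge expired") }
	sig, err := hex.DecodeString(sigHex)
	if err != nil || !ed25519.Verify(s.Keys[user], c.nonce, sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Sign is the client side: what the user's local tooling does with the private key.
func Sign(priv ed25519.PrivateKey, challengeHex string) string {
	nonce, _ := hex.DecodeString(challengeHex)
	return hex.EncodeToString(ed25519.Sign(priv, nonce))
}
```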


chaos.social – a Fediverse instance for & by the Chaos community