Yesterday, BitPay released the source code to BitAuth, a decentralized authentication protocol replacing username/password keys and client-side SSL certificates with cryptographically generated keys created by the same elliptic-curve method used by the Bitcoin protocol. From the users’ perspective, authentications would work the same as they do now, requiring a user name and password combination on their machine, but the underlying mechanisms function in a dramatically more secure way.
Following a general roadmap outlined by Bitcoin Core developer Jeff Garzik, BitAuth’s client-side software generates an authentication keypair called a System Identification Number, or SIN. Just as in the Bitcoin protocol, the SIN keypair is composed of a public and private key, allowing any system to use the public key, but requiring a signature produced with the client’s private key to authenticate the connection. Actual passwords and private keys never leave the client machine.
Because no passwords are ever stored on a server-side machine, even a completely compromised merchant database couldn’t reveal authentication information. While some low-level account details could still be gleaned, a hacker wouldn’t be able to gain access to any part of an account requiring a login. This could remove a huge security burden for online merchants, and eventually even brick-and-mortar retailers.
Given the decentralized nature of the BitAuth protocol, users’ accounts can be shared across networks easily. Much like the current trend of validating user data through Facebook’s authentication system, a BitAuth-based system could be used to verify identity from the client-side machine, with the public key tying the related accounts together. As BitPay explains it: “Identity becomes portable — the same identity can be used on multiple services, letting you take your identity with you.”
Although functional, BitAuth is still in the early stages of development. Interested developers can check out the code on GitHub.