This is a proposed auth mechanism that embeds a URL + nonce in a QR code, which a smartphone signs and posts back to a server to authenticate the user. A single master key in the phone reproducibly generates a private and public key per hostname. The server uses the pubkey as the user ID and checks the signature. If the sig validates, that pubkey either already exists as a user on the server, or a new user record is created. Presumably the server then posts back to the desktop browser (websocket? long poll?) to move it past login once the phone has authenticated to the server.
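To make the round trip concrete, here is the flow above as an added example in Go (my own code, not from the article or the shared post). Assumptions that are mine, not the article's: per-host keys are derived as HMAC-SHA256(master, hostname) used as an Ed25519 seed; the phone signs the whole challenge URL; the URL shape `https://host/login?nonce=...` is made up; and the server keeps nonces single-use and host-bound, which is the check you want so a signed challenge can't be replayed or relayed from another site.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// Phone side: one master key, one keypair per hostname.
// Derivation = HMAC-SHA256(master, hostname) used as the Ed25519 seed.
// This construction is an assumption for the example, not the article's.
func DeriveSiteKey(master []byte, host string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(host))
	seed := mac.Sum(nil) // 32 bytes, exactly ed25519.SeedSize
	return ed25519.NewKeyFromSeed(seed)
}

// SignChallenge is what the phone does after scanning the QR code: derive the
// key for the host named in the URL and sign the whole URL (nonce included).
func SignChallenge(master []byte, challengeURL string) (ed25519.PublicKey, []byte, error) {
	u, err := url.Parse(challengeURL)
	if err != nil {
		return nil, nil, err
	}
	priv := DeriveSiteKey(master, u.Hostname())
	sig := ed25519.Sign(priv, []byte(challengeURL))
	return priv.Public().(ed25519.PublicKey), sig, nil
}

// Server side.
type Server struct {
	host    string
	pending map[string]bool   // nonce -> issued and not yet consumed
	users   map[string]string // hex(pubkey) -> user record (a label here)
}

func NewServer(host string) *Server {
	return &Server{host: host, pending: map[string]bool{}, users: map[string]string{}}
}

// NewChallenge mints the URL that goes into the QR code. In a real deployment
// you would also tie the nonce to the browser session that displayed it, so
// the server knows which desktop session to move past login.
func (s *Server) NewChallenge() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(b[:])
	s.pending[nonce] = true
	return fmt.Sprintf("https://%s/login?nonce=%s", s.host, nonce), nil
}

// Login is the POST the phone makes. It returns the user ID (hex pubkey)
// and whether a new user record was created on this login.
func (s *Server) Login(challengeURL string, pub ed25519.PublicKey, sig []byte) (string, bool, error) {
	u, err := url.Parse(challengeURL)
	if err != nil {
		return "", false, err
	}
	// The challenge must be ours: our host, and a nonce we issued and haven't consumed.
	if u.Hostname() != s.host {
		return "", false, errors.New("challenge is for a different host")
	}
	nonce := u.Query().Get("nonce")
	if !s.pending[nonce] {
		return "", false, errors.New("unknown or already used nonce")
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, []byte(challengeURL), sig) {
		return "", false, errors.New("bad signature")
	}
	delete(s.pending, nonce) // single use: a replay of this POST now fails above
	userID := hex.EncodeToString(pub)
	if _, ok := s.users[userID]; ok {
		return userID, false, nil
	}
	s.users[userID] = "created at first login"
	return userID, true, nil
}

func main() {
	master := []byte("constructed-32-byte-master-key!!") // constructed sample key
	srv := NewServer("example.com")
	challenge, _ := srv.NewChallenge()
	pub, sig, _ := SignChallenge(master, challenge)
	id, created, err := srv.Login(challenge, pub, sig)
	fmt.Println(id[:16], created, err) // new user
	_, _, err = srv.Login(challenge, pub, sig)
	fmt.Println("replay:", err) // rejected: nonce already consumed
}
```

The user ID is the pubkey itself, so the server never needs a username; the same master key against `other.example` yields an unrelated pubkey, which is the per-site property the post describes. The host check matters because the phone derives its key from the hostname in the scanned URL: a challenge for another site is signed with that site's key and must not be accepted here.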
Pretty cool, and the article addresses many of the obvious criticisms. The advantage is that it uniquely identifies the user without a password or email verification. But the downside vs. a competing system like BrowserID is just that it doesn't have an email attached, so the server may still need to do an email verification if the user wants to tie a global identity to the per-site pubkey.
Originally shared by Abraham Williams