The most common authentication method on the web is the use of passwords.
The security of all of these systems relies on the security policies of
remote sites to protect their users' credentials.
Please try out our demonstration but be aware that this is not a production system, that registrations persist for an hour and the user database is available for anyone to download*.
*It is our contention that a breached OPAQUE user database cannot divulge passwords.
When (not if) a service experiences a data breach, and user credentials are
exposed, attackers can use those details to impersonate the affected users.
The success of the attacker depends on two common premises: users tend to
reuse passwords across services, and servers often lack good practices for
A better approach is to allow users to authenticate with a password
that never leaves their computing device. Together with the Cloudflare Blog
posts and the OPAQUE
process we would like to maintain momentum towards this goal. The
open source library used
in this demo is self-contained and ready for use by servers and clients.
OPAQUE is a protocol that allows users to store secrets for
safekeeping on a server, without giving the server access to those
secrets. Instead of storing a traditional salted password hash,
the server stores a secret envelope that is locked by two pieces of
information: the password known only by the user, and a secret key
known only by the server. To log in, the client initiates a
cryptographic key exchange that reveals the envelope key only to the
user, but not to the server.
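As an added illustration (not code from this demo or its library), the following standard-library-only Python sketch walks through the registration and login flows described above: the client blinds the password, the server applies its secret per-user key, and only the client can unblind the result into the envelope key. The group, hash-to-group mapping and envelope cipher are constructed toy stand-ins, and the protocol's authenticated key exchange is omitted.

```python
import hashlib, hmac, math, secrets
# Constructed toy group (multiplicative group mod a Mersenne prime) so the demo
# runs on the standard library alone; real OPAQUE uses an elliptic-curve OPRF.
P = 2**127 - 1
ORDER = P - 1  # exponents reduce mod P-1, so blinding factors are inverted mod ORDER

def hash_to_group(password: bytes) -> int:  # toy hash-to-group
    return 2 + int.from_bytes(hashlib.sha256(b"oprf:" + password).digest(), "big") % (P - 2)

def blind(password: bytes):
    # Client: hide H(pw) under a fresh exponent r that is invertible mod ORDER.
    while True:
        r = secrets.randbelow(ORDER - 1) + 1
        if math.gcd(r, ORDER) == 1:
            return r, pow(hash_to_group(password), r, P)

def envelope_key(password: bytes, r: int, evaluated: int) -> bytes:
    # Client: unblind (H(pw)^(r*k))^(1/r) = H(pw)^k and derive the envelope key.
    unblinded = pow(evaluated, pow(r, -1, ORDER), P)
    return hashlib.sha256(password + unblinded.to_bytes(16, "big")).digest()

def xor_pad(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher keyed by the envelope key (a real envelope uses an AEAD).
    pad = hashlib.sha256(key + b"pad").digest()[: len(data)]
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(key: bytes, secret: bytes) -> bytes:
    body = xor_pad(key, secret)
    return body + hmac.new(key, body, "sha256").digest()  # encrypt-then-MAC

def open_envelope(key: bytes, envelope: bytes):
    body, tag = envelope[:-32], envelope[-32:]
    if not hmac.compare_digest(hmac.new(key, body, "sha256").digest(), tag):
        return None  # wrong password (or tampered envelope): the key does not fit
    return xor_pad(key, body)

def register(password: bytes):
    # Registration: the server keeps only its per-user key k and the sealed envelope.
    r, blinded = blind(password)                 # client -> server
    oprf_key = secrets.randbelow(ORDER - 1) + 1  # server picks k
    evaluated = pow(blinded, oprf_key, P)        # server -> client (OPRF evaluation)
    secret = secrets.token_bytes(32)             # client's long-term secret
    envelope = seal(envelope_key(password, r, evaluated), secret)
    return {"oprf_key": oprf_key, "envelope": envelope}, secret

def login(record: dict, password: bytes):
    # Login: the server again sees only a blinded value, never the password.
    r, blinded = blind(password)
    evaluated = pow(blinded, record["oprf_key"], P)
    return open_envelope(envelope_key(password, r, evaluated), record["envelope"])
```

Note that the blinded value sent to the server differs on every login even for the same password, so nothing the server receives can be replayed or compared across attempts.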