📝GPG-based authentication

It is possible to build an authentication protocol that uses GPG keys. Instead of entering a username/password or signing in with Google or another identity provider, you use your locally generated GPG key as your identity.

Pros

  • It’s all local. You do not rely on any identity provider, your GPG key is generated locally.
  • No extra information leaked. The method provides a way to sign up and to verify it’s you when you return, but no additional information is provided to the service (e.g., your email is not exposed).
  • Potentially one-click. The operating system/browser can hide away most of the complexity of generating and managing GPG keys. For the user, this can be exposed as “managing identities.”

Cons

  • Harder to sync. If the key is protected with a master password, it should be pretty simple to sync the key between devices. OS/browser could do that.
  • Impossible to restore. If the master key is lost or the password is forgotten, there is no way to restore it.
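
An added example of the sign-up and return flow described above (not code from the original note): the service stores only a public key under its fingerprint and accepts a login when the client signs a fresh, single-use challenge. It uses a bare Ed25519 key from Go's standard library as a stand-in for a GPG key; `origin`, `Server`, `signedMessage` and the `auth-v1` prefix are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const origin = "https://service.example" // constructed service identifier
// Server stores public keys and outstanding nonces, both keyed by fingerprint.
type Server struct{ users, pending map[string][]byte }

// Register is sign-up: the account is the key's fingerprint, nothing else is collected.
func (s *Server) Register(pub ed25519.PublicKey) string {
	fp := fmt.Sprintf("%x", sha256.Sum256(pub))
	s.users[fp] = pub
	return fp
}

// Challenge returns a fresh random nonce, or nil for an unknown or malformed key.
func (s *Server) Challenge(fp string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil || len(s.users[fp]) != ed25519.PublicKeySize {
		return nil
	}
	s.pending[fp] = nonce
	return nonce
}

// Login checks the signature and consumes the nonce, so a captured reply cannot be replayed.
func (s *Server) Login(fp string, sig []byte) bool {
	nonce, ok := s.pending[fp]
	delete(s.pending, fp)
	return ok && ed25519.Verify(s.users[fp], signedMessage(origin, nonce), sig)
}

// signedMessage binds the nonce to one service, so the signature is useless elsewhere.
func signedMessage(service string, nonce []byte) []byte {
	return append([]byte("auth-v1|"+service+"|"), nonce...)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // private key never leaves the client
	s := &Server{map[string][]byte{}, map[string][]byte{}}
	fp := s.Register(pub)
	sig := ed25519.Sign(priv, signedMessage(origin, s.Challenge(fp)))
	fmt.Println(s.Login(fp, sig), s.Login(fp, sig)) // first login succeeds, replay fails
}
```

The server never sees the private key or any profile data, which is the "no extra information leaked" property; it also means there is nothing server-side to recover the account with if the key is lost.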
