📝GPG-based authentication

It is possible to have an authentication protocol that is using GPG keys. So instead of entering your username/password or signing in with google or any identity provider, you just use your locally-generated GPG key as your identity.

Pros

• It’s all local. You do not rely on any identity provider, your GPG key is generated locally.

• No extra information leaked. The method provides a way sign up and verify it’s you when you return, but no additional information is provided to the service (e.g., your email is not exposed).

• Potentially one-click. The operating system/browser can hide away most of the complexity of generating and managing GPG keys. For the user, this can be exposed as “managing identities.”

Cons

• Harder to sync. If the key is protected with a master password, it should be pretty simple to sync the key between devices. OS/browser could do that.

• Impossible to restore. If the master key is lost/password forgotten, there is no way to restore it.

See also

• OpenID Connect can be used as a universal authentication system—OIDC + Self-Issued OpenID Provider cover the same use case as GPG-based authentication

Resources

• Secure website-authentication using GPG keys—basically the same idea (found it after I came up with my own)

Backlinks

• 📝 Authentication and identity management should be part of the platform
• 📝 OpenID Connect can be used as a universal authentication system