Hacker News new | past | comments | ask | show | jobs | submit login

so assuming one trusts the model, would it work to have something like:

I have a /me/private/yourwebsite.com set up to be shared between me and your particular site, the link is set-up when I sign up

when I log in your site, it would look for this directory to be there, in this directory there will be a file with a password hash, the server would load it, and validate the hash of the typed in password against the hash I provide, once the login is successful it would remove this file

this would basically mean that I could have single-use passwords for any site as it would be trivial to have a browser add-on that generates a random password and corresponding hash when I want to log in somewhere, it types the password in the password field on the page and puts the hash in the keybase directory corresponding to it, and alert me if the site does not remove the file after the login.




I actually wrote something like that for Keybase before KBFS was announced: https://github.com/jzila/kb-login-ext

The approach you detailed is the way to go once the filesystem is in the wild. Such power!


You can get rid of the middleman and just sign a nonce for the site, modulo the "don't sign whatever someone gives you" caveat. If you have a PGP key that uniquely identifies you, there are many many things you can do.




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: