> Could you use a blind signature to construct a rotating code 2 factor scheme where leaking the server credential doesn't lead to complete compromise?
Offhand I don't imagine it's possible to do that this way, but there is a challenge-response authentication scheme that does guarantee (if you use it correctly) that compromise of the server credentials does not allow you to impersonate clients to the server. It's called SCRAM-SHA (RFC 5802, RFC 7677) and uses client and server nonces to provide the session uniqueness property (authentications can't be replayed).
Leaking the server credentials (StoredKey, ServerKey) does not lead to compromise (obtaining the ClientKey) under this scheme because StoredKey = H(ClientKey) and reversing H() is hard.
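The SCRAM-SHA-256 key schedule the reply describes, as an added example (not code from the original post): the server keeps only StoredKey = H(ClientKey) and ServerKey, verifies a proof by unmasking ClientKey and re-hashing it, and a holder of the leaked server record alone cannot produce a valid proof. Salt, nonces, username and password are constructed sample values.

```python
import base64
import hashlib
import hmac

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def derive_keys(password: str, salt: bytes, iterations: int) -> dict:
    """Client side (RFC 5802 s.3): SaltedPassword -> ClientKey, StoredKey = H(ClientKey), ServerKey."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return {
        "client_key": client_key,
        "stored_key": hashlib.sha256(client_key).digest(),
        "server_key": hmac.new(salted, b"Server Key", hashlib.sha256).digest(),
    }

def client_proof(client_key: bytes, stored_key: bytes, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    return xor(client_key, hmac.new(stored_key, auth_message, hashlib.sha256).digest())

def server_verify(stored_key: bytes, auth_message: bytes, proof: bytes) -> bool:
    """Server unmasks ClientKey from the proof and checks H(ClientKey) == StoredKey."""
    recovered = xor(proof, hmac.new(stored_key, auth_message, hashlib.sha256).digest())
    return hmac.compare_digest(hashlib.sha256(recovered).digest(), stored_key)

def server_signature(server_key: bytes, auth_message: bytes) -> bytes:
    """ServerSignature = HMAC(ServerKey, AuthMessage); lets the client authenticate the server."""
    return hmac.new(server_key, auth_message, hashlib.sha256).digest()

def demo() -> tuple:
    # Constructed sample values; a real deployment uses a random per-user salt and fresh random nonces.
    salt, iterations = b"constructed-salt", 4096
    keys = derive_keys("correct horse battery staple", salt, iterations)
    record = {"stored_key": keys["stored_key"], "server_key": keys["server_key"]}  # no ClientKey stored
    # AuthMessage binds both nonces, so a captured proof is useless for any other session.
    client_first_bare = "n=alice,r=cnonce1"
    server_first = "r=cnonce1snonce1,s=%s,i=%d" % (base64.b64encode(salt).decode(), iterations)
    client_final_bare = "c=biws,r=cnonce1snonce1"
    auth_message = ",".join([client_first_bare, server_first, client_final_bare]).encode()
    # 1. Honest client: proves possession of ClientKey.
    proof = client_proof(keys["client_key"], keys["stored_key"], auth_message)
    honest_ok = server_verify(record["stored_key"], auth_message, proof)
    # 2. Leaked server record only: StoredKey is the best available stand-in for ClientKey,
    #    but H(StoredKey) != StoredKey, so the server's check rejects it.
    bad_proof = client_proof(record["stored_key"], record["stored_key"], auth_message)
    leaked_ok = server_verify(record["stored_key"], auth_message, bad_proof)
    # 3. Mutual auth: client recomputes ServerSignature from its own ServerKey and compares.
    server_ok = hmac.compare_digest(server_signature(record["server_key"], auth_message),
                                    server_signature(keys["server_key"], auth_message))
    return honest_ok, leaked_ok, server_ok
```

Note that a leaked record still allows offline guessing of the password and impersonating the server to clients; the property shown here is only that it does not yield ClientKey.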