I had not thought about that but I think I can add push notifications if this is a problem. So on your phone you just tap the login with my authenticator button and approve the push notification in my authenticator app.
Yes I looked into it, but it looks like WebAuthn does not support multiple devices (let me know if I am wrong).
What if I want to log in from two different devices? I don't think that is possible with WebAuthn, but using my authenticator you can log in to multiple devices. You will also be able to add a recovery email address to my authenticator to recover your accounts if your phone gets damaged/lost.
>As for QR codes, those can be copied
The QR codes are unique for every login attempt. After you scan the QR code and enter your phone's PIN, my authenticator will send a request to my server. If everything is OK you will be logged in. Sorry, I did not get what you mean by this. Do you mean that someone could copy and use the same QR again?
>I will never use digital face/touch ID for anything
I do not save any biometrics on my server. They are stored locally on your phone; my app just uses the native system used to unlock your phone. That being said, you can just use your phone's PIN if you don't like to use biometrics.
>Do you mean that someone could copy and use the same QR again?
A person intercepting traffic or spoofing a site can copy/tamper/replace the QR code just as they can plain text or binary blobs. QR is just a presentation structure that makes it easier for a camera to translate something into data. For this to be useful there would have to be a bootstrapped chain of custody and chain of trust already installed on the device scanning the QR code, meaning you know where that trust came from and you can verify it against a trusted source. If this is not what you meant, then where is the end user getting the certs used in this QR code from? Are you embedding the certs in the application? How do people know the application has not been copied/tampered with?
>intercepting traffic or spoofing a site can copy/tamper/replace the QR code
Will this be a problem with HTTPS?
When you open a page, a request will be made to my server to generate a unique login attempt; the id of this unique login attempt will be shown in the QR code.
When you scan it and enter your phone's PIN, my authenticator generates a signature of the login attempt id, your username on that website and the current time. My server verifies the signature and logs you in if everything is OK.
Have you logged in to the Discord/Reddit/Whatsapp websites by scanning the QR code shown there from their mobile app? My concept is the same, but by using my authenticator app, websites which do not have a native app can also offer a QR code login.
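The login flow described in the reply above, written out as an added example (not the authenticator's own code): the server issues a one-time attempt id that the QR code would carry, the phone signs the attempt id, username and current time, and the server accepts that signature exactly once and only while the attempt is still live. It assumes a per-device key registered when the phone is enrolled, uses HMAC as a stand-in for whatever signature scheme the app actually uses, and the ATTEMPT_TTL and CLOCK_SKEW values are assumed.

```python
import hashlib, hmac, json, secrets, time

ATTEMPT_TTL = 60   # seconds a displayed QR code stays valid (assumed value)
CLOCK_SKEW = 30    # tolerated gap between the phone's clock and the server's (assumed value)

def sign(key, attempt_id, username, ts):
    """What the authenticator app computes after the PIN is entered; HMAC stands in for the app's real signature."""
    msg = json.dumps([attempt_id, username, ts]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class LoginServer:
    """Server side: hand out one-time login attempt ids, then verify the phone's signed response."""
    def __init__(self):
        self.device_keys = {}   # username -> key registered when the phone was enrolled (assumed enrolment step)
        self.attempts = {}      # attempt_id -> time issued; an entry is deleted once it has been used

    def new_login_attempt(self, now):
        """Called when the login page loads; the returned id is what the QR code encodes."""
        attempt_id = secrets.token_urlsafe(16)
        self.attempts[attempt_id] = now
        return attempt_id

    def verify(self, attempt_id, username, ts, signature, now):
        """True (user logged in) only for a live, unused attempt with a valid signature over all three fields."""
        issued = self.attempts.get(attempt_id)
        if issued is None or now - issued > ATTEMPT_TTL:
            return False        # unknown, expired, or already consumed: a re-scanned old QR code ends here
        if abs(now - ts) > CLOCK_SKEW:
            return False        # the signed time must be close to the server's clock
        key = self.device_keys.get(username)
        if key is None or not hmac.compare_digest(sign(key, attempt_id, username, ts), signature):
            return False        # unknown user, wrong key, or tampered fields
        del self.attempts[attempt_id]   # one attempt id buys exactly one login
        return True

def demo():
    """Constructed walk-through: a genuine login, a replay of the same QR code, a forged response, a stale one."""
    server = LoginServer()
    phone_key = secrets.token_bytes(32)          # constructed enrolment key shared with the phone
    server.device_keys["alice"] = phone_key
    now = int(time.time())
    a1 = server.new_login_attempt(now)           # the page shows a1 in its QR code
    sig = sign(phone_key, a1, "alice", now)      # phone scans it, user enters the PIN, app signs
    first = server.verify(a1, "alice", now, sig, now)
    replay = server.verify(a1, "alice", now, sig, now + 1)          # same QR code and signature presented again
    a2 = server.new_login_attempt(now)
    forged = server.verify(a2, "alice", now, sign(b"not-the-key", a2, "alice", now), now)
    stale = server.verify(a2, "alice", now, sign(phone_key, a2, "alice", now), now + ATTEMPT_TTL + 1)
    return {"first": first, "replay": replay, "forged": forged, "stale": stale}
```

Only the three fields the reply lists are signed, so the phone cannot tell which site displayed the code; that is the spoofed-site concern raised earlier in the thread, and this check alone does not address it.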
I've seen people use QR with those sites and it doesn't make sense to me. So using a bank as example, I barely trust them to get this right. Now I am inserting your company into the chain of trust? Why am I trusting one more party to get all of this right? Or is this a solution you are selling to each vendor and they are implementing your service on prem? Is your service going to be audited by independent third parties that vendors choose? How do people verify that your application is the legitimate version? How does the bank know if someone has tampered with your application? Why is my bank trusting your application?
My laptop doesn't have a webcam, and even if it did, I wouldn't permit my web browser access to it unless I really needed to. A website that asks me to access the webcam just to log in isn't going to appeal to me.
I've no idea how typical I am in this regard, though.
Could you turn the idea on its head? Could the website display the QR code and the phone scan it, as per WhatsApp and many others? Or perhaps the phone just displays the now ubiquitous "random raccoon" type wordset for the user to enter into the website?
Remote: Yes
Willing to relocate: No (can work remotely according to another time zone)
Technologies:
Python (FastAPI, Flask, Django)
JavaScript/TypeScript (React, React Native, Node.js)
Machine Learning (Numpy, Scikit-Learn, Pandas, Keras)
PostgreSQL/MySQL
Docker
Résumé/CV: https://www.linkedin.com/in/pranav-berry-00809719b/
Email: berrypranav@gmail.com
I'm also ok with an internship role before discussing further.