A secure login where the user's private key is never hosted on servers or the user's online devices ( this project can also be used as a form of two-factor authentication ( 2FA ) where the user's private key is never hosted on servers )
1 ) Using an online device ( D1 ) the user goes to the server's login page ( S1 )
2 ) The user simply enters his username in the form, and this data is submitted to the server ( login.php )
3 ) If the user's username exists in the server's database ( code.php ) then the server creates a 12-digit random code, this random code is encrypted with the user's public key, and a QR code containing the encrypted random code is sent to the user ( code.php )
4 ) Using an offline device ( D2 ) the user scans the QR code, the QR code data is decrypted with the user's private key, and this decrypted data is submitted to the server ( code.php )
5 ) If the 12-digit code submitted by the user is correct ( test.php ) then the user will be able to access the user's home page ( home.php )
6 ) And the user will also be able to access the user's profile page ( profile.php )
» Philosophy : Never-Never
-
Private Keys : ( Never on servers ) and ( Never on online devices )
-
Therefore, public keys only on ( online or offline ) servers and private keys only on offline devices.
-
This philosophy only applies when using asymmetric encryption algorithms ( RSA, ECDSA, EdDSA, etc. )
» Philosophy : Only-Only
-
Private Keys : ( Only on offline servers ) and ( Only on offline devices )
-
Therefore, private keys : never on online servers and never on online devices.
-
This philosophy only applies when using symmetric encryption algorithms ( AES, 3DES, etc. )