0

I'm developing an Authenticator App for use towards my own API. I know about the TOTP standard RFC 6238 and the HOTP variant. Though I would prefer to use a public/private key based solution (by only storing the public key on the server).

What are some more or less standardized alternatives?

Is a home invented challenge response scheme with a public/private key pair subject to attacks (in the context of a secure HTTPS channel)?

Henrik Cooke
  • 101
  • 1

1 Answers1

1

If you - for whatever reason - preferred a challenge response protocol that used asymmetric cryptography, you may want to take a look at the work of the FIDO alliance.

This seems however to be an XY Problem. It's not clear why welldefined, secure methods for second factor usage are out of scope for you. Also, as a sidenote: Please do NOT roll you own crypto!

The gist of the linked QA: You are almost 100% guaranteed to make a mistake that can later be exploited.

Tobi Nary
  • 14,302
  • 8
  • 43
  • 58
  • With public/private keys I could extend solution to include signing and public keys are less security sensitive in the back-end. FIDO alliance is good input, though it looks massive. I was hoping for "checkout RFC XYZ". – Henrik Cooke Apr 20 '18 at 15:09