📝GPG-based authentication
It is possible to build an authentication protocol on GPG keys. Instead of entering a username/password or signing in with Google or another identity provider, you use your locally generated GPG key as your identity.
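The sign-up and return-visit flow described above, as an added worked example that is not part of this note: a challenge-response login in Go. It uses Ed25519 from Go's standard library in place of an actual GPG key, since the protocol is the same whichever signature key the client holds. The service learns only a key fingerprint at sign-up, issues a fresh random nonce for each login, and accepts a signature over that nonce once, within a time window, and only when the signed message is bound to its own service name (so a signature obtained by one site cannot be replayed at another). The service name `example.test`, the `key-auth-v1` message prefix, and all type and function names are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Fingerprint stands in for a GPG key fingerprint: the service indexes
// accounts by this value and learns nothing else about the user.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

type challenge struct {
	issued time.Time
	used   bool
}

// Server is the relying service (illustrative layout, not a real library).
type Server struct {
	name       string                       // service identity, bound into every signed message
	accounts   map[string]ed25519.PublicKey // fingerprint -> public key
	challenges map[string]*challenge        // hex nonce -> state
	ttl        time.Duration                // how long a nonce stays valid
	now        func() time.Time             // injectable clock for tests
}

func NewServer(name string, ttl time.Duration) *Server {
	return &Server{
		name:       name,
		accounts:   make(map[string]ed25519.PublicKey),
		challenges: make(map[string]*challenge),
		ttl:        ttl,
		now:        time.Now,
	}
}

// SignUp registers a public key. No email or password is involved.
func (s *Server) SignUp(pub ed25519.PublicKey) (string, error) {
	if len(pub) != ed25519.PublicKeySize {
		return "", errors.New("malformed public key")
	}
	fp := Fingerprint(pub)
	if _, exists := s.accounts[fp]; exists {
		return "", errors.New("key already registered")
	}
	s.accounts[fp] = pub
	return fp, nil
}

// Challenge issues a fresh random nonce that the client must sign.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[hex.EncodeToString(nonce)] = &challenge{issued: s.now()}
	return nonce, nil
}

// signedMessage domain-separates the nonce with the service name so a
// signature produced for one service is useless against another.
func signedMessage(service string, nonce []byte) []byte {
	return []byte("key-auth-v1|" + service + "|" + hex.EncodeToString(nonce))
}

// Sign is the client side: sign the challenge with the local private key.
func Sign(priv ed25519.PrivateKey, service string, nonce []byte) []byte {
	return ed25519.Sign(priv, signedMessage(service, nonce))
}

// Login verifies the signature against the registered key and enforces that
// each challenge is used once and only within its time window.
func (s *Server) Login(fp string, nonce, sig []byte) error {
	pub, ok := s.accounts[fp]
	if !ok {
		return errors.New("unknown fingerprint")
	}
	key := hex.EncodeToString(nonce)
	c, ok := s.challenges[key]
	if !ok {
		return errors.New("unknown challenge")
	}
	if c.used {
		return errors.New("challenge already used")
	}
	if s.now().Sub(c.issued) > s.ttl {
		delete(s.challenges, key)
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(pub, signedMessage(s.name, nonce), sig) {
		return errors.New("bad signature")
	}
	c.used = true
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer("example.test", time.Minute)
	fp, _ := srv.SignUp(pub)
	nonce, _ := srv.Challenge()
	fmt.Println("login:", srv.Login(fp, nonce, Sign(priv, "example.test", nonce)))
	fmt.Println("replay:", srv.Login(fp, nonce, Sign(priv, "example.test", nonce)))
}
```

With a real GPG key the client would produce a detached signature over the same `signedMessage` bytes and the server would verify it against the public key stored at sign-up; the nonce, single-use and expiry checks on the server side are what make the scheme safe against replay, and they do not depend on the key type.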
Pros
- It’s all local. You do not rely on any identity provider, your GPG key is generated locally.
- No extra information leaked. The method provides a way to sign up and to verify that it is you when you return, but no additional information is given to the service (e.g., your email is not exposed).
- Potentially one-click. The operating system/browser can hide away most of the complexity of generating and managing GPG keys. For the user, this can be exposed as “managing identities.”
Cons
- Harder to sync. The key has to be present on every device you use. If it is protected with a master password, syncing it between devices should be pretty simple, and the OS/browser could do that.
- Impossible to restore. If the master key is lost or the password is forgotten, there is no way to restore it.
See also
- OpenID Connect can be used as a universal authentication system—OIDC + Self-Issued OpenID Provider cover the same use case as GPG-based authentication
Resources
- Secure website-authentication using GPG keys—basically the same idea (found it after I came up with my own)