I had not thought about that but I think I can add push notifications if this is a problem. So on your phone you just tap the login with my authenticator button and approve the push notification in my authenticator app.
Yes I looked into it, but it looks like WebAuthn does not support multiple devices (let me know if I am wrong).
What if I want to login from two different devices? I don't think that is possible with WebAuthn, but using my authenticator you can login to multiple devices. You will also be able to add a recovery email address to my authenticator to recover your accounts if you phone gets damaged/lost.
>intercepting traffic or spoofing a site can copy/tamper/replace the QR code
Will this be a problem with HTTPS?
When you open a page, a request will be made to my server to generate a unique login attempt, the id of this unique login attempt will be shown in the QR code.
When you scan it and enter your phone's pin, my authenticator generates a signature of the login attempt id, your username on that website and the current time. My server verifies the signature and logs you in if everything is ok.
Have you logged in to the Discord/Reddit/Whatsapp websites by scanning the QR code shown there from their mobile app? My concept is the same but using my authenticator app, websites which do not have a native app can also offer a QR code login.
>As for QR codes, those can be copied
The QR code are unique for every login attempt. After you scan the QR code and enter your phone's pin, my authenticator will send a request to my server. If everything is ok you will be logged in. Sorry I did not get what you mean by this? Do you mean that someone could copy and use the same QR again?
>I will never use digital face/touch ID for anything
I do not save any biometrics on my server. They are stored locally on your phone, my app just uses the native system used to unlock your phone. That being said, you can just use your phone's pin if you don't like to use biomterics.
If the phone not having a internet/network coverage was a problem, my idea could be useful. It also makes the phone a kind of hardware token, a user can login only if he has his phone.
However from the responses it looks like this is not an issue and I'll probably not work further on this idea.
> If the user needs to be loggedin somewhere, they must be online
I will be using JWTs, with asymmetric signatures. An internet connection will only be needed while adding the device for 2FA. The JWT will be generated from the private key already on the phone so internet is not necessary.
Remote: Yes
Willing to relocate: No (can work remotely according to another time zone)
Technologies:
Python (FastAPI, Flask, Django)
JavaScript/TypeScript (React, React Native, Node.js)
Machine Learning (Numpy, Scikit-Learn, Pandas, Keras)
PostgreSQL/MySQL
Docker
Résumé/CV: https://www.linkedin.com/in/pranav-berry-00809719b/
Email: [email protected]
I'm also ok with an internship role before discussing further.