Passwordless Authentication System Using TKey

Abstract

Threats targeting authentication systems are becoming more widespread in the current digital landscape, and passwords are challenged in their role as the dominant authentication method due to poor user habits and cognitive limitations. This thesis describes the design and implementation of a passwordless authentication system developed in Python and Go for a simple web application and proxy server. A two-factor authentication system was implemented utilizing a TKey (Chalmers version) from Tillitis AB with Ed25519 signing, as well as Time-based One-Time Password (TOTP) functionality. Additionally, a recovery mechanism was implemented that utilizes mnemonic phrases to handle the loss of a TKey. The project explores the possibilities of passwordless authentication using a TKey, and in the broader sense hardware-based authentication. It demonstrates that hardware-based authentication schemes relying on cryptographic signatures are effective candidates for tomorrow’s authentication systems.