Password-authenticated Decentralized Identities (2007.15881v2)

Abstract: Password-authenticated identities, where users establish username-password pairs with individual servers and use them later on for authentication, is the most widespread user authentication method over the Internet. Although they are simple, user-friendly, and broadly adopted, they offer insecure authentication and position server operators as trusted parties, giving them full control over users' identities. To mitigate these limitations, many identity systems have embraced public-key cryptography and the concept of decentralization. All these systems, however, require users to create and manage public-private keypairs. Unfortunately, users usually do not have the required knowledge and resources to properly handle their cryptographic secrets, which arguably contributed to failures of many end-user-focused public-key infrastructures (PKIs). In fact, as for today, no end-user PKI, able to authenticate users to web servers, has a significant adoption rate. In this paper, we propose Password-authenticated Decentralized Identities (PDIDs), an identity and authentication framework where users can register their self-sovereign username-password pairs and use them as universal credentials. Our system provides global namespace, human-meaningful usernames, and resilience against username collision attacks. A user's identity can be used to authenticate the user to any server without revealing that server anything about the password, such that no offline dictionary attacks are possible against the password. We analyze PDIDs and implement it using existing infrastructures and tools. We report on our implementation and evaluation.