I’m working on an authentication system for a web based Bitcoin-related service. As part of the service, users do some less sensitive operations (mostly reading and sending various types of information) and some highly sensitive operations (controlling Bitcoin funds by signing transactions).
I’m looking to create an authentication system that:
- Is based on ECDSA and digital signatures
- Allows easy access to the less sensitive operations, by permanently storing the key in local storage
- Requires additional information for highly sensitive operations, which is harder for an attacker to obtain
Here’s what I’m currently planning to do:
Account creation process
- The user signs up with two passwords – an A1 password and an A2 password
- A1 password is generated as 12 random words (132 bits)
- A2 password is generated as 4 random words (44 bits)
- The user is required to write down (but not remember) the A1 password, and to remember the A2 password (possibly writing it down until he remembers it, at which point he should destroy the written copy)
- The A1 password is used to create the A1 private key using
A1_key = Scrypt(A1_password, salt=GLOBAL_SALT||email, N=20, r=8, p=1)
- The A1 key and A2 password are used to create the A2 private key using
A2_key = Scrypt(A2_password, salt=H(A1_key), N=10, r=8, p=1)
- The public keys for both A1 and A2 are saved on the server.
- The user logs in using his A1 password, which is used to re-create his public key.
- The browser remembers the A1 key in local storage, so the user is not required to re-enter it unless he logs in from a new machine or clears his local storage
- The A1 key allows authorizing the less sensitive actions
- To do sensitive actions, the user is requested to enter his A2 password
- The A2 password is used to derive the A2 key and digitally sign the operation
- The A2 key is scrubbed from memory immediately after being used, and is never remembered by the browser
With that system in place, both the A1 and A2 passwords are needed for the highly sensitive operations. An attacker that gains access to the user’s machine would only have access to the A1 key – gaining access to A2 requires an active attack while the A2 password is provided.
- How do you feel about the security properties of such a system? Do you see any downsides or vulnerabilities that I'm missing?
- Do you think that the hassle of requiring users to handle two passwords is worth it?
- Do you see any ways to improve upon my suggested schema?