I am trying to create a web form, where the user can login without creating/entering a password.
Assuming the following per-requisites are met: The user and server have pre-generated a public/private key pair (on curve ed25519). The user and server both know each others public keys.
The server can simply provide a text document and challenge the user to sign the data and post the signed data to the server, but I think this is vulnerable to timing/replay attacks.
What is a good secure protocol which guarantees similar security as using a password?