PasswordLessAuth establishes a secure communication protocol for authenticating the users of an application or service.
The protocol is based on asymmetric (public-key) cryptography. The main actors are the service (usually a backend) that holds the application's data, the users, and the devices the users use to access the application.
The service or backend has a public/private key pair. Its public key should be available to every device and, ideally, embedded in the application or easily retrievable from the internet.
Each user owns one or more devices, and each device has its own private/public key pair. As part of the registration process with the service or backend, the device sends its public key, alongside some data, to the backend or service.
The PasswordLessAuth protocol is composed of a series of well-defined flows that allow a device to communicate with the backend for authentication and for device and key management.
Everything starts with the Signup Flow, which creates the user's account and registers the initial device and its key pair. Login is then performed by running the Login Flow followed by the Access Token Flow. The latter also serves to refresh the access token once it has expired, using a login key already retrieved from the authentication service.
The Add Device Flow allows the user to register an additional device, with a new key pair, and associate it with the user account. Conversely, the Revoke Device Flow allows the user to revoke a device when it is no longer in use or its keys have been compromised.
Finally, the PasswordLessAuth Information Flow is designed to retrieve information from the authentication service so that clients know how to interact with it. The User Information Flow offers information about an authenticated user.

Technical Specifications (v0.1)
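The following is an added, self-contained model of the Signup, Login, Access Token, Add Device and Revoke Device flows described above. It is illustration code written for this page, not PasswordLessAuth's own implementation, and it assumes concrete mechanics the overview leaves open: Ed25519 key pairs, a login that is a challenge-response (the backend issues a random nonce, the device returns it signed with its private key), a backend signature over the nonce that the device checks with the embedded backend public key, and opaque random strings for login keys and access tokens. The message formats, the `Backend`/`Device` types and all method names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// randomBytes returns n cryptographically random bytes (nonces, login keys, tokens).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Device models a user's device: its own key pair plus the backend's public key, which the page says is embedded in the app.
type Device struct {
	ID         string
	BackendPub ed25519.PublicKey
	Pub        ed25519.PublicKey
	priv       ed25519.PrivateKey
}

func NewDevice(id string, backendPub ed25519.PublicKey) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{ID: id, BackendPub: backendPub, Pub: pub, priv: priv}
}

// SignChallenge checks the challenge came from the expected backend (assumed use of the embedded key), then signs the nonce.
func (d *Device) SignChallenge(nonce, backendSig []byte) ([]byte, error) {
	if !ed25519.Verify(d.BackendPub, nonce, backendSig) {
		return nil, errors.New("challenge not signed by the expected backend")
	}
	return ed25519.Sign(d.priv, nonce), nil
}

type accessToken struct {
	user    string
	expires time.Time
}

// Backend is the authentication service: a device registry plus the credentials it has issued.
type Backend struct {
	Pub        ed25519.PublicKey
	priv       ed25519.PrivateKey
	devices    map[string]ed25519.PublicKey // deviceID -> device public key
	owner      map[string]string            // deviceID -> userID
	challenges map[string][]byte            // deviceID -> outstanding nonce (single use)
	loginKeys  map[string]string            // loginKey -> deviceID that obtained it
	tokens     map[string]accessToken
	tokenTTL   time.Duration
}

func NewBackend(tokenTTL time.Duration) *Backend {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Backend{Pub: pub, priv: priv, tokenTTL: tokenTTL, devices: map[string]ed25519.PublicKey{},
		owner: map[string]string{}, challenges: map[string][]byte{}, loginKeys: map[string]string{}, tokens: map[string]accessToken{}}
}

// Signup Flow: create the account and register the initial device's public key (AddDevice reuses this registration step).
func (b *Backend) Signup(user string, d *Device) error {
	if _, exists := b.devices[d.ID]; exists {
		return errors.New("device ID already registered")
	}
	b.devices[d.ID], b.owner[d.ID] = d.Pub, user
	return nil
}

// Login Flow, step 1: a fresh nonce, signed by the backend so the device can authenticate its origin.
func (b *Backend) LoginChallenge(deviceID string) (nonce, backendSig []byte, err error) {
	if _, ok := b.devices[deviceID]; !ok {
		return nil, nil, errors.New("unknown or revoked device")
	}
	nonce = randomBytes(32)
	b.challenges[deviceID] = nonce
	return nonce, ed25519.Sign(b.priv, nonce), nil
}

// Login Flow, step 2: verify the device's signature over the nonce and issue a login key.
func (b *Backend) LoginVerify(deviceID string, sig []byte) (string, error) {
	nonce, ok := b.challenges[deviceID]
	if !ok {
		return "", errors.New("no outstanding challenge for this device")
	}
	delete(b.challenges, deviceID) // consume it: a captured signature cannot be replayed
	pub, ok := b.devices[deviceID]
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return "", errors.New("device signature did not verify")
	}
	lk := hex.EncodeToString(randomBytes(32))
	b.loginKeys[lk] = deviceID
	return lk, nil
}

// Access Token Flow: exchange a login key for a short-lived token; call again with the same key to refresh.
func (b *Backend) AccessToken(loginKey string) (string, error) {
	deviceID, ok := b.loginKeys[loginKey]
	if !ok {
		return "", errors.New("invalid or revoked login key")
	}
	t := hex.EncodeToString(randomBytes(16))
	b.tokens[t] = accessToken{user: b.owner[deviceID], expires: time.Now().Add(b.tokenTTL)}
	return t, nil
}

// Authenticate resolves an access token to its user, rejecting expired tokens.
func (b *Backend) Authenticate(token string) (string, error) {
	t, ok := b.tokens[token]
	if !ok || time.Now().After(t.expires) {
		return "", errors.New("invalid or expired access token")
	}
	return t.user, nil
}

// Add Device Flow: an authenticated user associates another device's key pair with the account.
func (b *Backend) AddDevice(token string, d *Device) error {
	user, err := b.Authenticate(token)
	if err != nil {
		return err
	}
	return b.Signup(user, d)
}

// Revoke Device Flow: drop the device's key and every login key it obtained, so it can neither log in nor refresh.
func (b *Backend) RevokeDevice(token, deviceID string) error {
	user, err := b.Authenticate(token)
	if err != nil {
		return err
	}
	if b.owner[deviceID] != user {
		return errors.New("device is not associated with this user")
	}
	delete(b.devices, deviceID)
	delete(b.owner, deviceID)
	delete(b.challenges, deviceID)
	for lk, id := range b.loginKeys {
		if id == deviceID {
			delete(b.loginKeys, lk)
		}
	}
	return nil
}
```

Two details matter more than the rest: the nonce is deleted before the signature is checked, so a captured login signature cannot be replayed, and revocation removes the device's login keys as well as its public key, so a revoked device cannot keep refreshing tokens. Access tokens already issued to the revoked device stay valid until they expire in this model, which is the usual argument for a short token TTL.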