PKAuth is excited to announce PKAP, a new authentication protocol that makes logging into online services simple and secure. With PKAP, users no longer need to remember a different password for each website. Instead, users create a digital identity that stores a list of their authorized devices.

To log in to a supported website, users unlock the identity on their device, and the website can then verify their identity. Users no longer need to remember a unique password for each website and cannot use weak, crackable passwords. Identities are encrypted on each device, so unlocking the identity requires physical access to the device and knowledge held by the user. If a device is compromised, access to the device is easily revoked by removing that device from the list of authorized devices. Under the hood, PKAP leverages cryptography and digital signatures to prove users are who they say they are.

Check out this video demonstrating PKAP in practice.

PKAuth is a service that manages your digital PKAP identities. PKAuth is currently in a closed beta. Join the waitlist today!

Are you interested in protecting your organization with PKAuth? Let us know how we can help!

Technical overview

PKAP is a federated authentication protocol based on public key cryptography. PKAP identities are composed of sets of public keys that are used for authentication, encryption, and signatures. Identities have a master key that is used to sign the set of public keys, and the identity file is hosted online.

To authenticate a user, a website needs to know the user's master public key and the URL of the identity file. The website can then retrieve the approved set of public keys used for authentication. When the user attempts to log in, the website verifies that the user's device public key is part of the approved set. The site then sends an authentication challenge that the user's device signs after being unlocked.
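
The website-side checks described above, as an added sketch (not code from PKAuth or the PKAP specification). It assumes Ed25519 keys and a constructed identity layout in which the master key signs the concatenated device keys; `Identity`, `SignIdentity` and `VerifyLogin` are hypothetical names.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Identity is a constructed stand-in for the hosted identity file (not the spec's format).
type Identity struct {
	Devices [][]byte // approved device public keys (fixed 32-byte Ed25519 keys)
	Sig     []byte   // master-key signature over the concatenated keys
}

// SignIdentity is the owner's side: the master key signs the approved set.
func SignIdentity(master ed25519.PrivateKey, devices ...[]byte) Identity {
	return Identity{devices, ed25519.Sign(master, bytes.Join(devices, nil))}
}

// VerifyLogin is the website's side: only masterPub is trusted, all else is untrusted input.
func VerifyLogin(masterPub, device ed25519.PublicKey, id Identity, challenge, resp []byte) error {
	if !ed25519.Verify(masterPub, bytes.Join(id.Devices, nil), id.Sig) {
		return errors.New("identity file not signed by master key")
	}
	approved := false
	for _, d := range id.Devices {
		approved = approved || bytes.Equal(d, device)
	}
	// The length check keeps ed25519.Verify from panicking on a malformed key.
	if !approved || len(device) != ed25519.PublicKeySize {
		return errors.New("device key not in approved set")
	}
	if !ed25519.Verify(device, challenge, resp) {
		return errors.New("challenge signature invalid")
	}
	return nil
}

func main() {
	masterPub, master, _ := ed25519.GenerateKey(rand.Reader)
	phonePub, phone, _ := ed25519.GenerateKey(rand.Reader)
	challenge := make([]byte, 32) // fresh per login, so an old response cannot be replayed
	rand.Read(challenge)
	resp := ed25519.Sign(phone, challenge)
	fmt.Println("approved:", VerifyLogin(masterPub, phonePub, SignIdentity(master, phonePub), challenge, resp))
	fmt.Println("revoked: ", VerifyLogin(masterPub, phonePub, SignIdentity(master), challenge, resp))
}
```

The second call shows revocation: once the master key re-signs the set without the phone's key, the same device and response are rejected.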

A draft of the PKAP protocol specification is available and provides more details. If you would like to comment, please create an issue in the specification's repository.