Passwords are flawed. Bad ones are easy to crack, and good ones are hard to remember. They are re-used all over the place, yet they are breached every other day. From 117M/LinkedIn to 145M/eBay, from 85M/Dailymotion to even 1000M/Yahoo, you're perhaps in a minority if your password isn't vulnerable. They should have gone the way of payphones, but they haven't. It's like using locks made of paper when steel is cheap and widely available.

What it does

We're an identity provider. An app on your phone authenticates you through Android's Fingerprint/LockScreen Manager (iOS coming soon). Just like "Sign In With Google", or "Sign In With Facebook", we authenticate you on behalf of the target site using. Our code is easy to implement with a simple API, but what's more important is its security. Secured with 2048-bit RSA Asymmetric Key Cryptography, we ensure that your key can never be brute-forced. If your phone is stolen, rest assured that nobody can use your key. The best part? It takes only 1 button to log in.

How I built it

The server backend is built on a LAMP stack. It receives a request together with the server API key. After identifying the logged-in user from secure cookies, the server sends a request, encrypted with the user's public key, to the phone to authenticate the login. The private key is always protected by your biometric authentication and never leaves the phone. The phone decrypts the request with the private key and sends a secure response to the server. Locally, we make use of Android's Fingerprint Manager and KeyStore to keep your key secure.

Challenges I ran into

Encryption/Decryption with a Public/Private keypair is not easy because PHP and Java expect different formats. Furthermore, there is little documentation on the latest API for building keypairs and storing them securely on Android.
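The challenge-response flow from "How I built it" and the key-format mismatch described above, as an added example that is not NoPass's own code. The class and method names, the OAEP padding, the 32-byte nonce and the choice to return the decrypted nonce as the response are all assumptions; the page specifies none of them.

```java
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import javax.crypto.Cipher;

public class ChallengeResponseDemo { // hypothetical name
    // Assumed padding (the page names none). OAEP with SHA-1/MGF1 is what
    // PHP's OPENSSL_PKCS1_OAEP_PADDING produces, so both sides interoperate.
    static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";

    // Java's getEncoded() yields X.509 SubjectPublicKeyInfo DER; PHP's OpenSSL
    // functions read the same bytes once wrapped as a "PUBLIC KEY" PEM block.
    static String toPem(PublicKey key) {
        String body = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(key.getEncoded());
        return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n";
    }

    // Reverse direction: strip the PEM armor and rebuild the key from DER.
    static PublicKey fromPem(String pem) throws GeneralSecurityException {
        String b64 = pem.replaceAll("-----(BEGIN|END) PUBLIC KEY-----", "").replaceAll("\\s", "");
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(b64)));
    }

    static byte[] rsa(int mode, Key key, byte[] data) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(mode, key);
        return c.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        // Phone: 2048-bit keypair (in memory here; on Android it would live in the KeyStore).
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair phone = gen.generateKeyPair();
        String enrolledPem = toPem(phone.getPublic()); // what the server stores at enrolment

        // Server: fresh single-use nonce, encrypted to the enrolled public key.
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        byte[] request = rsa(Cipher.ENCRYPT_MODE, fromPem(enrolledPem), nonce);

        // Phone: only the private-key holder can recover the nonce.
        byte[] response = rsa(Cipher.DECRYPT_MODE, phone.getPrivate(), request);

        // Server: constant-time comparison, then discard the nonce so it cannot be replayed.
        System.out.println("login accepted: " + MessageDigest.isEqual(nonce, response));
    }
}
```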

Accomplishments that I'm proud of

Successfully implemented Asymmetric Key Cryptography PLUS biometric authentication by myself within 24 hours.

What I learned

It is difficult to work on both security and functionality within a short 24-hour time span. A good product takes time to build. Asymmetric Key Cryptography, while secure, is difficult to implement.

What's next for NoPass

iOS App, brush up on security.
