Password-authenticated identities, where users establish username-password
pairs with individual servers and use them later on for authentication, is the
most widespread user authentication method over the Internet. Although they are
simple, user-friendly, and broadly adopted, they offer insecure authentication
and position server operators as trusted parties, giving them full control over
users’ identities. To mitigate these limitations, many identity systems have
embraced public-key cryptography and the concept of decentralization. All these
systems, however, require users to create and manage public-private keypairs.
Unfortunately, users usually do not have the required knowledge and resources
to properly handle their cryptographic secrets, which arguably contributed to
failures of many end-user-focused public-key infrastructures (PKIs). In fact,
as for today, no end-user PKI, able to authenticate users to web servers, has a
significant adoption rate.
In this paper, we propose Password-authenticated Decentralized Identities
(PDIDs), an identity and authentication framework where users can register
their self-sovereign username-password pairs and use them as universal
credentials. Our system provides global namespace, human-meaningful usernames,
and resilience against username collision attacks. A user’s identity can be
used to authenticate the user to any server without revealing that server
anything about the password, such that no offline dictionary attacks are
possible against the password. We analyze PDIDs and implement it using existing
infrastructures and tools. We report on our implementation and evaluation.