C-Auth
An authentication service
The Idea
The idea for C-Auth came to me in 2020. While working on web projects I often had to implement authentication. Having to implement the same thing over and over again, I thought it would be a good idea to create a service that handles authentication for me. This way I would only have to implement the client side of the authentication process once and could reuse it for all my projects.
Also during that time I noticed over and over again how many accounts get hacked because of weak or leaked passwords.
I thought for a while about how to solve this problem and came to the conclusion that the best way would be to not use passwords at all.
So I tried to figure out a way to authenticate users without passwords. During that time I worked on some projects that used asymmetric (public-key) cryptography with the RSA algorithm. This gave me the idea of using public-key cryptography for authentication.
The concept was born and a phrase ran through my head:
Authentication should be proof-of-ownership, not proof-of-knowledge.
The Start
In late 2020 I started implementing a backend API for C-Auth in Java. The original idea was that the user would have to install a program on their device that would generate a keypair and store the private key on the device. The public key would then be sent to the server, where it would be stored. When the user wants to authenticate, the server sends a challenge to the client, which signs it using the private key and sends it back to the server. The server then verifies the signature and authenticates the user.
I had a working prototype of this system by mid-2020. But I was not totally happy with the way it worked. The user had to install a program on their device, which was not very user-friendly. The project came to a halt.
The Revolution
In late 2021 I stumbled upon the WebAuthn standard. This standard was exactly what I was looking for. It provides a way to authenticate users using public-key cryptography, without the need for the user to install any software on their device. The only thing the user needs is a device with a modern browser.
After some planning and conceptualizing I started all over again. This time I decided to use NodeJS for the backend, because it is much easier to work with than Java. At first I tried to use Firebase as a database, but I later realized that it was not flexible enough for my needs. It was expensive at scale and too complex to use. I like to have full control and wanted to host everything myself.
Then in late 2022 Fireship released this video about SurrealDB. This was EXACTLY what I was looking for. It was a simple, easy-to-use, open-source database that I could host myself. I immediately started to learn how to use SurrealDB. And then, in mid 2022, I started all over again, this time with SurrealDB as the database. And it worked PERFECTLY. My dreams became reality.
The State
At this point in time, C-Auth is stable and ready to use. It is still in development, but it is free for everyone to use. I am using C-Auth for all of my projects and it works just as I wished it would. I am still working on improving the user experience and adding new features. But the core functionality is there and works perfectly.
The Future
In the future I want to secure C-Auth as much as I can. I am aware of some things that could be improved and I am working on finding solutions.