OpenLogin by Torus

Web3Auth
Apr 19, 2021

The Simplicity of Passwordless Authentication With The Security of Non-custodial Public Key Infrastructure.

Today we’re excited to debut OpenLogin, the newest product in our line-up of PKI and authentication tools and services, powered by the Torus Key Infrastructure. OpenLogin improves on passwordless authentication in terms of UX, privacy and security. Here are the highlights:

  • Device-native biometrics: familiar Face ID/Touch ID logins to your application.
  • Social account SSO and passwordless flows: users can register via Google, Twitter, GitHub, and email verification.
  • Hassle-free data management: manage the most sensitive data flows, let users encrypt their own sensitive data, and set up for GDPR, CCPA and CPRA compliance.
  • Non-custodial PKI architecture: secured across a mixture of user devices and authentication methods, the architecture makes conventional data breaches impossible.
  • Customizable and custom logins: so that we blend right into your application.
  • Integrable in 10 minutes: that’s it!

OpenLogin is available today through the newly unified Torus SDK. Head over to our documentation to get started.

Public Key Infrastructure (PKI) today secures a lot of the web…

Since their inception, cryptographic keys have been rapidly adopted to secure many parts of the internet. Today Public Key Infrastructure (PKI) secures almost everything, from serving websites over HTTPS to end-to-end encrypted iMessages. It is also the foundation of the blockchain ecosystem, which has popularized the use of PKI further, now as a form of financial ownership. At its essence, PKI provides strong security and privacy guarantees through two functions: encryption, the ability to send a message that only the intended recipients can read, and attestation, the ability to digitally sign or make a claim as the key owner. The latter is very close to what we need for online authentication.

And it’s coming for user authentication

Authentication today inherits problems from the username-and-password account model that started when web clients first appeared. While it served its function, passwords had their issues: being just a simple string, they were easily guessable, and with millions of web applications being developed, each one created a separate account for the same user. Solutions like OAuth (e.g. Google Login) made the experience better, but both early integrators and providers of these services, unfortunately, exploited access to users’ data and captured far more information than they often needed. Beyond misuse of data by the holding entities themselves, these data pools also created honeypots for external hackers and nefarious actors, resulting in many, many, many data breaches to date. With just a simple digital signature, PKI presents us with a clear opportunity to replace passwords altogether and secure the data dynamically between applications and users.

OpenLogin is PKI with Face/TouchID and Passwordless Authentication Your Way

OpenLogin is the first authentication suite to combine the simplicity of passwordless authentication with the security of non-custodial public key infrastructure (PKI). It brings the ease of passwordless, SSO and biometric authentication (WebAuthn) to any native mobile or web application. OpenLogin makes crypto-friendly Face ID or fingerprint ID possible. These user experiences are fast, familiar, and can help you convert more users at signup.

While each of these features is exciting, the most important detail to highlight is that each of these implementations is non-custodial.

Non-custodial Public Key Infrastructure means no data breaches

Torus is the only authentication platform that handles accounts in a non-custodial manner. The private keys that correspond to accounts are generated and stored across a mixture of user devices and nodes on the Torus Key Infrastructure; they are only ever re-composable by the user. The user is always in complete control and the infrastructure is completely open-source.

This architecture circumvents the data honeypot issue that occurs with traditional account structures by removing data pools altogether, both on the infrastructure and application side:

On the infrastructure side

User accounts are represented by cryptographic keys secured across user devices and authentication systems, and data is encrypted only under the user's own account key. There is no central server to hack, so the risk of a data breach is virtually zero.

On the application side

Because users encrypt their own data and no personally identifiable information is stored on application servers, a data leak on the application side is also not possible. An attack on application servers would capture user-encrypted data that looks like a random string of numbers, not a user’s name, email, password or any other personal information.

It also means better management of user data and privacy guarantees

Also, instead of simply obscuring usernames, emails or passwords, or passing them on to another custodian (ahem, Amazon), using PKI means developers get better privacy guarantees and more control over the data they collect and handle. OpenLogin doesn’t force applications to capture, handle, or secure usernames, emails, or even passwords (and it goes without saying that data that is never collected can never be breached…).

Our one-of-a-kind PKI makes OpenLogin an easy choice for developers building applications that touch or handle sensitive data. It makes it easy to manage data flows, encrypt user data, and comply with GDPR, CCPA and CPRA regulations without sacrificing user experience.

When you use social login, OpenLogin also secures your application data upstream by acting as a proxy, preventing the login provider from tracking which application you are on, similar to Apple login’s proxy.

Non-custodial PKI means digital user-sovereignty and a more open internet

Non-custodial PKI is an important step towards empowering the digital individual with self-sovereignty. Instead of login providers attesting for users, key pairs enable users to digitally sign that “I am me”, a building block for secure and private interactions on the web, from decentralized identity to digital ownership. Blockchain has popularized keys for financial use cases, and with OpenLogin we hope to bring the same guarantees to user authentication.

Get Started

OpenLogin is incredibly simple to implement. Integrating the SDK takes ten minutes and includes SSO logins (e.g. passwordless, Google, WeChat), device-native biometrics via FIDO2’s WebAuthn, as well as the essential linkability/recoverability flows for end users. It works everywhere, on any device or platform. Head over to our documentation to get started.

It’s free to download the Torus SDK and our pricing tiers offer a generous free tier. Check out our demo at https://openlogin.com.
