Traditionally, protected web services rely on a user authentication process. The combination of an identifier (e.g. a username or email address) and a credential (e.g. a password) remains the most widely deployed form of user authentication, even though it is one of the major sources of security breaches. Moreover, in this traditional setting the management and sharing of user identity information is cumbersome: users find it increasingly difficult to manage identity data scattered across many sites, and they have limited control over that data. Self-sovereign Identity (SSI) has recently emerged as a mechanism for managing and exchanging identity information in a more user-centric and privacy-friendly way. SSI has been explored in many application domains, but its utility for passwordless web authentication remains largely unexplored. In this article we present SSI4Web, a framework that facilitates passwordless authentication for the web by employing state-of-the-art SSI technology, giving users more control over their identity data and web services greater flexibility. We present its architecture, which is derived from a threat model and requirement analysis, discuss its implementation details, and sketch its use cases along with their protocol flows. In addition, we analyse its performance, evaluate its security with ProVerif, a state-of-the-art protocol verifier, and discuss its advantages and limitations.
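The passwordless pattern the abstract describes, in which a key held in the user's wallet replaces the password and the site authenticates a signed presentation rather than a secret it stores, can be sketched as a minimal challenge-response exchange. The Go program below is an added example for this page, not SSI4Web's own code or protocol. It assumes an Ed25519 key pair as a stand-in for a DID verification method (no DID resolution is modelled), hex-encoded keys, JSON as the canonical signing format, in-memory stores for registered holders and pending challenges, and an assumed origin `https://service.example`. The claims are holder-asserted only; a real verifiable presentation would also carry issuer-signed credentials, which this example does not model. What it does show is the order of checks a verifier must make: consume the nonce first (replay), then expiry and audience binding, then the signature over the disclosed claims, then the account lookup.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// Challenge is minted per login attempt; its audience and expiry block replay elsewhere or later.
type Challenge struct {
	Nonce, Audience string
	Expires         time.Time
}

// signedPayload is what the holder signs; nonce and audience are inside the signed
// bytes. HolderKey is a hex Ed25519 public key, assumed here as a stand-in for a DID.
type signedPayload struct {
	HolderKey string            `json:"holder_key"`
	Claims    map[string]string `json:"claims"`
	Nonce     string            `json:"nonce"`
	Audience  string            `json:"audience"`
}

// Presentation is the wallet's reply: disclosed claims plus the echoed challenge, signed by the holder.
type Presentation struct {
	signedPayload
	Signature string `json:"signature"`
}

// Wallet is the user's side; it holds only the key pair, never a password.
type Wallet struct{ priv ed25519.PrivateKey }

func NewWallet() (*Wallet, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Wallet{priv: priv}, err
}

// KeyID is the hex public key the service binds to an account at registration.
func (w *Wallet) KeyID() string { return hex.EncodeToString(w.priv.Public().(ed25519.PublicKey)) }

// Present answers a challenge with the claims the user chose to disclose.
func (w *Wallet) Present(ch Challenge, claims map[string]string) (Presentation, error) {
	p := signedPayload{HolderKey: w.KeyID(), Claims: claims, Nonce: ch.Nonce, Audience: ch.Audience}
	msg, err := json.Marshal(p)
	if err != nil {
		return Presentation{}, err
	}
	return Presentation{signedPayload: p, Signature: hex.EncodeToString(ed25519.Sign(w.priv, msg))}, nil
}

// Verifier is the web service: accounts maps holder keys to users; pending holds unconsumed challenges.
type Verifier struct {
	Origin   string
	accounts map[string]string
	pending  map[string]Challenge
}

func NewVerifier(origin string) *Verifier {
	return &Verifier{Origin: origin, accounts: map[string]string{}, pending: map[string]Challenge{}}
}

// Register binds a holder key to a username once, in place of password enrolment.
func (v *Verifier) Register(keyID, user string) { v.accounts[keyID] = user }

// IssueChallenge mints a fresh random nonce tied to this origin with a short TTL.
func (v *Verifier) IssueChallenge(now time.Time, ttl time.Duration) (Challenge, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return Challenge{}, err
	}
	ch := Challenge{Nonce: hex.EncodeToString(b), Audience: v.Origin, Expires: now.Add(ttl)}
	v.pending[ch.Nonce] = ch
	return ch, nil
}

// Verify returns the authenticated username. The nonce is consumed before any other
// check, so a replayed presentation fails even if the first submission succeeded.
func (v *Verifier) Verify(p Presentation, now time.Time) (string, error) {
	ch, ok := v.pending[p.Nonce]
	if !ok {
		return "", errors.New("unknown or already used nonce")
	}
	delete(v.pending, p.Nonce)
	if now.After(ch.Expires) || p.Audience != v.Origin {
		return "", errors.New("challenge expired or audience mismatch")
	}
	pub, err1 := hex.DecodeString(p.HolderKey)
	sig, err2 := hex.DecodeString(p.Signature)
	msg, _ := json.Marshal(p.signedPayload) // same canonical bytes the wallet signed
	if err1 != nil || err2 != nil || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(pub), msg, sig) {
		return "", errors.New("bad holder key or signature")
	}
	user, ok := v.accounts[p.HolderKey]
	if !ok {
		return "", errors.New("holder not registered")
	}
	return user, nil
}
```

A login is `IssueChallenge` on the service, `Present` in the wallet, `Verify` on the service. Submitting the same presentation twice fails on the consumed nonce, a presentation minted for one origin is rejected by another, and editing a claim after signing breaks the signature; none of these paths involves a stored password that could leak in a breach.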