Secure Authentication on the Web Without Relying on Computationally Hard-to-Guess Passwords

The main authenticator in this process is a biometric- or PIN-protected phone. But as opposed to current two-factor authentication methods, this method does not require user interaction on every authentication attempt.

The process requires:
  1. A Bluetooth-enabled smartphone that can be protected with biometrics or a PIN. The phone also needs to support silent and non-silent push notifications. Basically any modern smartphone (iPhone, Android, or Windows Phone) should work.
  2. The computer that starts the authentication session also needs to support Bluetooth.
Below is the diagram of all the players and their interactions, numbered in order of occurrence:
  1. At the login attempt, the browser sends a unique identifier of the user to the server. It also starts recording the user's behavioral signature (mouse movements and key presses).
  2. At the same time, all agents record the user's behavioral signature (mouse movements and key presses) in the background. The agent is software that runs natively on each user's machine.
  3. The server sends a silent push to all authorized smartphones of that user.
  4. The phones turn on Bluetooth Low Energy to detect advertising devices nearby with a specific service ID; this ID can be unique to each authentication service.
  5. The computer runs an app that advertises a specific UUID, which uniquely identifies the device.
  6. The phone picks up all nearby IDs under that service ID and sends them back to the server. All of this happens in the background without the user's involvement; most modern phones support Bluetooth discovery in the background.
  7. The server verifies whether the discovered UUIDs belong to its agent fleet. We call these valid agents.
  8. The server notifies the browser (through a WebSocket) and all valid agents (through silent push) to have their user-generated signatures ready. A "user-generated signature" can be anything that is pseudo-random and that both the agent and the login page in the browser have access to. Examples are:
  9. At this point a zero-knowledge proof algorithm (any secure computation algorithm that can compare our chosen user behavioral signature without exposing it) is started between the web browser and all valid agents, with the server acting as moderator. Data transfer between agent and server should be secured with an asymmetric public/private key pair to assure the authenticity of the agent; a unique key pair is used for each install of the agent, and the public key is stored on the server.
  10. Alternatively, if the server can be trusted, the "user-generated fingerprint" can be sent securely back to the server for verification instead of using a secure computation algorithm.
  11. If the zero-knowledge verification or the server-side verification results in a match between an agent and the web page, continue to the next step; otherwise disallow the login.
  12. If the matched agent is involved for the first time in granting access to this user, go to the next step; otherwise the server allows the user access.
  13. The server sends a push notification to the phone that originally reported the ID of the matched agent. The push notification requests the user's biometric or PIN. Once the biometric is validated, the user is granted access.
  14. If the biometric is not validated, the user does not gain access and the agent is not added to the accepted list of login devices for this user.
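The server-side decision logic of steps 7 through 14, as an added example that is not part of the original post and not the author's implementation. It assumes a constructed agent fleet, constructed behavioral event streams, and a phone discovery result passed in as a list of UUIDs. The secure comparison of step 9 is stood in for by keyed commitments under a per-session nonce, so the server learns only whether the browser's and an agent's signatures match; this is a simplification of the zero-knowledge step, and it only resists guessing if the behavioral signature itself carries enough entropy. Transport signing with the agent's key pair is outside this snippet.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Agent:
    """One agent install: the BLE UUID it advertises and the users it has
    already been approved for (the 'accepted list of login devices')."""
    uuid: str
    known_for: set = field(default_factory=set)


def make_fleet():
    # Constructed sample fleet; the UUID strings are placeholders.
    return {
        "a1b2c3d4-agent-office-desktop": Agent("a1b2c3d4-agent-office-desktop", {"alice"}),
        "e5f6a7b8-agent-home-laptop": Agent("e5f6a7b8-agent-home-laptop"),
    }


# Constructed behavioral event streams: (timestamp_ms, kind, value).
SESSION_EVENTS = [(0, "mouse", "120,340"), (37, "key", "down"), (81, "mouse", "131,352")]
OTHER_EVENTS = [(0, "mouse", "400,10"), (52, "key", "down")]


def valid_agents(fleet, discovered_uuids):
    """Step 7: keep only the UUIDs the phone saw that belong to our fleet."""
    return [u for u in discovered_uuids if u in fleet]


def signature_digest(events):
    """Reduce an event stream to a fixed digest. Browser and agent apply the
    same reduction to the events they each observed."""
    h = hashlib.sha256()
    for t, kind, value in events:
        h.update(f"{t}:{kind}:{value}\n".encode())
    return h.digest()


def commitment(digest, nonce):
    """Keyed commitment under a server-issued nonce. Equal digests give equal
    commitments; the nonce keeps commitments from being replayed across
    sessions. Not a full zero-knowledge protocol (see lead-in)."""
    return hmac.new(nonce, digest, hashlib.sha256).digest()


def authenticate(user, browser_events, agent_events, discovered_uuids, fleet, biometric_ok):
    """Steps 8-14. agent_events maps agent UUID -> that agent's event stream;
    biometric_ok is a callable standing in for the phone's biometric/PIN prompt."""
    nonce = secrets.token_bytes(32)  # step 8: fresh nonce per login session
    browser_c = commitment(signature_digest(browser_events), nonce)
    matched = None
    for uuid in valid_agents(fleet, discovered_uuids):
        agent_c = commitment(signature_digest(agent_events[uuid]), nonce)
        if hmac.compare_digest(browser_c, agent_c):  # step 11: constant-time compare
            matched = fleet[uuid]
            break
    if matched is None:
        return "denied: no valid agent matched the browser's behavioral signature"
    if user in matched.known_for:  # step 12: agent already accepted for this user
        return "granted"
    if biometric_ok():  # steps 13-14: first-time agent needs the phone's biometric/PIN
        matched.known_for.add(user)
        return "granted: new agent enrolled for user"
    return "denied: biometric/PIN check failed"


if __name__ == "__main__":
    fleet = make_fleet()
    seen = ["e5f6a7b8-agent-home-laptop", "unknown-neighbour-uuid"]
    print(authenticate("alice", SESSION_EVENTS,
                       {"e5f6a7b8-agent-home-laptop": SESSION_EVENTS},
                       seen, fleet, biometric_ok=lambda: True))
```

Unknown UUIDs reported by the phone are dropped before any comparison, so a nearby device that is not in the fleet never reaches the matching step, and a first-time agent only gets onto the accepted list after the phone-side check succeeds.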
Notes:

Benefits:

Downsides: