This is a technique I’ve come up with, intended to be an improvement on the norm, and on multifactor authentication. It is both more secure and more convenient.
So this system has many features no existing system I’ve heard of has. In combination they make it perfectly secure.
How it works:
Cryptography usually uses some kind of hashing function, where it is easy to perform the calculation but difficult to reverse it. The analogy is mixing paint. Given two paint colours, it’s easy to figure out what colour is produced by mixing them. But given the mixed colour, it’s difficult to find out either component colour. I’ll use notation AxB=C for the forward function, where multiplication is easy, but the reverse function - given C find A or B - is difficult.
Here the user has two master passwords, PA and PB, which are the same for all services. He also has a device which performs the calculation AxB, to generate new temporary passwords. The calculator can be built into the browser, the OS, on the command-line, or on an air-gapped device.
Signing up to a service: The user provides the service a username and his two login passwords: PA x serviceID, PB x serviceID.
This is as convenient as a conventional login process - assuming the calculator is built into the browser. Just enter your master passwrods and the browser will do the rest. But if the calculator is air-gapped, this technique has perfect security.
So the “something you have” and “something you are” are not required. If you’re a fan of two or three factor authentication you can incorporate them into this system. The login process can also be tweaked to force the user to check that the service’s login is valid.
serviceID can be just the company name, or some other word which is the same for every user of the service, and shown on the login form. It can also be unique unique to each user, defined by either the user or the service (the service can remind the user of his serviceID)
The date could also be any unique or pseudo-random number. It could be displayed on the login form, to avoid timezone problems. Anyway the same date (and therefore the same login) can never be reused. Probably the date is rounded to 5min intervals, to the user has to wait 5min after each failed login attempt.
The user’s passwords can be quite simple. High entropy is added to the login during the calculation. And if somehow hacked the passwords are easily changed.
This technique is easy to implement. A single browser or OS, and a single website/service could unilaterally start using this system. Or the details could be strictly defined as an internet standard.
There is no obstacle, political or technical. We could have perfect security, married with perfect convenience, today.