# Uniauth

Easy-to-use abstraction over authentication.

# How it works

1. Application tells the server of a requested action (for example, to log in) and asks for a nonce.
2. Server issues a nonce which will never be used again.
3. Application tells the user's local uniauth daemon to sign a challenge using the nonce, service name and username.
4. User authenticates/authorizes the action.
5. Daemon signs the challenge and the response is sent from the application to the server.
6. Server verifies the challenge against the user's key(s).

# Server

Servers only store public keys, so if/when the server is compromised the attacker cannot do anything with them.

# Daemon

Uniauth daemons can do anything, from being completely autonomous to using a hardware authenticator.

# Signature Algorithms

The application-daemon protocol supports any algorithm with signatures and keys under 65516 bytes long. Currently **Ed25519** and **CRYSTALS-Dilithium3** are supported. Ed25519 has tiny signatures and keys, but Dilithium3 is post-quantum safe.
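
The six steps under "How it works", sketched with Ed25519 as an added example (this is not Uniauth's own code). The `Server` type, the challenge encoding, and the names `alice` and `example-service` are assumptions made for illustration; server, daemon and application all run in one process here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

type Server struct {
	keys   map[string][]ed25519.PublicKey // public keys only, per user
	nonces map[string]bool                // issued and not yet used
}

// IssueNonce is step 2: a fresh random nonce, remembered until consumed.
func (s *Server) IssueNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	s.nonces[string(n)] = true
	return n
}

// Challenge length-prefixes each field (encoding assumed here, not Uniauth's wire format).
func Challenge(nonce []byte, service, user string) (out []byte) {
	for _, f := range [][]byte{nonce, []byte(service), []byte(user)} {
		out = append(binary.BigEndian.AppendUint32(out, uint32(len(f))), f...)
	}
	return out
}

// Verify is step 6: burn the nonce, then try each key registered for user.
func (s *Server) Verify(nonce []byte, service, user string, sig []byte) (ok bool) {
	issued := s.nonces[string(nonce)]
	delete(s.nonces, string(nonce)) // consumed even when the signature is bad
	for _, pk := range s.keys[user] {
		ok = ok || issued && ed25519.Verify(pk, Challenge(nonce, service, user), sig)
	}
	return ok
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed test key
	srv := &Server{map[string][]ed25519.PublicKey{"alice": {pub}}, map[string]bool{}}
	n := srv.IssueNonce()
	sig := ed25519.Sign(priv, Challenge(n, "example-service", "alice")) // daemon, step 5
	fmt.Println(srv.Verify(n, "example-service", "alice", sig), srv.Verify(n, "example-service", "alice", sig))
}
```

The first verification succeeds and the second, a replay of the same response, fails because the nonce has already been consumed.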