Skip to main content

Password Manager Flow

The password manager flow allows for a familiar login flow (via Emails/Phone Numbers) on an application whilst utilising the users provided password as an added salt on their public-private key pair.

Much like password managers (eg. LastPass, BitWarden), traditionally this model takes your private key, encrypts it with your password, and stores this encrypted private key on their servers. This ensures another layer of security for the user since nobody can retrieve the private key unless they know the password.

Combined with DirectAuth, we're able to replace the central server with Torus' distributed architecture to allow us to make use of our distributed key generation protocol to act as the initial randomness, which will be added to the user's password to generate the user's private key.

The user's private key is the XOR of the distributed key generated by torus nodes and a hash of the user's password. Meanwhile, the double hash of the password is used to verify the user's identity with Torus.

However, this introduces a host of other problems, including the difficulty of password recovery, password reset, device management, as well as the issue of how to ensure that password recovery of their private keys isn't centralised or censorable.