Opaque

Secure password-based client-server authentication without the server ever obtaining knowledge of the password.

A JavaScript implementation of the OPAQUE protocol.

Benefits

Never accidentally log passwords

Security against pre-computation attacks upon server compromise

Foundation for encrypted backups and end-to-end encryption apps

System Simulation

Test the protocol and see how it works

Type in some credentials and see how the magic works.


Details

OPAQUE provides robust security measures that effectively neutralize various types of attacks. Unlike traditional methods, it eliminates the need to send passwords to the server, thereby thwarting sniffing and replay attacks. Moreover, the protocol prevents pre-computation attacks by attackers.

Through the use of an Oblivious Pseudo-Random Function (OPRF), OPAQUE protects both the password and the value that acts as a form of "salt", so neither is exposed by a direct password leak. The protocol has also undergone rigorous testing and comes with mathematical proofs of security within a robust model.
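The OPRF exchange described above, as an added illustration that is not code from this library or from the OPAQUE specification. It assumes a simplified Diffie-Hellman style OPRF over the RFC 3526 2048-bit MODP group (real OPAQUE uses elliptic-curve groups), and all function names are hypothetical.

```javascript
const nodeCrypto = require("node:crypto");

// Toy group (assumption): squares modulo the RFC 3526 2048-bit safe prime p = 2q + 1.
const p = BigInt("0x" + nodeCrypto.getDiffieHellman("modp14").getPrime("hex"));
const q = (p - 1n) / 2n; // prime order of the subgroup of squares

function modPow(base, exp, mod) {
  let result = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

// Uniform scalar in [1, q-1]; 64 surplus bits make the modulo bias negligible.
function randomScalar() {
  return (BigInt("0x" + nodeCrypto.randomBytes(264).toString("hex")) % (q - 1n)) + 1n;
}

// Map the password to a group element: expand with SHAKE256, then square into the subgroup.
function hashToGroup(password) {
  const xof = nodeCrypto.createHash("shake256", { outputLength: 264 });
  return modPow(BigInt("0x" + xof.update(password, "utf8").digest("hex")), 2n, p);
}

// Client, step 1: blind H(pw) with a fresh random exponent r before it leaves the device.
function blind(password) {
  const r = randomScalar();
  return { r, blinded: modPow(hashToGroup(password), r, p) };
}

// Server: raise the blinded element to its secret key k; it never sees pw or H(pw).
function evaluate(k, blinded) {
  return modPow(blinded, k, p);
}

// Client, step 2: remove r (exponent r^-1 mod q) to obtain H(pw)^k, then hash to a key.
function finalize(password, r, evaluated) {
  const unblinded = modPow(evaluated, modPow(r, q - 2n, q), p); // r^-1 via Fermat, q prime
  return nodeCrypto.createHash("sha256")
    .update(password, "utf8").update(unblinded.toString(16)).digest("hex");
}

// Full exchange as one call: returns what the server saw and what the client derived.
function oprfRoundTrip(k, password) {
  const { r, blinded } = blind(password);
  return { blinded, output: finalize(password, r, evaluate(k, blinded)) };
}
```

Two runs with the same password and server key yield the same client output while the server sees a different blinded value each time, so a transcript or server log contains nothing that can be replayed or matched against a password list.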

Another advantage is its ability to offload the memory-hard key-stretching function to the client side. This not only enhances security but also minimizes the server's vulnerability to computational denial-of-service (DoS) attacks.

Furthermore, OPAQUE can function securely over an unencrypted communication channel, removing the necessity for additional layers like TLS. It even includes a countermeasure against user enumeration attacks: the server can return a decoy record, making it impossible for an attacker to determine whether a particular user exists or not.

There have been extensive security analyses and audits:

Downsides

- The protocol requires JavaScript to run on the client

- Registration and login require one extra request roundtrip to complete each flow

- No resistance against quantum computing attacks

Who is using it?


Comparison to Password Hashing

Opaque comes with a few benefits and tradeoffs compared to password hashing.

Benefits

- The server never learns the password and therefore can never log it (accidentally)

- Foundation for end-to-end encryption

Tradeoffs

- Requires JavaScript to run in the browser

- One extra roundtrip for registration and login

Comparison to Passkeys

Opaque comes with a few benefits and tradeoffs compared to Passkeys.

Benefits

- No need for users to rely on an external authority for key storage. Usually Apple, Google or Microsoft.

- No device/browser/OS lock-in. On Linux for example there is no Passkey support.

- Passkeys have no support for a stable `export_key` on the client. This makes Passkeys unsuitable for encrypted backups or as a foundation for end-to-end encryption apps. This might be possible in the future with the PRF Extension.

Tradeoffs

- You still need to remember and store a password. Passwordless authentication is preferable.

- Passkeys have even stronger security guarantees against server compromise since only a public key is stored.

Note: You can also deploy Passkeys and have Opaque as a fallback for users without Passkeys. Best of both worlds.

Relevant building blocks and inspirations

Interested?