Opaque

Secure password based client-server authentication without the server ever obtaining knowledge of the password.

A JavaScript implementation of the OPAQUE protocol (opens in a new tab).

Benefits

  • Never accidentally log passwords
  • Security against pre-computation attacks upon server compromise
  • Foundation for encrypted backups and end-to-end encryption apps
  • 0 npm dependencies

System Simulation

Test the protocol and see how it works

Type in some credentials and see how the magic works.

Client
Server

Details

OPAQUE provides robust security measures that effectively neutralize various types of attacks. Unlike traditional methods, it eliminates the need to send passwords to the server, thereby thwarting sniffing and replay attacks. Moreover, the protocol prevents pre-computation attacks by attackers.

Through the use of an Oblivious Pseudo-Random Function (OPRF), OPAQUE safeguards the password and basically some form of "salt", making it impervious to direct password leaks. This protocol has also undergone rigorous testing and offers mathematical proofs of security within a robust model.

Another advantage is its ability to offload the memory-hard key-stretching function to the client side. This not only enhances security but also minimizes the server's vulnerability to computational denial-of-service (DoS) attacks.

Furthermore, OPAQUE can function securely over an unencrypted communication channel, removing the necessity for additional layers like TLS. It even includes a countermeasure against user enumeration attacks: the server can return a decoy record, making it impossible for an attacker to determine whether a particular user exists or not.

Downsides

  • The protocol requires JavaScript to run on the client
  • Registration and login require one extra request roundtrip to complete each flow

Who is using Opaque?

Who is using the OPAQUE protocol?

Security

Benefits compared to password hashing

  • The server never learns the password and therefor never can log it (accidentally)

Tradeoffs compared to password hashing

  • Requires JavaScript to run on the client
  • One extra roundtrip for registration and login

Benefits compared to Passkeys

  • No need for users to rely on an external authority for key storage. Usually Apple, Google or Microsoft.
  • No device/browser/OS lock-in. On Linux for example there is no Passkey support.
  • No support for a stable export_key on the client. This makes Passkeys unsuitable for encrypted backups or as a foundation for end-to-end encryption apps. Might be possible in the future with the PRF Extension (opens in a new tab)

Tradeoffs compared to Passkeys

  • You still need to remember and store a password. Passwordless authentication is preferable.
  • Passkeys have even stronger security guarantees against server compromise since only a public key is stored.

Note: You can also deploy Passkeys and have Opaque as a fallback for users without Passkeys. Best of both worlds.

Relevant building blocks and inspirations