
Mutual TLS is pretty cool. You can install client certificates into your browser issued from a CA that a server accepts, and the server can then use the details in your client certificate to authenticate you to an application-specific user.

When you visit a server using mutual TLS, you'll get a prompt showing all your client certificates that match CAs that the server accepts. Once you select one, all your future requests will use that client certificate and be associated with that identity.

The client certificates can even be placed into smart card hardware devices (which can be USB or actual smart cards) that require a PIN or some other factor to use.

Because it's all built on public/private key encryption, the server has no credentials to lose in a data breach. Nobody can steal your credentials and reuse them to attack your other accounts.

And this is supported by all browsers today.
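To make the mechanism in this comment concrete, here is an added, self-contained Go example (not code from the original thread or any project mentioned in it). It builds a constructed PKI in memory, starts an in-process TLS server that requires a client certificate chaining to that CA, and maps the verified certificate's CommonName to an application account. All names (the CA, "alice", "carol", "bob", the account string) are hypothetical; the server is `net/http/httptest`, so nothing is written to disk and no real CA is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issueCert returns a certificate for cn signed by parent, or a self-signed CA when parent is nil.
func issueCert(cn string, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	if parent == nil {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key} // the CA signs itself
	} else { // Go's server checks the client chain against this extended key usage
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

type result struct {
	Status int
	Body   string
	Err    error // non-nil when the handshake or the request failed
}

// newMTLSServer requires a client certificate chaining to ca and maps its CommonName to an account.
func newMTLSServer(ca tls.Certificate, users map[string]string) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The handshake already proved the client holds a key certified by our CA; no password involved.
		cn := r.TLS.PeerCertificates[0].Subject.CommonName
		user, ok := users[cn]
		if !ok { // a valid certificate authenticates; it does not by itself authorize
			http.Error(w, "no account for "+cn, http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "hello %s", user)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	return srv
}

// get makes one request on a fresh connection. Like a browser, Go's client offers only a
// certificate whose issuer is among the CAs the server names in its CertificateRequest.
func get(srv *httptest.Server, certs ...tls.Certificate) result {
	tlsConf := srv.Client().Transport.(*http.Transport).TLSClientConfig.Clone() // trusts srv
	tlsConf.Certificates = certs
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: tlsConf}}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return result{Err: err}
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return result{Status: resp.StatusCode, Body: string(body), Err: err}
}

// demo builds a constructed PKI (all names hypothetical) and tries four clients against it.
func demo() map[string]result {
	ca, otherCA := issueCert("Example Client CA", nil), issueCert("Unrelated CA", nil)
	srv := newMTLSServer(ca, map[string]string{"alice": "alice@example.test"})
	defer srv.Close()
	return map[string]result{
		"alice":   get(srv, issueCert("alice", &ca)),    // 200: enrolled user
		"carol":   get(srv, issueCert("carol", &ca)),    // 403: our CA, but no account
		"bob":     get(srv, issueCert("bob", &otherCA)), // handshake error: issuer not accepted
		"no-cert": get(srv),                             // handshake error: nothing offered
	}
}
```

Two points the four cases make visible: a client with no certificate, or with one from a CA the server does not list, never reaches the application at all, because `RequireAndVerifyClientCert` fails the TLS handshake before any HTTP request is read; and a certificate the CA did issue only establishes identity, so the application still needs its own account lookup (the "carol" case) to decide what that identity may do. A single `result` per case is returned from `demo` so the outcomes can be checked programmatically rather than read off a log.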




That would put a lot of responsibility on the user. It is analogous to keeping medical records yourself and taking them with you to the hospital every time you visit. In the event of a fire or other catastrophe, your credentials would be lost forever, correct?

Either way, I usually do not want to log in or be prompted to log in to sites I visit. When I do want to log in, either via Mutual TLS or by entering my credentials, I would like to have a hotkey I can push that brings me to the login page, pushes the login button, or inserts my TLS cert.


> In the event of a fire or other catastrophe, your credentials would be lost forever, correct?

If you intentionally did the hard path of owning all your keys then didn't back them up - yes.

But most users would be subscribing to some auth service (Google, their bank, etc) and that organization would have recovery issues.

> I would like to have a hotkey I can push that

This is already super simple with no new tech - just make your login button of class "LoginButton" or something we pick, and the plugin will just click it via code.

The UI really is slick. When the site requests auth the browser pops up a window with the help of the system's secret storage and shows you your identities. This could be automated to avoid even that single popup if desired.


Also, the prompt is uniform and immediate anywhere you need to be authenticated. With a single client certificate that meets the server's criteria, most browsers can be configured to automatically apply your certificate so you never even see the prompt.

Furthermore, browsers support different kinds of storage for client certificates. You could, in theory, make a cloud-hosted client certificate store that you unlock once per session to use with your browser.

Ultimately, it addresses the whole "finding the login button" concern by eliminating login flows from the application completely. If you have no certificate, then you can't access the service at a protocol level, period.


It's more like keeping your ID card with you. The hospital would still have your records but wouldn't give you access to them until you present your ID card.

If you lose your ID card, you have to go back to the issuer of ID cards and request a new one. Similarly, with client certificates, you go back to the Certificate Authority to get a new client certificate.



