I've been working on a security system that completely ditches the traditional methods of authentication. No passwords to steal, no sessions that could be hijacked, and no tokens that might leak. Instead, I'm focusing on a system where every API request serves as its own proof of identity through cryptography, without storing any state on the server. In my tests, I've found that replay attacks are impossible and there are no token expiration issues. I initially started this for small business e-commerce and POS systems, but the more I develop it, the more I think about its potential for larger applications. For those of you who specialize in security, do you think a stateless authentication system really has practical value, or am I missing something significant? I'm eager to hear your expert opinions!
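As an added illustration (not the asker's code), here is a minimal version of the per-request signing scheme described above: an HMAC over the method, path, body hash, timestamp and nonce, checked on every request with no session or bearer token. The header names, the key table and the five-minute window are assumptions; the nonce cache is the one piece of short-lived state the verifier keeps, since a valid signature inside the window is otherwise indistinguishable from a replay of it.

```python
import hashlib
import hmac
import secrets
import time

# Assumed header layout; real schemes (e.g. AWS SigV4) differ in detail.
def canonical(method, path, body, ts, nonce):
    """Bytes that both sides sign: binds verb, path, body digest, time and nonce."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{body_hash}\n{ts}\n{nonce}".encode()

def sign_request(key_id, secret, method, path, body, ts=None, nonce=None):
    """Client side: produce the headers that prove possession of `secret`."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac}

class Verifier:
    """Server side: no sessions, only a key table and a bounded nonce cache."""

    def __init__(self, keys, window=300):
        self.keys = keys            # key_id -> shared secret (assumed lookup table)
        self.window = window        # accepted clock skew in seconds
        self.seen = {}              # nonce -> expiry; entries live only for one window

    def verify(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        secret = self.keys.get(headers.get("X-Key-Id"))
        if secret is None:
            return False, "unknown key"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "stale"           # outside window: rejected before any cache lookup
        nonce = headers.get("X-Nonce", "")
        expected = hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"   # constant-time compare avoids timing leaks
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}  # drop expired nonces
        if nonce in self.seen:
            return False, "replay"          # same signed request presented twice inside the window
        self.seen[nonce] = now + self.window
        return True, "ok"
```

The cache only needs to remember nonces for one window, so its size is bounded by request rate times window length rather than by the number of users.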
1 Answer
So you’re saying every single request will need re-authentication? That sounds like it could cause serious lag and would be a hassle for users. Even if it technically works, it might be too much for most developers to handle or for users to enjoy.
But what about performance? If the signature verification happens super fast, it might be better than managing sessions or tokens. Plus, it sounds like a lightweight way to improve security overall.