Eccentric Authentication in a Nutshell


Eccentric Authentication is a protocol. It’s authentication done right.

Ease of use

The end user does not have to think about cryptography or arcane rules; it just works. A user agent hides all that difficult crypto-stuff and behaves in the user’s interest.


Users remain anonymous. There is no requirement for users to provide identifying details at any time. Users have different credentials for each site, so they cannot be tracked between sites either. Users are free to divulge their identities at their discretion.

No identity theft

The problem with passwords is that you are supposed to keep them secret, but you have to tell them to the site where you want to log in. And users cannot tell the bank from a criminal site posing as the bank. Eccentric Authentication does not use passwords at all. The protocol never divulges any secret that could allow someone else to impersonate the user.

Unique identifiers

Introducing strangers

It’s difficult to exchange public keys easily and
correctly between strangers who have never met before.

But once they have done so, there is no way to stop them from communicating any more.

Eccentric Authentication focuses on getting that first key exchanged.

Eccentric Authentication is an authentication protocol that places end
user anonymity, privacy and ease of use above other requirements. The
user comes first, the web sites come second. The spies can go home.

It is designed to let people create accounts at web sites while staying
anonymous. The accounts are created with anonymous cryptographic
identities. All the crypto-details are handled by a user agent, which
makes creating an account as easy as pressing a button. No more hassles
with passwords or email messages with activation links.

The users stay anonymous until they decide to reveal their
identity. Even the web site will not learn the true identities. Nor
will anyone else when proper traffic analysis protection is used (Tor, I2P).

Secure names

Hidden in the account management are the public and private
keys. These can be used to encrypt and sign messages between users of
a site, or even between users of different sites. This can form the
basis of a secure email replacement, making phishing even more a thing
of the past. Because of the validation service, users can learn of
other users’ identities by nickname and look up their public keys. This
makes worldwide names secure.

Always encrypted

As this protocol deploys https-connections everywhere, it protects the
users against passive eavesdropping and active manipulations such as
Phorm or DPI.

End phishing

With the use of DNSSEC and a validation service that checks that each
certificate is issued only once, we can prevent Man-in-the-Middle
attacks and phishing. Even if the user falls for a bank-phishing scam,
his/her computer knows better and won’t let the user connect. If the
user were to persist, bypass all protections and log in at the phisher’s
fake bank site, the real bank site would detect it when the phishers
impersonate the user, and block the account.
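The per-site credentials from the "Ease of use" section and the validation service's "issued only once" check above, as an added example that is not the project's own code: a simplified registry (an assumption about how such a service could work) that records the key fingerprint behind every (site, nickname) pair, accepts the same certificate again, refuses a second, different key for the same pair, and keeps the same nickname at another site unlinked.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Issuance:  # one client certificate issued by a site's local CA (constructed model)
    site: str       # the site whose CA signed the certificate
    nickname: str   # account name the user chose at that site
    pubkey: bytes   # public key bound to that name (sample bytes in demo())

def fingerprint(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()[:16]

class ValidationService:
    """Simplified model of the validation service (assumption, not the
    project's code): one key per (site, nickname); a second key for the
    same pair is what an impersonator needs, so it is refused and logged."""

    def __init__(self) -> None:
        self._seen = {}     # (site, nickname) -> key fingerprint
        self.alerts = []    # human-readable records of refused issuances

    def register(self, issued: Issuance) -> bool:
        name = (issued.site, issued.nickname)
        fp = fingerprint(issued.pubkey)
        prior = self._seen.get(name)
        if prior is None:            # first time this name is seen: record it
            self._seen[name] = fp
            return True
        if prior == fp:              # the same certificate presented again: fine
            return True
        self.alerts.append(
            f"{issued.nickname} at {issued.site}: key {prior} already "
            f"registered, refused second key {fp}")
        return False

def demo():
    """Constructed scenario: alice registers at a bank and, with an unrelated
    key, at a shop; later someone asks for a second 'alice' at the bank."""
    svc = ValidationService()
    results = [
        svc.register(Issuance("bank.example", "alice", b"ALICE-BANK-KEY")),
        svc.register(Issuance("shop.example", "alice", b"ALICE-SHOP-KEY")),
        svc.register(Issuance("bank.example", "alice", b"ALICE-BANK-KEY")),
        svc.register(Issuance("bank.example", "alice", b"ATTACKER-KEY")),
    ]
    return results, len(svc.alerts)

if __name__ == "__main__":
    print(demo())   # ([True, True, True, False], 1)
```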

Safe javascript apps

With some changes in the browsers’ Same Origin Policy, Eccentric
Authentication can be used to prevent XSS and CSRF attacks. That opens
the way for secure javascript applications, such as CryptoCat, Crypho
or other activist tools.

Good for/with Tor

Secondary benefits: due to the pervasive use of encryption, Tor users
benefit in two ways. First, the use of Tor does not stand out among the
other traffic that uses this protocol, which makes it easier to hide
your Tor use. Secondly, when running eccentric authenticated
connections over Tor, the end-to-end connection is encrypted, solving
the evil-exit-node vulnerability of Tor.

Please see the Design Goals for more details and use cases.

With regards,
Guido Witmond
Witmond Secure Software
inventor of Eccentric Authentication