A new passwordless security protocol has been launched by the Linux Foundation and tech vendors BastionZero and Docker to secure open source software ecosystems. Dubbed OpenPubkey, it allows users to securely and accurately bind cryptographic keys to other users and workloads, removing the need to remember passwords.
There has been a drive across the technology sector to move away from passwords in order to combat phishing and data breaches. Google, Apple and Microsoft are moving to passkey solutions that use biometrics to access an account, while others, such as IBM, are pushing for the change in enterprise settings.
OpenPubkey is being integrated into Docker container signing by BastionZero, which will allow for passwordless authentication of open source software. The new protocol was developed by BastionZero as part of its secure infrastructure access product.
The protocol works by turning an OpenID Connect Identity Provider (IdP) into a Certificate Authority (CA). This allows cryptographic keys to be bound to workloads and users. BastionZero says the integration will allow it to enhance software supply chain security.
OpenID Connect is an open authentication protocol built on the OAuth 2.0 framework that allows users to use single sign-on via third-party providers. This lets a user access multiple platforms, such as newspapers or tools, while providing personal information only once.
How OpenPubkey can be used by tech teams
Developers will be able to build software supply chain and security applications, and enable workloads and users to sign artefacts using an OpenID identity. The new protocol allows these OpenID keys to be linked to an application or workload. For example, they could be used to enable secure remote access or signed builds and deployments.
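As an added illustration (not code from the OpenPubkey project or from this article), the Go model below shows what "turning the IdP into a CA" means for whoever verifies a signed artefact: the IdP signs an ID token that commits to the user's signing key, and a verifier holding only the IdP's public key can trace an artefact signature back to an OpenID identity. Committing to the key in the nonce claim, and all type and function names, are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Claims is the ID-token subset used here. Binding the key by committing to it in
// the nonce claim is this example's assumption; the article gives no mechanism.
type Claims struct {
	Sub   string   `json:"sub"`
	Nonce [32]byte `json:"nonce"` // SHA-256 of the user's signing key
}

// PKToken bundles the IdP-signed claims with the key they commit to.
type PKToken struct {
	Claims  []byte            // JSON claims exactly as the IdP signed them
	IdPSig  []byte            // IdP signature over Claims: the "IdP as CA" step
	UserPub ed25519.PublicKey // signing key bound to Sub
}

// IssuePKToken plays the IdP: it signs claims that commit to the user's key.
func IssuePKToken(idpPriv ed25519.PrivateKey, sub string, userPub ed25519.PublicKey) (PKToken, error) {
	claims, err := json.Marshal(Claims{Sub: sub, Nonce: sha256.Sum256(userPub)})
	if err != nil {
		return PKToken{}, err
	}
	return PKToken{Claims: claims, IdPSig: ed25519.Sign(idpPriv, claims), UserPub: userPub}, nil
}

// VerifySigned checks an artefact signature and returns the OpenID identity
// behind it: trusted IdP signature, key binding, then the artefact signature.
func VerifySigned(idpPub ed25519.PublicKey, tok PKToken, artefact, sig []byte) (string, error) {
	if !ed25519.Verify(idpPub, tok.Claims, tok.IdPSig) {
		return "", errors.New("ID token was not signed by the trusted IdP")
	}
	var c Claims
	if err := json.Unmarshal(tok.Claims, &c); err != nil {
		return "", err
	}
	if c.Nonce != sha256.Sum256(tok.UserPub) {
		return "", errors.New("signing key is not the one bound to this identity")
	}
	if !ed25519.Verify(tok.UserPub, artefact, sig) {
		return "", errors.New("artefact signature invalid")
	}
	return c.Sub, nil
}
```

A verifier therefore needs to trust only the IdP's public key, as it would a CA's, and never a per-user password or a long-lived per-user certificate.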
“The Linux Foundation is proud to host the OpenPubkey Project,” said Jim Zemlin, executive director of the Linux Foundation. “We believe this initiative will play a pivotal role in strengthening the security of the open source software community [and] we encourage developers and organisations to join this collaborative effort in enhancing software supply chain security.”
Another example of how the system can be used is to have all code commits within a project signed automatically using the OpenID set-up. Ethan Heilman, CTO of BastionZero, said OpenPubkey being a stand-alone protocol makes it easier and more secure to use digital signatures.
He added that integrating it into Docker was a good way to bring it to the world. “We are excited to partner with Docker to offer its community of software developers and open source contributors a simple and convenient way for users, service accounts, machines, or workloads to create digital signatures using their identity,” Heilman said.