HOBA Authentication

HTTP Origin-Bound Authentication (HOBA) is a simple authentication scheme that is not password-based. HOBA has become an alternative to password-based HTTP authentication schemes by reducing or eliminating password entry.

HOBA authentication mechanism uses a digital signature instead of the passwords and it also offers additional features like credential management and logout system.

HTTP clients can authenticate themselves to servers in the HTTP protocol or in a Javascript authentication program with the usage of public-private keys they create. The public key is open, the private key needs privacy for security reasons.

Implementing HOBA in HTTP applications gives the user an opportunity to establish a connection to the same service with more than one device or source-bound key.

The implementation process requires no names, passwords. And there’s no danger of leaking out or exposing passwords since there is no password verification database on the server side.

Implementing HOBA

Technically, it is a challenge-response digital signature protocol with a client nonce.

The client starts with determining if it already has a public key to authenticate or must generate one. For a start, the client determines if it already has a public key to authenticate or must generate one.

Then, the client makes a connection to the server, anticipating the server to ask for HOBA-based authentication, which is to be done by signing a blob of information.

The server sends a confirmable challenge in an HTTP header and client has to respond in time with a signature having previously given server the public key.
The server determines the CPK (client public key) using the key identifier (kid) to decide if it recognizes the CPK. If the CPK is recognized the authentication process is complete.

The authentication depends entirely on the server, its policies, and practices; there is no standardized protocol and no suggested template for interaction.

The HOBA requires challenge and max-age attributes that must be included and it also has an optional realm attribute. The challenge attribute is a base64url string that must be unique for every 401 HTTP response. The max-age attribute defines the time in seconds during which responses to the challenge can be accepted. The realm attribute can appear only once to indicate the scope of protection.


  • pub: UA generated Public Key
  • kidtype: The key type
  • kide: The Public key ID
  • didtype: Device Type
  • did: Device id
HTTP Header:
  • Authentication = HOBA
  • challenge = [generated_challenge]
  • max-age = [expiration_time]