Security overview

Security Considerations for Signature-based Authentication

Unlike other authentication systems, where either a session ID or an authentication token is used to maintain the authentication, our system uses a signature and a key ID. For all intents and purposes it is very similar to session-based authentication, because it still needs a way to identify the user who signed the request and hence identify their key. That key is then used to check whether the signature on the request matches its contents, and the authentication is considered successful only when this signature is validated.

It follows that this authentication is much more secure, because it goes one step further: rather than simply identifying the user, it also makes sure that the user holds the secret key (private key) attached to their authentication session, and that they signed the request that was sent to your server.
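A minimal server-side check of the scheme described above, as an added example that is not Zalter's code: the key ID selects the stored public key, and the signature must match the request contents. The field names, the `sessionKeys` store, the signed byte layout and the choice of Ed25519 are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// Server-side store: key ID -> public signature key obtained during the
// key exchange. (Hypothetical structure, not Zalter's.)
const sessionKeys = new Map();

// Assumed canonical form: the exact bytes both sides sign and verify.
// A JSON array keeps the field boundaries unambiguous.
function canonicalize(req) {
  return Buffer.from(JSON.stringify([req.method, req.path, req.body]), 'utf8');
}

// Client side: sign the request with the private key held by the user.
function signRequest(req, keyId, privateKey) {
  const signature = nodeCrypto.sign(null, canonicalize(req), privateKey);
  return { ...req, keyId, signature: signature.toString('base64') };
}

// Server side: identify the key by its ID, then check the signature.
function verifyRequest(signed) {
  const publicKey = sessionKeys.get(signed.keyId);
  if (!publicKey) return { ok: false, reason: 'unknown key ID' };
  const sig = Buffer.from(String(signed.signature || ''), 'base64');
  const ok = nodeCrypto.verify(null, canonicalize(signed), publicKey, sig);
  return ok ? { ok: true } : { ok: false, reason: 'bad signature' };
}

// Constructed sample data: one enrolled user and one unrelated key pair.
function demo() {
  const user = nodeCrypto.generateKeyPairSync('ed25519');
  const other = nodeCrypto.generateKeyPairSync('ed25519');
  sessionKeys.set('key-1', user.publicKey);
  const req = { method: 'POST', path: '/transfer', body: '{"amount":10}' };
  const good = signRequest(req, 'key-1', user.privateKey);
  return {
    valid: verifyRequest(good),
    // Contents changed after signing: the signature no longer matches.
    tampered: verifyRequest({ ...good, body: '{"amount":9999}' }),
    // Correct key ID, but signed without the matching private key.
    keyIdOnly: verifyRequest(signRequest(req, 'key-1', other.privateKey)),
    unknownKey: verifyRequest({ ...good, keyId: 'key-2' }),
  };
}

console.log(demo());
```

The `keyIdOnly` case is the difference from a plain session ID: knowing the identifier is not enough without the private key. Replay protection is outside this sketch and would need a timestamp or nonce inside the signed bytes.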

Similarities with other protocols

In principle, our two authentication methods have some similarities with other more or less well-known authenticated key exchange protocols. In the case of our code-based authentication, where the user is presented with a code via an out-of-band channel (email or, as we plan for the future, SMS and even WhatsApp), the system resembles the PAKE family of key exchange mechanisms (PAKE, J-PAKE, CPAKE and other similar ones).

Our system uses different cryptographic principles, mostly based on signed exchanges and encryption, but the main idea behind the whole system stays the same: the code (one-time password) sent over the out-of-band communication method is used in a complex algorithm to perform the authenticated key exchange. As a result, both Zalter and your user end up with the other party's public signature key, while each party keeps its own private signature key so that it can authenticate itself by signing its messages.

The other main authentication method, link-based authentication, is very similar to a simple authenticated key exchange with out-of-band key sharing. Although it is an even simpler algorithm, it has a much higher security level. The basic principle of this authenticated key exchange is somewhat similar to the one employed by SSH, where the keys are shared out of band or simply physically. In this case the key is sent by email as an anchor link (browsers do not send these over the wire), and a short and effective process takes place to exchange the two signature keys and confirmation signatures. Just as in the first case, the end result is that both parties have each other's public signature key.
