Hello Folks,
I wonder if there is a reason a "Signed Password Authentication" option would not be a good idea in Jetty... The basic concept is to allow users to authenticate with their password along with a signature using a locally stored private key; authentication on the server would involve verifying the signature against a stored public key.
Adding this to Jetty is a trivial matter. Basically add a few columns to the "users" table:
_publicKey (user's public key)
_enableSignedPasswordAuth (true/false per user)
_signatureTimestampDelay (max delay between client submission and server auth...this can be set globally as well)
Of course, add the signature verification logic, maybe to JDBCLoginService.java.
Add a configuration option for enabling the feature globally, and allow for algorithm specification.
One major issue to be addressed is how to migrate private keys to other devices when a user needs to authenticate from various devices. However, this is an application-level concern and should have no bearing on adding this option to Jetty.
I penned a blog post on this: http://blog.crudzilla.com/2015/07/why-not-signed-password-authentication.html
I think this is an easy approach that can significantly improve password security.
-Edmond
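The scheme described in the post, as an added example in Go that is neither Edmond's code nor anything from Jetty: the client signs the password together with a submission timestamp using its locally stored private key, and the server checks the password, the configured timestamp delay and the signature against the stored public key. The UserRecord fields, the choice of Ed25519, the password||timestamp message layout and the SHA-256 stand-in for a real password hash are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"time"
)

// UserRecord mirrors the extra "users" columns proposed in the post
// (constructed for this example, not Jetty's actual schema).
type UserRecord struct {
	PasswordHash             [32]byte // SHA-256 stands in for a real password hash
	PublicKey                ed25519.PublicKey
	EnableSignedPasswordAuth bool
	SignatureTimestampDelay  time.Duration
}

// message builds what the client signs: the password bytes followed by the
// 8-byte big-endian Unix timestamp, so a captured signature cannot be replayed.
func message(password string, ts int64) []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, uint64(ts))
	return append([]byte(password), buf...)
}

// ClientSign is the client side: sign password+timestamp with the locally
// stored private key.
func ClientSign(priv ed25519.PrivateKey, password string, ts int64) []byte {
	return ed25519.Sign(priv, message(password, ts))
}

// ServerAuth is the server side: check the password, then, when the feature
// is enabled for this user, the timestamp window and the signature.
func ServerAuth(u UserRecord, password string, ts int64, sig []byte, now int64) bool {
	h := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(h[:], u.PasswordHash[:]) != 1 {
		return false
	}
	if !u.EnableSignedPasswordAuth {
		return true
	}
	age := time.Duration(now-ts) * time.Second
	if age < 0 || age > u.SignatureTimestampDelay {
		return false // stale or future-dated submission
	}
	return ed25519.Verify(u.PublicKey, message(password, ts), sig)
}
```

A stale submission, a tampered timestamp or a wrong password each fails even when the other parts are valid, which is the check a server-side implementation of _signatureTimestampDelay has to make.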