[Cryptography] Follow up on my password replacement idea

Ilya Kasnacheev ilya.kasnacheev at gmail.com
Tue Sep 22 18:03:35 EDT 2015


Thank you for the link.

Regarding the user experience problem: I don't think there's a universal
solution. I think there are a number of small solutions and best practices
which together should make users' lives bearable and predictable in exchange
for some extra effort on their part.

Bank accounts - I guess they already require 2-factor auth, in my
experience in the form of text (SMS) messages. When you log in, they send you a
text with a number; you input that number, thus proving that you control
your cell number.
Of course this fails in case the attacker steals your phone and knows where
your account is. This only protects the desktop from being compromised.

Logging in should be as painless as possible, but for dangerous operations
we could ask the user for a 2nd-step confirmation. Dangerous operations are, for
example, account deletion.

All operations that are not dangerous and do not require 2nd-step confirmation
should be easily reversible. Reverting the damage should be cheaper than
inflicting it; this way attackers are dissuaded from investing effort.

In the future there will be big scandals regarding cybercriminals making use
of the huge (login, password) databases they already have, trying those pairs
on various services and inflicting dollars of losses while making a cent in
profit. Here we will see interest in more secure authentication coming
from the common folk.

I also had a few talks and gained more insight: some people don't care about
passwords that much. They care about their email and maybe their primary social
network, but not about the 100+ random accounts over the net that they have
accumulated.
Some people like to log off from services after they finish using them
(tricky with my scheme).
Those who at least care about their e-mail are quite happy with existing
2FA like Google provides.
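The policy the message sketches (painless login, a second step only for dangerous operations, everything else cheap to revert) as an added example in Python. This is not code from the post or from any product the list discusses; the operation names, the five-minute code lifetime, the seven-day undo window, the single-use handling of confirmation codes and the `FakeClock` are assumptions made for the illustration.

```python
"""Step-up confirmation for dangerous operations, an undo window for the rest.

Added example, not code from the mailing-list post. The operation names,
the code lifetime and the undo window are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Operations that must be confirmed with a second step (assumed list).
DANGEROUS = {"delete_account", "change_email"}
CODE_LIFETIME = 300            # seconds a confirmation code stays valid (assumed)
UNDO_WINDOW = 7 * 24 * 3600    # seconds a reversible change can be undone (assumed)


class ConfirmationRequired(Exception):
    """Raised when a dangerous operation is attempted without a valid code."""


@dataclass
class Account:
    user: str
    email: str
    display_name: str = ""
    deleted: bool = False


@dataclass
class UndoEntry:
    op: str
    undo: Callable[[], None]
    expires_at: float


class OperationGate:
    def __init__(self, account: Account, clock: Callable[[], float] = time.time):
        self.account = account
        self.clock = clock
        self._pending: Dict[str, Tuple[str, float]] = {}  # op -> (code, expiry)
        self._undo_log: List[UndoEntry] = []

    def request_confirmation(self, op: str) -> str:
        """Issue a single-use code for a dangerous operation. A real service
        would deliver it out of band (SMS, authenticator app) rather than
        return it to the caller; returning it keeps this example offline."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[op] = (code, self.clock() + CODE_LIFETIME)
        return code

    def _confirmed(self, op: str, code: Optional[str]) -> bool:
        # Single use: the code is consumed on the first attempt, right or
        # wrong, so a guess does not get unlimited tries against it.
        entry = self._pending.pop(op, None)
        if entry is None or code is None:
            return False
        expected, expires_at = entry
        return self.clock() <= expires_at and hmac.compare_digest(expected, code)

    def perform(self, op: str, code: Optional[str] = None, **kwargs) -> bool:
        if op in DANGEROUS:
            if not self._confirmed(op, code):
                raise ConfirmationRequired(op)
            self._apply(op, **kwargs)
            return True
        # Cheap path: no second step, but the change is logged so it can be reverted.
        undo = self._apply(op, **kwargs)
        self._undo_log.append(UndoEntry(op, undo, self.clock() + UNDO_WINDOW))
        return True

    def undo_last(self) -> bool:
        """Revert the most recent reversible change if its window is still open."""
        while self._undo_log:
            entry = self._undo_log.pop()
            if self.clock() <= entry.expires_at:
                entry.undo()
                return True
        return False

    def _apply(self, op: str, **kwargs) -> Callable[[], None]:
        """Apply an operation and return a closure that reverts it."""
        acct = self.account
        if op == "delete_account":
            acct.deleted = True
            return lambda: None
        if op == "change_email":
            old, acct.email = acct.email, kwargs["email"]
            return lambda: setattr(acct, "email", old)
        if op == "set_display_name":
            old, acct.display_name = acct.display_name, kwargs["name"]
            return lambda: setattr(acct, "display_name", old)
        raise ValueError(f"unknown operation: {op}")


def try_perform(gate: OperationGate, op: str, code: Optional[str] = None, **kwargs) -> bool:
    """False instead of an exception when the second step is missing or wrong."""
    try:
        return gate.perform(op, code=code, **kwargs)
    except ConfirmationRequired:
        return False


class FakeClock:
    """Deterministic clock so expiry behaviour can be exercised offline."""
    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now
```

The split follows the message's cost argument: a display-name change costs the attacker nothing to make and the owner one `undo_last()` call to revert, while account deletion is gated behind a code that is single-use and expires, so a stolen session alone is not enough for it.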

