[Cryptography] So please tell me. Why is my solution wrong?
Bill Cox
waywardgeek at gmail.com
Wed Feb 8 02:58:48 EST 2017
On Tue, Feb 7, 2017 at 5:23 PM, Natanael <natanael.l at gmail.com> wrote:
>
> Also, it would work better if it used trusted inputs mixed with phishing-
> proof authentication protocols like FIDO's U2F / UAF that bind the
> authentication response to the TLS session, blocking replay attacks and
> MITM. This way the user secret isn't useful anywhere outside his own
> browser.
>
FIDO is a great solution for corporate settings where people can put up with
2FA. I think the secret picture idea is only for 1FA settings, which
unfortunately are the majority of corporate settings.
> In your scheme (if I read it right), a user just has to be forgetful once
> and it fails. Sending plain passwords is a dated solution that should be
> deprecated.
>
With a FIDO Yubikey, my password can be simpler, maybe just a PIN, but a
PIN is just a simple password. My phone uses a fingerprint, but still
makes me type in the password every few days. In other cases, I get
perma-cookies that authenticate me forever, but then I forget the password
and the next time I use a different browser or device, I have to go through
the password reset process. It's a mess.
Here's a dumb idea for improving the situation slightly until that day when
passwords are finally retired. Web sites should state the password
requirements on the login form. I wind up resetting passwords about twice
a week, and more often than not, when I see the change password form, I
remember the old one.
Bill
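The origin and challenge binding that the quoted reply attributes to FIDO U2F, as an added example that is not part of the original post or of any FIDO specification. The browser, not the page, records the origin it actually loaded together with the server's fresh challenge in the data the token signs, so an assertion obtained by a phishing site at a different origin does not verify at the real site, and a captured assertion cannot be replayed once its challenge has been consumed. One assumption to note: real U2F signs with a per-credential ECDSA P-256 key; to keep this runnable with only the standard library, the token here "signs" with HMAC-SHA256 over a per-credential secret that the relying party also holds. The binding logic is unchanged; only the signature primitive is swapped.

```python
"""U2F-style origin/challenge binding (added example, standard library only).

Simplification (assumption): HMAC-SHA256 with a per-credential shared secret
stands in for the ECDSA signature a real U2F token would produce.
"""
import hashlib
import hmac
import json
import secrets


class Authenticator:
    """Models a U2F token: one secret per registered credential, one counter."""

    def __init__(self):
        self._secrets = {}  # key handle -> per-credential secret
        self.counter = 0

    def register(self):
        key_handle = secrets.token_bytes(16)
        secret = secrets.token_bytes(32)
        self._secrets[key_handle] = secret
        # A real token returns a public key here; the stand-in returns the shared secret.
        return key_handle, secret

    def sign(self, key_handle, app_id_hash, client_data_hash):
        self.counter += 1
        signed = app_id_hash + self.counter.to_bytes(4, "big") + client_data_hash
        sig = hmac.new(self._secrets[key_handle], signed, hashlib.sha256).digest()
        return self.counter, sig


class Browser:
    """Models the user agent: it, not the web page, fills in the origin."""

    def __init__(self, authenticator):
        self.auth = authenticator

    def get_assertion(self, origin, key_handle, challenge):
        client_data = json.dumps(
            {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        app_id_hash = hashlib.sha256(origin.encode()).digest()
        counter, sig = self.auth.sign(key_handle, app_id_hash, hashlib.sha256(client_data).digest())
        return {"client_data": client_data, "counter": counter, "sig": sig}


class RelyingParty:
    """The real site: checks origin, challenge freshness, counter, then signature."""

    def __init__(self, origin):
        self.origin = origin
        self.credentials = {}  # key handle -> [secret, last counter seen]
        self.pending = set()   # challenges issued but not yet consumed

    def register(self, key_handle, secret):
        self.credentials[key_handle] = [secret, 0]

    def new_challenge(self):
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, key_handle, assertion):
        if key_handle not in self.credentials:
            return False, "unknown credential"
        client_data = json.loads(assertion["client_data"])
        if client_data.get("origin") != self.origin:
            return False, "origin mismatch"          # phishing site at another origin
        if client_data.get("challenge") not in self.pending:
            return False, "unknown or replayed challenge"
        secret, last_counter = self.credentials[key_handle]
        if assertion["counter"] <= last_counter:
            return False, "counter did not increase"
        signed = (hashlib.sha256(self.origin.encode()).digest()
                  + assertion["counter"].to_bytes(4, "big")
                  + hashlib.sha256(assertion["client_data"]).digest())
        expected = hmac.new(secret, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False, "bad signature"           # client data was tampered with
        self.pending.discard(client_data["challenge"])
        self.credentials[key_handle][1] = assertion["counter"]
        return True, "ok"


def run_scenarios():
    """Constructed scenarios: legitimate login, replay, phishing relay, forged origin."""
    token = Authenticator()
    browser = Browser(token)
    rp = RelyingParty("https://bank.example")          # hypothetical origin
    key_handle, secret = token.register()
    rp.register(key_handle, secret)

    challenge = rp.new_challenge()
    good = browser.get_assertion("https://bank.example", key_handle, challenge)
    legit = rp.verify(key_handle, good)
    replay = rp.verify(key_handle, good)              # same assertion sent twice

    # Phisher relays the real challenge, but the victim's browser records its own origin.
    challenge2 = rp.new_challenge()
    phished = browser.get_assertion("https://bank-example.evil", key_handle, challenge2)
    mitm = rp.verify(key_handle, phished)

    # Phisher rewrites the origin field; the signature no longer covers what is sent.
    forged = dict(phished)
    forged["client_data"] = json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge2,
         "origin": "https://bank.example"}, sort_keys=True).encode()
    tampered = rp.verify(key_handle, forged)
    return legit, replay, mitm, tampered


if __name__ == "__main__":
    for name, result in zip(("legit", "replay", "phished", "forged"), run_scenarios()):
        print(f"{name}: {result}")
```

The order of checks matters less than the fact that the signed data includes both the origin hash and the hash of the browser-built client data: a phisher can relay the challenge and can even rewrite the origin field, but cannot produce a signature over the rewritten data without the credential's key.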