[Cryptography] [FORGED] Re: So please tell me. Why is my solution wrong?

Theodore Ts'o tytso at mit.edu
Thu Feb 9 13:07:33 EST 2017


On Thu, Feb 09, 2017 at 05:05:38PM +1000, James A. Donald wrote:
> To untrain them, you need to stop people from being asked to enter their
> passwords into a wide variety of UIs - you not only need to provide a
> password user interface to a zero knowledge password proof, where both
> parties prove knowledge of the password without giving it away, the state
> has to prohibit its subjects, or perhaps the business its employees, or
> perhaps Clinton her co-conspirators, from using any software or service that
> uses any other interface to enter a password.

Or you set a domain-level policy that says Google will only accept the
user's password in combination with a tap on a FIDO Universal 2nd
Factor device which just barely juts out of the user's USB port.  If
John Podesta had one of those, maybe we wouldn't be enjoying spoofs of
Press Secretary Spicer being played by Melissa McCarthy in drag....


Best of all, this is available today.  Unfortunately it requires that
users pay anywhere from $10[1] to $50[2] dollars for a U2F key, which is why
it probably really only works at companies who can set a security
policy requiring users to use it.  (And then the companies can pay the
cost of supplying all of their employees with the U2F security key.)

[1] https://www.amazon.com/HyperFido-K5-FIDO-U2F-Security/dp/B00WIX4JMC/
[2] https://www.amazon.com/Yubico-Y-159-YubiKey-4-Nano/dp/B018Y1XXT6

				- Ted
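As an added illustration of the mechanism Ted is relying on (this is example code written for this archive page, not anything from the thread or from the FIDO specification itself), the following Go program models the relying party's side of a U2F authentication. The token holds one ECDSA P-256 key per origin (the appId), and the data it signs is SHA-256(appId) || user-presence byte || 4-byte counter || SHA-256(client data), which is what binds the tap to the site the browser actually showed. The names `Token`, `RelyingParty`, `RunScenario`, the origins and the challenge string are all constructed for the example; real U2F hashes a JSON clientData structure rather than the bare challenge, and real tokens derive the per-origin key from a device secret and key handle instead of a map.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Token is a simplified model of a U2F security key: one origin-bound key pair
// per appId and a monotonically increasing signature counter (constructed for
// this example; real devices derive keys from a device secret and key handle).
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a fresh key pair bound to appId and hands the public key to
// the relying party. Any origin can register, but keys never cross origins.
func (t *Token) Register(appId string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	t.keys[appId] = priv
	return &priv.PublicKey
}

// signedData reproduces the U2F authentication message layout (hashed once
// more because ecdsa.SignASN1/VerifyASN1 operate on a digest).
func signedData(appId string, counter uint32, challenge []byte) []byte {
	h := sha256.New()
	appHash := sha256.Sum256([]byte(appId)) // origin binding lives here
	h.Write(appHash[:])
	h.Write([]byte{0x01}) // user presence flag: the physical tap Ted describes
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h.Write(c[:])
	clientData := sha256.Sum256(challenge) // simplification of the clientData JSON hash
	h.Write(clientData[:])
	return h.Sum(nil)
}

// Authenticate signs for the appId the *browser* reports, which is the origin
// the user is actually on. A lookalike origin therefore gets a signature the
// real relying party cannot verify.
func (t *Token) Authenticate(appId string, challenge []byte) (uint32, []byte, error) {
	priv, ok := t.keys[appId]
	if !ok {
		return 0, nil, errors.New("no key registered for this origin")
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(appId, t.counter, challenge))
	return t.counter, sig, err
}

type registration struct {
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// RelyingParty checks assertions against its own appId and the stored counter.
type RelyingParty struct {
	appId string
	users map[string]*registration
}

func (rp *RelyingParty) Verify(user string, challenge []byte, counter uint32, sig []byte) error {
	reg, ok := rp.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ecdsa.VerifyASN1(reg.pub, signedData(rp.appId, counter, challenge), sig) {
		return errors.New("signature does not verify for this origin and key")
	}
	if counter <= reg.lastCounter {
		return errors.New("counter did not increase: replay or cloned token")
	}
	reg.lastCounter = counter
	return nil
}

// RunScenario plays three cases: a genuine login, a replay of the same
// assertion, and a credential-phishing page relaying an assertion it obtained
// on its own origin. Only the first should succeed.
func RunScenario() (legitOK, replayOK, phishOK bool) {
	token := NewToken()
	rp := &RelyingParty{appId: "https://accounts.example.com", users: map[string]*registration{}}
	rp.users["alice"] = &registration{pub: token.Register(rp.appId)}

	challenge := []byte("constructed-challenge-0001") // constructed sample challenge
	ctr, sig, err := token.Authenticate(rp.appId, challenge)
	legitOK = err == nil && rp.Verify("alice", challenge, ctr, sig) == nil
	replayOK = rp.Verify("alice", challenge, ctr, sig) == nil

	phishAppId := "https://accounts-example.com.lookalike.test" // constructed lookalike origin
	token.Register(phishAppId)                                     // the lookalike can only get its own key
	ctr2, sig2, err := token.Authenticate(phishAppId, challenge)
	phishOK = err == nil && rp.Verify("alice", challenge, ctr2, sig2) == nil
	return
}

func main() {
	legit, replay, phish := RunScenario()
	fmt.Printf("genuine login accepted: %v\nreplay accepted: %v\nphished assertion accepted: %v\n", legit, replay, phish)
}
```

The point the model makes explicit is that the password alone is what gets phished; the second factor's signature carries the origin in the signed data and is made with a key the lookalike site never held, so the relying party rejects it, and the counter check catches the assertion being played back a second time.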

