[Cryptography] secure authentication ... as opposed to passwords
jamesd at echeque.com
Tue May 8 18:15:45 EDT 2018
On 5/8/2018 5:39 AM, John Denker via cryptography wrote:
> On 05/07/2018 06:11 AM, Bill Frantz wrote:
>>
>> Are there any schemes that we should consider?
>
> Executive summary: Zero knowledge proofs!
...
>
> 5) Zero-knowledge authentication. Don't frame
> it as a password problem! Frame it as an
> authentication problem, then do it properly.
> Just as easy to use and in all ways better
> than (3) or (4).
>
> If the server never sees the password, even
> temporarily, then it can't compromise the
> password.
>
> Code to do this sort of thing already exists.

UI issue: Zero Knowledge Authentication should occur in the chrome, not
in a web page issued by the server that can easily be emulated by any
other server.

The window in which you type anything that the attacker might want to
steal should look and act differently from anything that the attacker
can easily fake.
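
The property quoted above (the server never sees the password), shown as an added example that is not part of the original post or of any code the thread refers to: a Schnorr identification exchange in which the secret exponent is derived from the password on the client. The group parameters, the salt handling and all function and class names are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Demonstration-only parameters (assumption, not from the thread):
# p = 2**255 - 19 is prime, g = 2, exponents are reduced mod p - 1.
P = 2**255 - 19
G = 2
N = P - 1

def secret_from_password(password: str, salt: bytes) -> int:
    """Client only: stretch the password into the secret exponent x."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return int.from_bytes(key, "big") % N

def enroll(password: str, salt: bytes) -> int:
    """Runs on the client; the server stores only v = g^x mod p."""
    return pow(G, secret_from_password(password, salt), P)

class Prover:
    def __init__(self, password: str, salt: bytes):
        self.x = secret_from_password(password, salt)

    def commit(self) -> int:
        self.r = secrets.randbelow(N)  # fresh nonce for every login
        return pow(G, self.r, P)

    def respond(self, c: int) -> int:
        return (self.r + c * self.x) % N

class Server:
    def __init__(self, verifier: int):
        self.v = verifier

    def challenge(self, t: int) -> int:
        self.t, self.c = t, secrets.randbelow(2**128)
        return self.c

    def verify(self, s: int) -> bool:
        # g^s == t * v^c holds when s was computed from the x behind v
        return pow(G, s, P) == self.t * pow(self.v, self.c, P) % P

def login(password: str, salt: bytes, verifier: int):
    """Run one exchange; return (accepted, messages the server saw)."""
    prover, server = Prover(password, salt), Server(verifier)
    t = prover.commit()
    c = server.challenge(t)
    s = prover.respond(c)
    return server.verify(s), (t, c, s)
```

With a low-entropy password, the stored verifier or a recorded (t, c, s) still permits offline guessing, which is the gap PAKE designs such as SRP and OPAQUE are built to close.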