[Cryptography] secure authentication ... as opposed to passwords
John Levine
johnl at iecc.com
Tue May 8 21:51:42 EDT 2018

In article <b2ec3a64-8e34-deb7-e24e-67ce81ffd2c3 at echeque.com> you write:
>UI issue: Zero Knowledge Authentication should occur in the chrome, not
>in a web page issued by the server that can easily be emulated by any
>other server.

Every study I have ever seen says that typical users do not understand
a model where one part of the screen is semantically different from
another. If it looks like a lock they'll assume it's secure (whatever
"secure" means this week.) If it looks like a password box, they'll
type a password into it.

I can imagine approaches like a dongle with a totally non-programmable
UI (my bank has sent me a few of those) but they are all expensive and
usually harder to use than the familiar but not very secure schemes.

R's,
John