[Cryptography] secure authentication ... as opposed to passwords
Marshall Pierce
marshall at mpierce.org
Thu May 10 15:40:26 EDT 2018

On 05/09/2018 04:59 PM, Jerry Leichter wrote:
> But there's actually an opportunity here, if we were to choose to seize it. Imagine that the major browser makers coordinated on the following steps:
>
> 1. Define a standard mechanism by which servers could ask for authentication information. How and what form would be delivered would be specified in the request. To ease adoption, a returned username and password would be available; but better methods would be included: PAKE, some kind of challenge/response - not a long list of possibilities, but other *good* methods that we would hope to evolve to.

This sort of thing seems to be what WebAuthn
(https://www.w3.org/TR/webauthn/) is trying to do, a more web-flavored
version of FIDO U2F, which was previously Chrome-only IIRC. It's
shipping in Firefox, Chrome, and Edge
(https://caniuse.com/#search=webauthn) and Dropbox has announced support
for it
(https://www.dropbox.com/help/security/enable-two-step-verification#securitykey).

-Marshall