[Cryptography] Possible reason why password usage rules are such a mess

Osman Kuzucu bizbucaliyiz at hotmail.com
Mon Dec 14 01:06:37 EST 2020



Phillip Hallam-Baker <phill at hallambaker.com> wrote (22 Nov 2020 19:40):

Those types of check are better than nothing but not really providing very much security and introducing an incredible level of user aggravation. Password authentication is beginning to fail in the same way that email is now failing as a result of countless ad-hoc attempts to mitigate spam.

The argument I am making is that we need to design an infrastructure for this express purpose rather than continue to try to cobble together 'good enough' security based on what inevitably turn out to be half-assed guesses as to what security is actually being achieved.

IP addresses change regularly. Users make use of different browsers on the same machine. SMS is not secure in any shape or form, SS7 hijacking is a trivial technical challenge yet it is depended on, etc. etc.

Time to do the job right.

The Turkish government has a solution called “E-imza”, which is a centralized digital signature solution type of thing. I don’t know if such a thing exists in other countries, but here what they do is provide an X.509-compliant certificate for the citizen and then put this certificate and some additional keys (I couldn’t find any technical document which explains what type of additional keys) on a USB stick and ship it to the citizen. Later the citizen can legally sign documents, using again another central app to authenticate themselves with the USB stick. Medical doctors now write prescriptions with this technology, and many other professions have started adopting this.

The approach here is better than using passwords. However, due to the manufacturing process of the USB stick, it is a time-consuming and expensive process. Perhaps an open-source, decentralized authentication solution that provides certificates to individuals could be the way to go. Then the apps would have to adopt the technology, and perhaps make the user sign a randomly generated text from the app with the timestamp. Upon verifying the signed message, authorize the user.



