[Cryptography] Order of username and password entry

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Apr 6 09:34:00 EDT 2021


Natanael <natanael.l at gmail.com> writes:

>Let the user enter their username, then demand 2FA verification (such as
>WebAuthn), THEN ask for their password to confirm.

Absolutely, since you need this to prevent both credential-stuffing and DoS
attacks.  The credential-stuffing is obvious, the DoS is possible if the
submission is done in two stages, submit the username and password but not the
2FA until all the logon sessions are tied up.  Lots of sites do this two-step
dance, and invariably get it wrong.

There are actually quite a number of ways you can get the use of password +
2FA wrong, I'm not aware of any guidance out there on how to safely apply it,
just "here is some 2FA, everyone should use it".

Peter.
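The flow Natanael proposes and Peter endorses (username, then second factor, then password), as an added Python illustration that is not part of the mailing-list thread. It assumes a constructed user store, simulates the WebAuthn step with an HMAC over the server challenge using a per-user device secret (a real deployment verifies a WebAuthn assertion instead), and keeps the pool of half-finished logins bounded and time-limited so that a stream of never-completed logins cannot tie up server sessions; `MAX_PENDING`, `PENDING_TTL` and the PBKDF2 iteration count are illustrative values.

```python
"""Username -> 2FA -> password login with bounded pending state (added example)."""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000  # assumption: toy password store setting
MAX_PENDING = 3              # assumption: cap on half-finished logins, tiny for the demo
PENDING_TTL = 60             # assumption: seconds a challenge stays valid


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(password: str) -> dict:
    """Constructed user record: salted password hash plus a 2FA device secret."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "device_key": secrets.token_bytes(32)}


def device_respond(user: dict, challenge: bytes) -> bytes:
    """Stand-in for the authenticator: answers the challenge with the device secret."""
    return hmac.new(user["device_key"], challenge, "sha256").digest()


class LoginFlow:
    def __init__(self, users: dict, now=time.time):
        self.users = users
        self.now = now
        self.pending = {}    # token -> {user, challenge, expires, second_factor_ok}
        self.sessions = set()

    def _evict_expired(self):
        t = self.now()
        for tok in [k for k, v in self.pending.items() if v["expires"] <= t]:
            del self.pending[tok]

    def start(self, username: str):
        """Step 1: username in, challenge out. No password seen, no session allocated."""
        self._evict_expired()
        if len(self.pending) >= MAX_PENDING:
            return None  # refuse rather than let half-finished logins pile up
        token, challenge = secrets.token_urlsafe(16), secrets.token_bytes(32)
        self.pending[token] = {"user": username, "challenge": challenge,
                               "expires": self.now() + PENDING_TTL,
                               "second_factor_ok": False}
        return token, challenge

    def verify_second_factor(self, token: str, response: bytes) -> bool:
        """Step 2: the authenticator response is checked before any password is accepted."""
        self._evict_expired()
        entry = self.pending.get(token)
        if entry is None:
            return False
        user = self.users.get(entry["user"])
        # Unknown users take the same failure path as a bad response (no enumeration hint).
        expected = device_respond(user, entry["challenge"]) if user else bytes(32)
        if user is None or not hmac.compare_digest(expected, response):
            del self.pending[token]  # one wrong answer burns the challenge
            return False
        entry["second_factor_ok"] = True
        return True

    def finish(self, token: str, password: str):
        """Step 3: password is only checked after the second factor passed."""
        self._evict_expired()
        entry = self.pending.pop(token, None)  # any outcome ends this attempt
        if entry is None or not entry["second_factor_ok"]:
            return None
        user = self.users[entry["user"]]
        if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
            return None
        session = secrets.token_urlsafe(16)
        self.sessions.add(session)
        return session


def demo() -> dict:
    """Exercise the flow with a fake clock; returns outcomes for checking."""
    users = {"alice": make_user("correct horse battery staple")}
    clock = [1000.0]
    flow = LoginFlow(users, now=lambda: clock[0])
    out = {}
    token, challenge = flow.start("alice")                       # happy path
    out["second_factor_ok"] = flow.verify_second_factor(
        token, device_respond(users["alice"], challenge))
    out["session"] = flow.finish(token, "correct horse battery staple")
    token, _ = flow.start("alice")                               # password before 2FA
    out["password_first_refused"] = flow.finish(token, "correct horse battery staple") is None
    token, _ = flow.start("mallory")                             # unknown user
    out["unknown_user_rejected"] = not flow.verify_second_factor(token, bytes(32))
    before = len(flow.sessions)                                  # half-finished flood
    starts = [flow.start("alice") for _ in range(MAX_PENDING)]
    out["started"] = sum(s is not None for s in starts)
    out["flood_refused"] = flow.start("alice") is None
    out["flood_sessions"] = len(flow.sessions) - before
    clock[0] += PENDING_TTL + 1                                  # challenges expire
    out["recovered"] = flow.start("alice") is not None
    return out
```

Because `finish` pops the pending entry whatever the outcome, a wrong password (or a password offered before the second factor) sends the client back to step 1 instead of leaving a half-open attempt in the pool, and the pool itself is capped and time-limited so abandoned logins free themselves.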
