
Re: Ditching passwords / email identifiers

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Thu, 24 Nov 2016 13:45:09 +0000
Message-ID: <CAM1Sok0_Y7avVhst-L6oWB3x=vqC=Ebit4hDGKQOaKv9UaTVkw@mail.gmail.com>
To: Joerg.Heuer@telekom.de, marta@blockstream.io
Cc: jhprattdev@gmail.com, public-credentials@w3.org, msporny@digitalbazaar.com
Sorry for delayed response.

IMHO, seems like a simple and straightforward tool for the tool-chest.
Fits well into telecommunications intercept related laws.



On Fri, 25 Nov 2016 at 00:39 <Joerg.Heuer@telekom.de> wrote:

> … and many more options to be considered! These technologies are all fine
> in certain contexts – and not well applicable in others.
>
> I’d say we shouldn’t have to put our bet on one or the other technology,
> there will be even better ones to come – so ‘openness’ towards future
> developments seems a ‘must’ to me.
>
>
Principal concept is that a one-time key is generated and sent from the
website to the account holder.  One of the use-cases that this benefits is
sensitive accounts like banking accounts, where users get spam saying they
have to log into their bank to protect their money or whatever, then the
fake bank site captures password details.

this way, no passwords exist...



>
> Cheers,
>
>                 Jörg
>
>
>
> *From:* Marta Piekarska [mailto:marta@blockstream.io]
> *Sent:* Tuesday, 22 November 2016 09:06
> *To:* Timothy Holborn
> *Cc:* Jacob Pratt; W3C Credentials Community Group; Manu Sporny
>
>
> *Subject:* Re: Ditching passwords / email identifiers
>
>
>
> Timothy,
>
> I like this idea in principle. Why do you think SMS message is the best
> carrier of such information?
>

SMS due to the telecommunications benefits.


>
>
> I'm aware of some efforts of doing same with Bluetooth or NFC.
>
>
>
BT has a H/W ID as does NFC.  SMS is a different (non IP based) network.


> Have a good day
>
> m
>
>
>
> --
>
> Security Architect @ Blockstream
>
>
>
> mp@blockstream.com
>
>
>
> +491703311307 (Germany)
>
> +14159608938 (U.S)
>
> Signal, Wickr (martap).
>
>
>
> Sent from a mobile device, please excuse typos.
>
>
> On Nov 20, 2016, at 5:49 AM, Timothy Holborn <timothy.holborn@gmail.com>
> wrote:
>
>
>
> On Sun, 20 Nov 2016 at 15:22 Jacob Pratt <jhprattdev@gmail.com> wrote:
>
> Certainly an interesting idea. This could also take advantage of the
> increasing frequency of biometric sensors in mobile devices, eliminating
> the need for a code (or some other identifier). It would be much simpler
> than remembering a password, and much more secure for the vast majority of
> people.
>
>
>
> :)  thank-you.
>
>
>
> It also seems really v.simple to implement, and it's using existing
> functions so it should be relatively straightforward to standardise.
>
>
>
> I'd be interested in figuring out how this may relate to creds (from
> community spec to more recent diversifications).
>
>
>
> Another consideration is how this may provide an alternative to that
> which is outlined in various VISA EURO related 'claims'.
>
>
>
> Could be paired with means for a QR Code to be generated at POS, linked to
> a credential orientated statement (for instance).
>
>
>
> Overall - I would be encouraged if the idea/s were further investigated.
>
>
>
> NB also (separate yet similar): TimBL expressed his desire to see N3
> compatibility.  Manu was involved in a broader convo in relation to this
> consideration made.
>
>
>
> The broader context was a graph related issue with TTL and that N3 did not
> share this problem.
>
>
>
> I have been of the opinion for some-time that perhaps serialisations can
> live harmoniously somehow, perhaps where the stuff that TimBL's more
> focused on (ie: not web-payments or SEO related) should be supported in a
> way that is inclusive to his 'vision' alongside support for the 'status
> quo' herein, which seemingly moreover relates to payments related use-cases.
>
>
>
> I have had the difficult experience of having been in the middle of the
> serialisation wars; and whilst I'm cognisant that it was the javascript
> wars that led to W3C,
>
>
>
> I see some parts of this both healing and in continuum, unnecessary.
>
>
>
> As one of the very few (in context of the ~7 billion people on the planet)
> some of these issues seem to have been unnecessarily unfortunate.
>
>
>
> Tim.H.
>
>
>
>
>
> On Nov 19, 2016 11:05 PM, "Timothy Holborn" <timothy.holborn@gmail.com>
> wrote:
>
> had an idea that for places where mobiles are ubiquitous, the means in
> which to ditch passwords and email related AUTH could be facilitated by
> simply providing SMS authentication (or mobile app alternative) which
> in-turn means no password is stored for the account at all...
>
>
>
> mobiles are increasingly used for banking, simply by tapping them on a
> payment gateway (via NFC).
>
>
>
> people barely need to use their passwords to get into a password protected
> site, and a great many people have difficulty remembering them or keeping
> them safe.
>
>
>
> a lot of email providers are internationally based (whereas mobiles come
> under telecommunications law, including the misuse of them) and in some
> regions at least - the receipt of an SMS does not cost the recipient funds.
>
>
>
> i am aware of a few problems with that method, including company owned
> mobiles, lost phones, etc.
>
>
>
> yet,
>
>
>
> i figured it was an idea worth noting.  may be an opportunity within the
> general space.
>
>
>
> Tim.H.
>
>
Received on Thursday, 24 November 2016 13:52:37 UTC
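
The one-time-key flow discussed in this thread, as an added example that is not from any participant's message: the site keeps no password, only a keyed digest of a short-lived, single-use key bound to the account's phone number. The function names, the 5-minute lifetime and the 3-attempt limit are assumptions, and SMS delivery is replaced by returning the key to the caller.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (assumption)
TTL_SECONDS = 300                     # key lifetime (assumption)
MAX_ATTEMPTS = 3                      # wrong guesses allowed per key (assumption)
_pending = {}                         # phone -> {"digest", "expires", "attempts"}


def _digest(phone, code):
    # Bind the key to the phone number so it cannot be replayed for another account.
    return hmac.new(SERVER_KEY, f"{phone}:{code}".encode(), hashlib.sha256).digest()


def issue_key(phone, now=None):
    """Create a fresh one-time key; any earlier pending key for this phone is replaced."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
    _pending[phone] = {
        "digest": _digest(phone, code),   # only the digest is stored
        "expires": now + TTL_SECONDS,
        "attempts": 0,
    }
    return code  # a real site would hand this to its SMS gateway instead


def verify_key(phone, code, now=None):
    """Return True once for the correct key, within its lifetime and attempt limit."""
    now = time.time() if now is None else now
    entry = _pending.get(phone)
    if entry is None:
        return False
    if now > entry["expires"]:
        del _pending[phone]
        return False
    entry["attempts"] += 1
    if hmac.compare_digest(entry["digest"], _digest(phone, code)):
        del _pending[phone]               # single use: burn on success
        return True
    if entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[phone]               # lock out guessing; user must request a new key
    return False
```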