- From: Anders Rundgren via GitHub <sysbot+gh@w3.org>
- Date: Thu, 15 Jun 2017 07:07:19 +0000
- To: public-web-nfc@w3.org
Although the use case has been dismissed, I promised a more complete description for review. ![nfc-qr-repl](https://user-images.githubusercontent.com/8044211/27169160-fffc4ee0-51a8-11e7-973b-a4450beaa3aa.png) Assumption: _The Service, PC, and Phone are free from malware interfering with the devised scheme_. The security of this scheme is based on multiple factors: - Public key cryptography exposes no static secrets to attackers - One-time challenges limit attacks to the specfic session - Session cookies, only known by the Service and the user's PC (Browser), render intercepted NFC or authentication objects useless outside of the user's PC - Intercepting and rewriting RF data on-the-fly appears to be quite difficult - The Web Security context provided by the NFC solution in conjunction with signing thwarts basic "phishing" attacks - The user must perform an action in order to authorize a login The original (and possibly updated) document is available at: https://cyberphone.github.io/doc/research/nfc-based-qr-replacement.pdf -- GitHub Notification of comment by cyberphone Please view or discuss this issue at https://github.com/w3c/web-nfc/issues/128#issuecomment-308647894 using your GitHub account
Received on Thursday, 15 June 2017 07:07:26 UTC