[webauthn] Cloud Based "Phone Token" Option

cyberphone has just created a new issue for https://github.com/w3c/webauthn:

== Cloud Based "Phone Token" Option ==
The following was not developed for WebAuthn but _may_ be usable anyway:

Assumption: _The Service, PC, and Phone are free from malware interfering with the devised scheme_.

The security of this scheme is based on multiple factors:

- Public key cryptography exposes no static secrets to attackers
- One-time challenges limit attacks to the specfic session
- Session cookies, only known by the Service and the user's PC (Browser), render intercepted NFC or authentication objects useless outside of the user's PC
- Intercepting and rewriting RF data on-the-fly appears to be quite difficult
- The Web Security context provided by the NFC solution in conjunction with signing thwarts basic "phishing" attacks
- The user must perform an action in order to authorize a login

The original (and possibly updated) document is available at: https://cyberphone.github.io/doc/research/nfc-based-qr-replacement.pdf

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/496 using your GitHub account

Received on Friday, 16 June 2017 19:41:33 UTC