- From: Anders Rundgren via GitHub <sysbot+gh@w3.org>
- Date: Fri, 16 Jun 2017 19:41:27 +0000
- To: public-webauthn@w3.org
cyberphone has just created a new issue for https://github.com/w3c/webauthn:

== Cloud Based "Phone Token" Option ==

The following was not developed for WebAuthn but _may_ be usable anyway:

![nfc-qr-repl](https://user-images.githubusercontent.com/8044211/27242207-5a0be858-52dc-11e7-8b5d-4d1656291685.png)

Assumption: _The Service, PC, and Phone are free from malware interfering with the devised scheme_.

The security of this scheme is based on multiple factors:

- Public key cryptography exposes no static secrets to attackers
- One-time challenges limit attacks to the specific session
- Session cookies, only known by the Service and the user's PC (Browser), render intercepted NFC or authentication objects useless outside of the user's PC
- Intercepting and rewriting RF data on-the-fly appears to be quite difficult
- The Web Security context provided by the NFC solution in conjunction with signing thwarts basic "phishing" attacks
- The user must perform an action in order to authorize a login

The original (and possibly updated) document is available at: https://cyberphone.github.io/doc/research/nfc-based-qr-replacement.pdf

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/496 using your GitHub account
Received on Friday, 16 June 2017 19:41:33 UTC