Re: [webauthn] Add support for SRP (or some other PAKE) in WebAuthn (#1960)

The security issues around passwords are not resolved by things like PAKE. You are assuming the threat is MITM or theft of the stored pw hashes.

The real threat is phishing, social engineering, and brute force. This suggestion does nothing to address any of the real threats against passwords.

I think there is no interest in adding or supporting PAKE in WebAuthn, since this would be a huge departure from the current definition of the specification.

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1960#issuecomment-1712275785 using your GitHub account


Received on Friday, 8 September 2023 22:06:35 UTC