- From: Fredrik Tolf via GitHub <sysbot+gh@w3.org>
- Date: Fri, 08 Sep 2023 23:16:47 +0000
- To: public-webauthn@w3.org

Perhaps you are right. My main idea was that it would be quite nice for me, as a moderately security-conscious user, to be able to know for sure that, when I sign up for a service with PAKE over WebAuthn, the server never sees my password in plaintext, has no opportunity to store it in an insecurely hashed way or leak it in some other way.

Also, to be able to use a PAKE-based password as a last resort in the still not too uncommon situation where I don't have a FIDO authenticator available to me, in which case I would also think that such a scheme would make phishing more difficult, since the password entry would need to happen via the browser's UI, which shouldn't be possible to impersonate by a malicious site.

--
GitHub Notification of comment by dolda2000
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1960#issuecomment-1712327491 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 8 September 2023 23:16:49 UTC