Re: Strong authentication for PayPal versus WebPayments

On 16/05/14 17:32, Dave Longley wrote:
> On 05/16/2014 05:33 AM, Dave Raggett wrote:
>
>> If an attacker has fooled users into disclosing their email address and
>> passphrase, how does the identity provider differentiate the attacker
>> from users trying to login from a new device?
> The email address and passphrase are not used (or are insufficient) to
> log into the Identity Provider. A separate password (or similar secret)
> must be used. An attacker must also be able to masquerade as the
> identity provider itself and steal this information (as is the case
> today for logging in via Google, Facebook, etc.). Various forms of
> N-factor authentication could be required by the identity provider in
> order to register a new device. This doesn't have to be part of the
> standard itself, but is value add for an IdP.

One such factor is to allow users to register a new device with the help 
of a previously registered device. For example, by asking the user to 
key in a one time PIN sent to the previously registered device. However, 
if this is the first device to be registered, or if the user doesn't 
have access to previously registered devices (given away, sold, broken, 
lost, or stolen), we need another solution. Note this also shows that we 
need a means to unregister devices.

Another idea would be to rely on an additional identity provider, that 
can attest that you are who you say you are in respect to certain 
attributes you claim. Further ideas include hardware tokens, biometrics 
and so forth.

The upcoming W3C workshop on stronger authentication (September 10-11, 
Mountain View) will be an opportunity to discuss this further, and 
hopefully will lead to standardization in a rechartered webcrypto 
working group.  Here is the draft page for the workshop:

    http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/

-- 
Dave Raggett <dsr@w3.org> http://www.w3.org/People/Raggett

Received on Saturday, 17 May 2014 10:08:07 UTC
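The enrollment flow sketched above (a new device is admitted only by keying in a one-time PIN delivered to a previously registered device, and devices can be unregistered) as an added worked example. This is illustrative code written for this page, not code from the thread or from any W3C deliverable; the `DeviceRegistry` class, the PIN format, the five-minute lifetime and the three-attempt limit are all assumptions. The `bootstrap_first_device` method stands in for the "another solution" the message says is needed for the first device; the extra factor that should gate it is out of scope here.

```python
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300   # assumed lifetime of a delivered PIN
MAX_ATTEMPTS = 3        # assumed guess limit before the PIN is discarded


class DeviceRegistry:
    """Per-account device registry for a hypothetical identity provider.

    A new device is enrolled only by proving possession of an already
    registered device: the IdP sends a one-time PIN to that device, and
    the new device must present it within the PIN's lifetime. Devices can
    be unregistered, which also cancels any enrollment they were approving.
    """

    def __init__(self, send_pin, clock=time.time):
        # send_pin(device_id, pin) is the out-of-band delivery channel
        # (push notification, SMS, ...). Injected so the example runs offline.
        self._send_pin = send_pin
        self._clock = clock
        self._devices = {}    # account -> set of registered device ids
        self._pending = {}    # (account, new_device) -> pending enrollment

    def devices(self, account):
        return set(self._devices.get(account, ()))

    def bootstrap_first_device(self, account, device):
        # Placeholder for the "first device" case: allowed only when the
        # account has no devices at all. A real IdP must gate this on some
        # other factor (support-verified identity, hardware token, ...).
        if self._devices.get(account):
            raise PermissionError("account already has devices; enroll via one of them")
        self._devices[account] = {device}

    def begin_enrollment(self, account, new_device, via_device):
        registered = self._devices.get(account, set())
        if via_device not in registered:
            # No usable previously registered device (given away, lost,
            # stolen, or never enrolled): this path cannot help.
            raise PermissionError("approving device is not registered for this account")
        if new_device in registered:
            raise ValueError("device already registered")
        pin = f"{secrets.randbelow(10**6):06d}"   # 6-digit, CSPRNG-generated
        self._pending[(account, new_device)] = {
            "pin": pin,
            "via": via_device,
            "expires": self._clock() + PIN_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_pin(via_device, pin)

    def complete_enrollment(self, account, new_device, pin):
        key = (account, new_device)
        entry = self._pending.get(key)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[key]              # expired PIN is unusable
            return False
        if not hmac.compare_digest(entry["pin"], pin):
            entry["attempts"] += 1
            if entry["attempts"] >= MAX_ATTEMPTS:
                del self._pending[key]          # too many guesses: start over
            return False
        del self._pending[key]                  # single use
        self._devices.setdefault(account, set()).add(new_device)
        return True

    def unregister(self, account, device):
        self._devices.get(account, set()).discard(device)
        # An enrollment approved by the removed device can no longer complete.
        stale = [k for k, v in self._pending.items()
                 if k[0] == account and v["via"] == device]
        for k in stale:
            del self._pending[k]


if __name__ == "__main__":
    delivered = []
    reg = DeviceRegistry(send_pin=lambda dev, pin: delivered.append((dev, pin)))
    reg.bootstrap_first_device("alice", "phone")
    reg.begin_enrollment("alice", "laptop", via_device="phone")
    print("PIN sent to", delivered[-1][0])
    print("enrolled:", reg.complete_enrollment("alice", "laptop", delivered[-1][1]))
    print("devices:", reg.devices("alice"))
```

The PIN is compared with `hmac.compare_digest` to avoid a timing side channel, is bound to both the account and the specific new device, expires, is single-use, and is discarded after a few wrong guesses; unregistering a device also drops any enrollment it was approving, so a lost or stolen device cannot keep admitting new ones after it is removed.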