- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Thu, 12 Apr 2007 01:01:12 +0100
- To: michael.mccormick@wellsfargo.com
- CC: public-wsc-wg@w3.org
Just dipping in (and out:-) quickly, but I think this is an interesting aspect to think about.

michael.mccormick@wellsfargo.com wrote:

> The much maligned Mother's Maiden Name is an example of weak KBA … but
> much stronger ones are possible using the enormous databases of personal
> data that are available from brokers today. So I think the SPK
> "anti-pattern" would benefit from being softened a bit to acknowledge
> there's a place for it under certain conditions.

While I agree with your overall point, I think the above paragraph implies that such schemes are problematic since they depend upon, and thus encourage, the collection of such databases. That has two problems: first, authentication schemes that are privacy unfriendly like this are (IMO) problematic, and second, they inherently create a very nice target DB - a good bit worse than e.g. a weak shared secret DB that's protected via EKE and maybe Ford-Kaliski sharing (sorry, don't have a reference to hand - ask PHB).

Stephen.
Received on Wednesday, 11 April 2007 23:59:51 UTC