Re: Mikes request that we identify an upper limit on the number of digits

Hi Alistair

Web authentication specification standardizes how to offer alternatives, but you can offer alternative logins without using the specification.


For example, https://ecas.ec.europa.eu/cas/login?loginRequestId allows you to choose between a using a long password , their app with a pin, their app with a QR code (conferment alternative) mobile phone with sms, mobile phone with token (conferment alternative) , token (conferment alternative)


My email provider lets you log in with alternative mechanisms as well.


All the best

Lisa Seeman

LinkedIn, Twitter





---- On Tue, 28 Nov 2017 20:00:00 +0200 Alastair Campbell<acampbell@nomensa.com> wrote ---- 

      Hi Lisa,
  
 > LS: there are lots of ways to do this securely. such as…
  
 I covered this in the email yesterday, but there are two types of implementations we are confusing:
  
  Hardware / apps that supply the secure token / biometrics
Browser support that connects to those secure devices.
  
 WebAuth is the right standard to refer to, but the current browser support is Chrome-only, and that is desktop-only as the U2F devices generally use USB.
  
 Is there another way that I’m missing? Otherwise I can’t see how we could get 2 implementations (which is probably why WebAuth is still in draft).
  
  
 > there are thousands of conforming sites. examples of conforming sites That I use only yesterday include:  the w3c and the EU site for research funding which allows multiple log in methods
  
 I’m confused about that as I was given a password for W3C which I have to type in every time. (Well, I use lastpass, but we seem to be ignoring auto-filling password tools).
  
 I assume those are sites which let you reset email, for which my question was: Is the intent that the email reset logs you in automatically? 
 A typical implementation would have you copy the new password into a username/password form to login, which I wouldn’t have thought conforms?
  
  
 > Any level of security can be reached. including use of tokens and dongles , smartcards etc.
  
 But we haven’t shown that for *web content*, I don’t think “use desktop chrome” is a good answer here.
  
 Also, how do you get past the username/password bit? You can set the second factor to remember your device for a set time (usually 30 days), but at some point you would still have to login with a password and with the 2nd factor, otherwise there is no security
  
 Then the last (more complex) level, how do you conform if you are the email-provider? If you can’t provide an email-loop, and you use 2FA, I can’t see how that would work in theory, let alone practice.
  
 If this is getting a security review, can we make sure that is considered? Otherwise it is very hypothetical.
  
 Cheers,
  
 -Alastair
  
 
 

Received on Tuesday, 28 November 2017 18:46:10 UTC