Re: working on re-authentication

Thanks, Lisa.

Gregg, do you see a problem with any of what Lisa has listed below as
being sufficient author techniques for this SC?

Kindest regards,
Laura

On 12/20/17, lisa.seeman <lisa.seeman@zoho.com> wrote:
> Hi Laura
>
> Among the sufficient techniques are allowing any one of the following:
>
> Complying with https://www.w3.org/TR/webauthn/ and allowing one component
> method such as biometrics, FIDO or tokens.
>
> A cheap and easy way is "logon via facebook" (being already logged in to
> third-party authentication services).
>
> Using multi-factor identification with Bluetooth or generate a RC code (on
> the browser) or simply send a link. I have sent links in other emails to
> places that do multi-step authentication in fully conformant ways. Also you
> can use whatever way you want as long as there is an alternative that is
> conformant.
>
> Automatic user authentication based upon the use of a trusted device (to
> which the user has already logged in with their own identity);
>
> Fast IDentity Online (FIDO), password-free standards for typical and
> two-factor authentication.
>
> FIDO relies upon user authentication based upon a user's device (e.g.,
> phone, tablet, computer).
>
> A user's device registers the user, to a server, via a public key.
>
> Upon a challenge from the server, the user's device responds with a private
> key.
>
> The device's keys are unlocked by the user biometrically (e.g., fingerprint
> scanner) or by a button press, not by a password.
>
> Allowing the user to reset a password by pressing a link sent to them in an
> SMS or email, which brings the user to a page that provides the
> opportunity to create a new username and/or password.
>
> Being compatible with password managers that allow user login with one of
> the above techniques.
>
> All the best
>
> Lisa Seeman
>
> LinkedIn, Twitter
>
> ---- On Wed, 20 Dec 2017 19:39:30 +0200 Laura
> Carlson <laura.lee.carlson@gmail.com> wrote ----
>
> Hi Gregg and Lisa,
>
> I think it may come down to techniques. Lisa, what author techniques
> for this SC are in the works?
>
> Thanks.
>
> Kindest Regards,
> Laura
>
> On 12/20/17, Gregg Vanderheiden GPII <gregg@raisingthefloor.org> wrote:
> > I still don’t see how you can require an AUTHOR to provide an
> > authentication method (or re-authentication — which is authentication)
> > without requiring any information beyond publicly available information
> > (not good for authenticating) or their country ID (which I would NOT
> > want to give to any and all websites that have sign in).
> >
> > As such this SC is not implementable by authors since the only solution
> > to it is biometrics - which a page author cannot do.
> >
> > Am I missing something?
> >
> > G
> >
> >> On Dec 20, 2017, at 11:30 AM, lisa.seeman <lisa.seeman@zoho.com> wrote:
> >>
> >> Hi Alastair
> >>
> >> The reason it might be ok to allow transcribing etc at sign up, is
> >> that it might be reasonable for someone to get help the first time
> >> they use the site, but completely unreasonable to expect the user to
> >> have help each time they sign in. It is a compromise if people felt
> >> that we have to allow people to copy in a code first time. (Which is
> >> why I thought you had tried to limit the scope to re-authentication.)
> >>
> >> If we can live without the exception that is better.
> >>
> >> All the best
> >>
> >> Lisa Seeman
> >>
> >> LinkedIn <http://il.linkedin.com/in/lisaseeman/>, Twitter
> >> <https://twitter.com/SeemanLisa>
> >>
> >> ---- On Wed, 20 Dec 2017 18:08:08 +0200 Alastair
> >> Campbell <acampbell@nomensa.com> wrote ----
> >> Hi Andrew,
> >>
> >> I agree we should be able to answer those, I just updated the wiki
> >> page and I think this version helps:
> >> ————-
> >> Re-authentication processes do not rely upon the user to do any of
> >> the following:
> >>
> >> - memorize information;
> >> - perform calculations;
> >> - reliably produce gestures;
> >> - transcribe information.
> >>
> >> Exceptions:
> >>
> >> - Re-authentication process can rely on the user or user-agent
> >> entering personal identification information such as name, username,
> >> address, email address or national identification number if the web
> >> content does not block automatic entry.
> >>
> >> - There are governing statutory requirements that require the use
> >> of memorisation, calculations, gestures or transcription in
> >> re-authentication processes.
> >> —————
> >>
> >> On your questions:
> >> > 1. Regarding user’s abilities to memorize information, don’t
> >> > browser/OS capabilities or separate tools (e.g. splash ID, LastPass, etc)
> >>
> >> I think the first exception covers that now, and yes, I think we
> >> need to accept that is a user-agent & education issue rather than
> >> content, so long as content doesn’t prevent their use (which is also
> >> accepted security best practice, despite certain banks thinking
> >> otherwise).
> >>
> >> > Regarding the ability to transcribe information, this includes:
> >>
> >> Anything where you see/hear characters and have to type them in
> >> somewhere.
> >>
> >> > Regarding the ability to transcribe information, what kind of
> >> > barrier does this create for users – is it a complete barrier or
> >> > something less? In one of the current options it seems that
> >> > transcribing a one-time code is ok for the first time – why is it
> >> > not a barrier the first time but is a barrier after that?
> >>
> >> In usability testing, which wasn’t exactly on this, but close as we
> >> gave people made-up information to type in as part of usability
> >> testing, it can take 5-10 seconds per character, if they are patient
> >> and motivated. The typical time-based one-time code is 6 characters
> >> to type in within 30 seconds.
> >>
> >> We can discuss degree, but personally I’ve seen enough to know it
> >> is a real issue and any transcription will prevent some people from
> >> completing that task.
> >>
> >> I don’t think we were saying some transcription is ok the 1st time,
> >> but that you could set/reset your password? Not sure where that came
> >> from. In the above SC text you can:
> >> - rely on a password manager so long as you don’t block it.
> >> - use a magic-link or email loop password reset.
> >> - use webauth for 2nd factor.
> >>
> >> > It seems that there is a possible conflict with 1.1.1. In that
> >> > SC there is language about using CAPTCHA, which is sometimes used
> >> > as part of an authentication process.
> >>
> >> *Generally* I’ve seen it used in account creation rather than
> >> authentication, but I guess that can happen.
> >>
> >> > It seems that providing a multi-modal approach which uses but
> >> > doesn’t rely exclusively on visual CAPTCHA is ok under 1.1.1 but
> >> > may be forbidden in this SC?
> >>
> >> Yes, as that involves transcription (which can be either visual or
> >> auditory, I don’t think we can discriminate here ;-)
> >>
> >> So I think it prevents CAPTCHA from being used for
> >> re-authentication, but not account creation or authenticating the
> >> 1st time in a browser. I think there is good argument for that, as
> >> CAPTCHA should not be used if you have already proven you’re not a
> >> robot.
> >>
> >> The current 2.0 SC is still useful for the multi-modal aspect.
> >>
> >> > Are there examples of sites that currently pass the proposed
> >> > SC language without relying on the exceptions?
> >>
> >> Yes, in the above form just having a username/password is fine. If
> >> you block pasting then you’d need to provide an email alternative.
> >> With second factor it gets more difficult, as you need to off-load
> >> the 2nd factor onto an OS/hardware device, which Chrome supports now,
> >> and others support soon. As Chrome supports webauth now I assume
> >> there are some google sites which support it, and as it can be used
> >> as an alternative method (e.g. time-based code OR webauth), I’m sure
> >> we can find some.
> >>
> >> Cheers,
> >>
> >> -Alastair
> >>
> >> PS. The 10 years of listening to security podcasts are finally
> >> coming in useful!
> >>
> >
>
> --
> Laura L. Carlson
>


-- 
Laura L. Carlson

Received on Wednesday, 20 December 2017 19:22:04 UTC