[cryptography] more oneid stuff 2-factor when smartphone offline scenarios (Re: replacing passwords with keys is not so hard (Re: PBKDF2 + current GPU or ASIC farms = game over for passwords))

Adam Back adam at cypherspace.org
Tue Oct 1 16:55:11 EDT 2013

On Tue, Oct 01, 2013 at 04:28:01PM -0400, Jonathan Thornburg wrote:
>On Tue, 1 Oct 2013, Adam Back wrote:
>> The point is rather to switch to keys.  Check out oneid.com.  [[...]]
>> Its easy to use, just read the transaction confirmation on your smart phone
>> and click a button, thats the user experience.  [[...]]
>How do I use this if I'm somewhere with no cellphone reception?

If you're offline it wont work because you wont be able to obtain the server
contribution to go with the password you know for the KDF to unlock your
smartphone private key.  (Technically the key could be cached, but you
probably dont want to make that too lax or your device could be stolen in
unlocked state).

But the use case is to single signon to an online service so thats probably
not a (new) problem.  Not online = no access services you need web single
sign on for?  If you're online on your laptop via wifi you can probably (but
not 100%) get online with your smartphone.  (The gap being the very odd
wretched hotel that tries to charge for wifi by number of devices).

No particular support from oneid but in principle you could reverse tether
your smartphone to your laptop but the setup for that is not convenient for
novice users, and many wifi chipsets cant be a hotspot and client
simultaneously.  I guess there's stll bluetooth reverse tether, but again
not easy to setup for novice users and probably the reverse direction to
what handset and computer OS aim to support.

>How do I use this if my cellphone just broke down?

You get a replacement cellphone and pair it to your account.  It is possible
to chose to login to sites with a lower security margin, by flagging them to
be allowed to login with laptop only (making the smartphone unnecessary). 
However that is vulnerable to malware, and in oneid the relying party can
insist on having the smartphone level of security (and they can tell if
their policy was applied as there are 2 signatures in the challenge response
rather than 3).  You can also pair multiple smartphones/tablets to your
account, eg use your tablet or partner's smartphone if travelling together. 
I guess most people dont carry two smartphones, but smartphone + tablet +
laptop is maybe not that rare.

But otherwie I think for high security its the price you pay.  You dont want
targetted malware on your laptop to empty your bitcoin web wallet so you
have to tolerate the 2nd factor.  Its more useful than a OTP keyfob
(secureid and clones) because you can see the transaction details you are
authorizing.  OTP keyfobs can be repurposed by laptop malware to authorize
something different from what you think you are entering it for.

Try locking yourself out of your online banking while travelling by
forgetting a password.  An international cell call to their online support
etc is not much fun either.  The alternative has its failure modes as well
as being significantly insecure.

You'd wonder if oneid would be amenable to trying to be extremely open and
making reference implementation and open standard like openid if people
thought the idea is a net improvement.  That could be one way to overcome
selfish identity ownership thinking amongst relying parties.  And also it is
a fair concern from individual web developers of what happens to their login
mechanism if oneid went out of business.  The model actually open, that
anyone can run a federation server, analogous in that sense to openid.


More information about the cryptography mailing list