HackerTrans
TopNewTrendsCommentsPastAskShowJobs

will1james

no profile record

comments

will1james
·2 tahun yang lalu·discuss
> It's even weird for you to do login-with-Google or SIWA.

What is "SIWA"?
will1james
·2 tahun yang lalu·discuss
What are the other potential problems of the "email is authentication" pattern, under the following prescribed conditions? Maybe just these two?

(Prescribed Conditions)

- "Credential Recovery" complies with OWASP ASVS and is "adequately secure".

- "Credential Recovery" is the "weakest link" of authentication. (Other authentication methods require TOTP, etc.)

(Potential Problems)

- The financial cost of sending emails.

  - my guess is that, since I could not find of news of this issue,
    these users are only a small percentage (hopeful not yet)
- End-to-end response time for the "Credential Recovery" authentication process

  - my guess is that users who choose "Credential Recovery"
    authentication over other "happy-path" authentication are willing
    to wait, or are use to waiting.
(Non-problems)

- If the above conditions are specified, authentication security is not compromised.

(Terms)

- "Credential Recovery" as in OWASP ASVS V2.5 Credential Recovery, or "Self-service password reset" as in Wikipedia, or "forgot password" flow.

https://en.wikipedia.org/w/index.php?title=Self-service_pass... https://owasp.org/www-project-application-security-verificat... https://github.com/OWASP/ASVS/raw/v4.0.3/4.0/OWASP%20Applica...

- "adequately secure" as in NIST SP 800-160 Vol. 1 Rev. 1, 3. System Security Concepts, 3.2. The Concept of an Adequately Secure System.

https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...