We were discussing identity management without login screens.
If we can persist a token/passcode/password/private-keys/HTTP-Links for the user to login in a blockchain like database, we will have no need to maintain or manage these ourselves. Alternatively, we could consider using encryption-decryption-based and server issued-and-verified claims but without requiring a centralized server.
Today we continue discussing http links instead of codes. The notion of server-issued one-time authentication links is effectively demonstrated by Slack. This application presents a login button that dynamically fetches a login url from the server for that account on that device. It does away with the need to specify the password. An initial one-time registration step may remove the repetitive routine during each sign-on, and in that sense the security of this mechanism can be hardened.
The http link issued from the server could be enhanced with a PIN that the user knows. This adds more security. This then becomes the equivalent of PIN and OTP code that the users specify.
The OTP code could also be generated from a local application or device if it was pre-registered with the authentication server.
So far we have elaborated on the following three components:
1) user knowledge based component
2) server issued dynamic component
3) convenience factor
The last component above is the determining factor in why dynamic challenge questions cannot be a single and complete replacement for logins and passwords. The questions can be generated dynamically by the server, such as from a list of ten questions that only the user can answer, and the questions do not even need to have static answers, yet they cannot be as simple as the username and password. Moreover, people like to use their email or phone numbers for their username, something that does not seem likely to change although it adds vulnerability by tying every account to one centralized reset path.
#codingexercise
Find the maximum product of an increasing subsequence
Since the input is all positive, the longest increasing subsequence will also give the maximum product.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;

// products[i] holds the largest product of an increasing subsequence ending at A[i].
double GetProductIncreasingSubsequence(List<double> A, int n)
{
    Debug.Assert(n == A.Count);
    Debug.Assert(A.All(x => x > 0)); // the argument above relies on positive input
    var products = new List<double>();
    for (int i = 0; i < n; i++)
        products.Add(A[i]); // a single element is an increasing subsequence of its own
    Debug.Assert(products.Count == A.Count);
    for (int i = 1; i < n; i++)
        for (int j = 0; j < i; j++)
            if (A[i] > A[j] &&
                products[i] < (products[j] * A[i]))
                products[i] = products[j] * A[i]; // extend the best subsequence ending at j
    return products.Max();
}