Friday, February 16, 2018

We were discussing identity management without login screens.
If the user's login credential (a token, passcode, password, private key or HTTP link) can be persisted in a blockchain-like database, we no longer need to maintain or manage it ourselves. Alternatively, we could consider encryption-based claims that a server issues and verifies, but without requiring a centralized server.
We refer to the detailed discussion here: https://1drv.ms/w/s!Ashlm-Nw-wnWtTfVe0YlXo5LKceK
Today we discuss how servers can help relieve customers of having to remember passwords. In particular, we discuss HTTP links instead of codes. The notion of server-issued one-time authentication links is effectively demonstrated by Slack.
When the user launches the application on her mobile device, she is shown a button to request that Slack send her a link. Slack then appears to generate a random code, the equivalent of a one-time passcode, and passes it to the user as an HTML link to click. When the link arrives on the mobile device, whether by SMS or push notification, the link propagates to the application's web view as a launch parameter.

The server-generated code is not a replacement for OAuth tokens and may very well be used in conjunction with that protocol, but the fact that we can present an HTML link, which is far more convenient for the user than an OTP code, is definitely an improvement in that sense. Most SMS applications and push notifications are able to recognize when a link is sent. Although those applications may not be secure, the server-generated code is definitely unique and cannot be spoofed. If the server issues these codes in the same way as it issues tokens, the mechanism may be considered secure. An initial one-time registration step can remove redundant routine during each subsequent sign-on, and in that sense the security of this mechanism can be hardened.
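As an added example (not Slack's code and not part of the original post), here is a minimal server-side issuer for one-time login links of the kind described above: it generates a random code, stores only the code's hash together with an expiry, embeds the code in an HTTPS link, and invalidates it on first redemption. The class name `MagicLinkIssuer`, the base URL and the ten-minute lifetime are assumptions for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class MagicLinkIssuer:
    """Issues and verifies one-time login links (hypothetical, not Slack's implementation)."""

    def __init__(self, base_url: str, ttl_seconds: int = 600, now=time.time):
        self.base_url = base_url      # assumed login endpoint the link points at
        self.ttl = ttl_seconds        # assumed lifetime of an unused link
        self.now = now                # clock, injectable for testing
        self._pending = {}            # sha256(code) -> (user_id, expiry); stands in for a DB table

    @staticmethod
    def _digest(code: str) -> str:
        # Store only a hash: a leaked table does not yield usable codes.
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        # 256 bits from the OS CSPRNG: unguessable, so the link itself is the credential.
        code = secrets.token_urlsafe(32)
        self._pending[self._digest(code)] = (user_id, self.now() + self.ttl)
        return f"{self.base_url}?{urlencode({'token': code})}"

    def redeem(self, link: str):
        """Return the user id for a valid, unexpired, never-used link; otherwise None."""
        code = parse_qs(urlparse(link).query).get("token", [""])[0]
        # pop() makes the code single-use: a second click, or a replay, finds nothing.
        entry = self._pending.pop(self._digest(code), None)
        if entry is None:
            return None
        user_id, expiry = entry
        if self.now() > expiry:
            return None
        return user_id


if __name__ == "__main__":
    issuer = MagicLinkIssuer("https://app.example/login")  # constructed sample
    link = issuer.issue("alice")
    print("link sent out of band:", link)
    print("first redemption :", issuer.redeem(link))   # alice
    print("second redemption:", issuer.redeem(link))   # None
```

A real deployment would also bind the link to the device or session that requested it and rate-limit issuance per user, which this sketch omits.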
