by bluegate010
3871 days ago
An issue with passwordless is its vulnerability to passive attack. From perusing the source code, it looks like they authenticate users based on a token and uid embedded in a link sent to the user's email address. If that link is intercepted, an attacker can impersonate the user. A system that addresses this drawback is SAW [1, 2]; it splits a token in half (via XOR) and sends part of it to the user as a cookie, and part to the user's email address. Clicking the link combines the two and submits them both to the server for validation.

[1] http://isrl.byu.edu/pubs/pp1001.pdf (short)
[2] http://isrl.byu.edu/pubs/saw.pdf (long)