by ihattendorf 3341 days ago
https://www.w3.org/TR/webauthn/
1 comments

It's a nice idea, but their implementation proposal is lame. They keep depending on a phone like a phone is secure or ubiquitous (it is neither) or on keyfobs or "gestures" (the former nobody will use, and the latter is just a less secure password).

They rely on public key auth, which is more complicated and less reliable than a simple TOTP token. Considering that web browsers already support public key authentication but nobody uses it because their design is a UX garbage fire, I don't think that scheme will work well.

Other things are problematic too, like scripts (rather than the web server) having control of the process; this is an unnecessary attack vector. They also depend on browser-specific technology which limits how this system can be extended to other clients. This spec was clearly written by a JS developer, for JS developers.

This should not be a "web standard". Service providers that need strong authentication for HTTP don't only use web browsers. It will be more useful to be able to support existing applications through the use of an HTTP extension, rather than updating every single web app in the world to support this scheme.

In fact, now that I think of it, you could tack TOTP onto existing HTTP authentication right now! Just allow "TOTP:<token>" as a password entry. I don't know why I didn't think of that before.