by cookiecaper
3342 days ago
This has been implemented before. I briefly maintained a legacy project that supported it via IE. In practice, it's a nightmare. Users constantly lose their certs and require manual re-auth. There was a complex install process to get the new cert in place. Usernames and passwords were still a thing; the cert was just to verify that you're coming from an authenticated computer. Something like your proposal may work if it involves a one-way hash of biometric data (fingerprint scan) so that people can't "lose their cert", but that comes with its own problems too.
Such as biometrics make terrible passwords because they can't be changed. Once compromised (3D-printed fingerprints anyone? [0]) then you are forever compromised. Just in case someone wanted an example of why biometrics are terrible.
[0] http://www.novetta.com/wp-content/uploads/2015/10/NovettaBio...