As many have noted, this scheme is simple only because its only goal is to replace passwords, while seemingly ignoring even common security threats. Reminds me of TripleSec: https://news.ycombinator.com/item?id=9655245
I agree that the proposed solution has many flaws, and that PAKE is much more promising than any plain password-based scheme. As another commenter pointed out, OPAQUE is very interesting.
I just wish browsers natively supported that authentication scheme to further defend against phishing and other attacks where the javascript implementation can be replaced.