[coder543]

> If you're using a different computer from normal, and don't have a hardware token or don't have it with you, you can't use WebAuthn.

This applies to literally all authentication schemes that use something beyond a password, including TOTP and SMS codes. It’s also kinda the point. An attacker will have a much harder time impersonating you.

You can use WebAuthn with just the fingerprint reader on your laptop or smartphone, or FaceID on iPhone. You don’t need an external hardware token, but those do work as well. You might even be able to use WebAuthn with your computer’s TPM using just a PIN instead of biometrics, but I’ve never bothered to check, because I’ve never wanted to do it that way.

A password by itself isn’t good enough anymore, so your argument in favor of SRP isn’t convincing, and I’m sure this is why browsers have never bothered to implement it. Making passwords slightly better doesn’t even come close to fixing them.

[Dylan16807]

> This applies to literally all authentication schemes that use something beyond a password, including TOTP and SMS codes.

Yes, and?

It's still a "real benefit" to passwords if they can't be stolen.

Even if you do have an independent second factor, that means you still have a password. Surely you want to protect that password better, on top of the second factor?

[coder543]

WebAuthn is designed to be able to be used as a strong single factor. You do not need a password. It cannot be MITMed or phished or leaked by server compromise. See an example here: https://webauthn.io/

> It's still a "real benefit" to passwords if they can't be stolen.

SRP does not mean passwords can’t be stolen. It just means that the backend of a particular website is no longer capable of stealing the password, as long as the user is careful to only use their browser’s (currently nonexistent) SRP dialog box.

The user’s computer can still have a keylogger on it.

The user can still be phished.

> Surely you want to protect that password better, on top of the second factor?

No, I want passwords to just go away. They add extremely little security on average. Power users like us might use strong, unique passwords, but almost no one does that in the real world. Protecting the password “better” doesn’t matter when the user also uses that same, weak password on a dozen other websites already.

SRP does not solve the actual problems people are facing, which is surely why browsers don’t support it. It’s a cool idea (honestly!), but it’s a solution in search of a problem now that we have WebAuthn.

If SRP is so beneficial even today, why don’t browsers implement it? They implement so much other stuff. You’re implying quite a conspiracy, which doesn’t make sense when it “compromises” the security of passwords going to Google and Apple just as much as it does everyone else. The “real benefit” appears to be lacking.

[Dylan16807]

> SRP does not mean passwords can’t be stolen. It just means that the backend of a particular website is no longer capable of stealing the password, as long as the user is careful to only use their browser’s (currently nonexistent) SRP dialog box.

Yes, sorry. Less likely to be stolen, and can't be stolen by the server.

> No, I want passwords to just go away.

That's fine and dandy but it's moving the goalposts significantly.

I'm not going to disagree with your desire to get rid of passwords. But your initial premise was that second factors are good, and in that context it's also good to add more protection to passwords directly.

> If SRP is so beneficial even today, why don’t browsers implement it?

I said it was better, not that it's the most amazing idea in the realm of security.

Also when browsers implement optional security features they tend not to get website support.

> You’re implying quite a conspiracy

No I'm not, don't be weird.

[coder543]

I like how you completely ignored my statement about WebAuthn not needing a password. My original question to you said you didn’t need a password: “How is SRP materially better than WebAuthn, which is intended to be able to be used as a single factor authentication mechanism?”

WebAuthn as a single factor means there is no password or TOTP or anything else. Just WebAuthn.

You can go back to my very first comment where I said “The real way to add more security is to minimize dependence on passwords”. I tried to be clear from the beginning that passwords aren’t the answer, in my opinion. Yes, people are psychologically accustomed to having a password in addition to other things, but I don’t see the password as actually contributing much to the security.

My first comment also linked to another comment of mine from two months ago where I said “I would personally push away from passwords on the whole at this point.”

I definitely wasn’t moving the goal posts at any point, as I can point to multiple examples of holding this position the whole time, but I know that I’m not always the clearest communicator.

[Dylan16807]

> I like how you completely ignored my statement about WebAuthn not needing a password. My original question to you said you didn’t need a password: “How is SRP materially better than WebAuthn, which is intended to be able to be used as a single factor authentication mechanism?”

I answered that immediately. You can use it in more places.

Otherwise, in places where you can use both, it's worse.

> I tried to be clear from the beginning that passwords aren’t the answer, in my opinion.

I agree with that idea, but then you said the only way to improve on things was 2FA or SSO which isn't right.

[coder543]

> I answered that immediately.

You were conveniently ignoring it in the context where you claimed I was moving the goal posts.

I did not move the goal posts.

> I agree with that idea, but then you said the only way to improve on things was 2FA or SSO which isn't right.

That's an oversimplification of things, at best. I specifically linked to an older comment of mine for those who wanted more detail, and that comment recommended moving away from passwords entirely. You saw what you wanted to see. My summary in this thread was focused on the thread itself, which was discussing how to make password authentication more secure... and the way to do that is to add a second factor. Not security theater like client-side hashing as people were trying to propose higher in the thread.

This discussion is really boring at this point.