by michaelt
1512 days ago
The problem with proof-of-work-for-login is: Some of your attackers are going to run your proof-of-work algorithm on a 3090 Ti GPU and put loads of work into optimising their setup. Some of your legitimate users are going to run it on a Raspberry Pi 1 with an ancient browser that only runs wasm through a javascript polyfill. Tough to make up for a 1000x performance difference.
Those legitimate users logging in on a Raspberry Pi 1 are going to be in the vast minority (probably about 0.001%, if not less, as evidenced by the relative marketshares of Windows vs Linux, and how rare Raspberry Pis are for desktop use relative to normal x86 machines) of users of your service - it's OK for them to have 20s-30s logon times in exchange for (1) not requiring PII from users and (2) less credential stuffing.
Certainly, Raspberry Pi users are more rare than Internet Explorer users, which many developers simply refuse to support at all.
In particular, I am ok with having 30s logon times for services for my desktop computers (assuming that I only have to log on once every few months and not every few minutes like my brain-dead bank requires), so it's more than reasonable to expect those with an extremely niche and underpowered setup to have to wait that long for a very infrequent login process - again, for the sake of security and privacy.