by kijin 4776 days ago
The assumption is that the login button in the browser will be accompanied by features such as random password generation and automatic sync in the cloud (LastPass does this to some extent), so that the user doesn't need to manage yet another password. The proposal is to make this happen without waiting for websites all over the world to standardize on a single third-party identity like Persona (or heaven forbid, Facebook Connect).

I don't think there's anything in my proposal that makes 2FA impossible. That can be written into the spec. Enter your tokens into a little textbox that your browser pops up when you click "Login" on a website that requires 2FA.

Although many people seem excited about single sign-on systems like Persona, I respectfully disagree, for reasons I wrote about in a different post [1]. You ask whether individual websites should be in the business of authentication, but I'd rather ask why anybody should be in the business of authenticating anybody else to third parties. I'm not opposed to keeping all my credentials in a single location, but I want that location to be inside my own devices. I'm not opposed to sync, either, but I want sync to involve full client-side encryption. I have a great deal of trust in Mozilla, but precisely because I love them, I don't want them ever to put themselves in a position where a three-letter agency can ask them to hand over any information about me, even if it's just a list of email addresses that I use with Persona.

[1] http://www.kijinsung.com/id/610a7b92-3d4e-4c44-b231-0f5e4d1a...