~sircmpwn/sr.ht#282: 
Research the possibilities for moving away from password-based authentication

The raw truth of it is that a massive number of people reuse passwords that have been leaked in any of the hundreds of data breaches which have occurred over the years. Passwords are simply not a secure form of authentication in $CURRENTYEAR. What are the alternatives?

Status
REPORTED
Submitter
~sircmpwn
Assigned to
No-one
Submitted
5 months ago
Updated
4 months ago
Labels
No labels applied.

Florian Maury 4 months ago

My understanding of what you are trying to achieve with SourceHut is minimal javascript. As such, solutions like WebAuthn/FIDO cannot be implemented: https://www.w3.org/TR/webauthn-1/

Fancy stuff like smartcards for TLS client certificate authentication is not really an option because support by browser is horrendous.

This leaves you with TOTP as a second factor and push notifications.

I recently started to see websites with no authentication mechanism. You declare your identity and you receive an email with the next instructions (either a temporary link to log you in, or a random string to paste in the login form).

That last authentication method is my current favorite, but it has some privacy drawbacks, because it requires the user to disclose an email address. On the other hand, SourceHut is already heavily oriented toward an email workflow, so this might not be a problem.
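The email-based login the comment above describes (declare an identity, receive a one-time link or code by email) has a small server-side core that is easy to get wrong: the secret must be unguessable, stored only as a hash, expire quickly, be usable once, and be compared in constant time. The following is an added illustration written for this ticket, not code from SourceHut or from the commenter. It assumes an in-memory pending-login table, a 10-minute lifetime and a cap of five redemption attempts per issued code; these values and the class and function names are choices made for the example. Sending the email and the HTTP handlers are left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example (not from the ticket or SourceHut).
TOKEN_TTL_SECONDS = 600   # a login link/code is valid for ten minutes
MAX_ATTEMPTS = 5          # after this many redemption tries the code is discarded


@dataclass
class PendingLogin:
    email: str
    token_hash: bytes     # SHA-256 of the emailed secret; plaintext is never stored
    expires_at: float
    attempts: int = 0


class EmailLoginStore:
    """Issue and redeem one-time email login secrets.

    `now` is injectable so that expiry can be tested without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending: dict[str, PendingLogin] = {}

    @staticmethod
    def _normalize(email: str) -> str:
        # Case-insensitive mailbox matching so "Alice@Example.org" and
        # "alice@example.org" refer to the same pending login.
        return email.strip().lower()

    @staticmethod
    def _digest(secret: str) -> bytes:
        return hashlib.sha256(secret.encode("utf-8")).digest()

    def issue(self, email: str) -> str:
        """Create a fresh secret for `email` and return it for emailing.

        Only its hash is kept, so a leaked table cannot be replayed.
        Re-issuing replaces any earlier outstanding secret. The caller
        should respond identically whether or not the address is known,
        to avoid account enumeration.
        """
        email = self._normalize(email)
        secret = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[email] = PendingLogin(
            email=email,
            token_hash=self._digest(secret),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        return secret

    def redeem(self, email: str, secret: str) -> bool:
        """Return True exactly once for a valid, unexpired (email, secret) pair."""
        email = self._normalize(email)
        entry = self._pending.get(email)
        if entry is None:
            return False
        if self._now() > entry.expires_at:
            del self._pending[email]         # expired: drop it
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[email]         # too many guesses: invalidate
            return False
        if hmac.compare_digest(self._digest(secret), entry.token_hash):
            del self._pending[email]         # single use: consume on success
            return True
        return False


def build_login_link(base_url: str, email: str, secret: str) -> str:
    """Assemble the URL placed in the email for the link variant of the flow."""
    from urllib.parse import urlencode
    return f"{base_url}/login/verify?{urlencode({'email': email, 'token': secret})}"
```

The attempt cap matters most for the "paste a random string into the form" variant: a long URL-safe token is not guessable in practice, but if the secret is shortened to something a person can type, the cap (and a per-address rate limit in front of it) is what keeps online guessing from working. Consuming the entry on success also means a link that was intercepted later, for example from a mail client's preview cache, no longer logs anyone in.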
