[Cfrg] aPAKE Analysis / System-Level view / Is 2FA a relevant topic ? / Is aPAKE an optional addition to WebPKI or the main TLS authentication mechanism?
Björn Haase <bjoern.haase@endress.com> Tue, 24 September 2019 10:59 UTC
Return-Path: <bjoern.haase@endress.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8003912018B for <cfrg@ietfa.amsl.com>; Tue, 24 Sep 2019 03:59:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=endress.com header.b=Qb3chIlo; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=endress.com header.b=QEqoXn9A
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S1_wjxBje7tx for <cfrg@ietfa.amsl.com>; Tue, 24 Sep 2019 03:59:16 -0700 (PDT)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-eopbgr20060.outbound.protection.outlook.com [40.107.2.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B922D12010E for <cfrg@irtf.org>; Tue, 24 Sep 2019 03:59:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=endress.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+/OllC/utwVHdXvWINz1JKQhN50pADYLFMqLSz4XOEY=; b=Qb3chIloEo9T1pICKUHBDwkptljkcF80CeuJmymtlCDDes4K0s/8A736f/o9plQVZKsBlIiVA+m+xZNkm1sNJ4WoCCIblPO3kq/m+NrsVs7P3eV04NEqXSDSQdXNEBH4o6012hIFExHA7k5ZOYn3GUbF+Cgvqfvm/Js+AzE8rC0=
Received: from VI1PR0502CA0009.eurprd05.prod.outlook.com (2603:10a6:803:1::22) by HE1PR0502MB2972.eurprd05.prod.outlook.com (2603:10a6:3:d7::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2284.18; Tue, 24 Sep 2019 10:59:12 +0000
Received: from AM5EUR03FT062.eop-EUR03.prod.protection.outlook.com (2a01:111:f400:7e08::206) by VI1PR0502CA0009.outlook.office365.com (2603:10a6:803:1::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2284.20 via Frontend Transport; Tue, 24 Sep 2019 10:59:12 +0000
Authentication-Results: spf=pass (sender IP is 52.233.195.251) smtp.mailfrom=endress.com; irtf.org; dkim=fail (body hash did not verify) header.d=endress.com;irtf.org; dmarc=pass action=none header.from=endress.com;
Received-SPF: Pass (protection.outlook.com: domain of endress.com designates 52.233.195.251 as permitted sender) receiver=protection.outlook.com; client-ip=52.233.195.251; helo=iqsuite.endress.com;
Received: from iqsuite.endress.com (52.233.195.251) by AM5EUR03FT062.mail.protection.outlook.com (10.152.17.120) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2284.20 via Frontend Transport; Tue, 24 Sep 2019 10:59:11 +0000
Received: from mail pickup service by iqsuite.endress.com with Microsoft SMTPSVC; Tue, 24 Sep 2019 12:59:10 +0200
Received: from EUR01-VE1-obe.outbound.protection.outlook.com ([104.47.1.52]) by iqsuite.endress.com over TLS secured channel with Microsoft SMTPSVC(8.5.9600.16384); Tue, 24 Sep 2019 12:59:08 +0200
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HhpQHh7puw2AHczIyFRI7mVU9vPuxrET9MbYzQTdHZZ1JyEoyBSrehTd6Y7aqJ+p/xBOWQvRz0v8kSnlidfFaMNESl9KJso6wy3gULIBhpPlFG/ZJCf8l4clccXzDhCwO/W5+3ylRP25YOE0i4aSTskS43i99diZLm5bN0mln43ZXUhQ3PkW1OZb31H+BfYLgY8yICOGZQ2WfWBKp5zUy88YGRqkSHE4AwVdH7Amh3wPOAv5LHYfBT7H2rQpaXfOnYqe4KSpBkpG3malPGGYupyXICYorA157Pz3iLzLIokypXaqJxV8H44ecVv6N6znnZUvSN3FQpcWl1Ub4LhNEw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iheit8Jgd9W5tIFgbB5HXdud6ktcYXhqewWGJAgXYWI=; b=Dou8QUSZcWKjB0cjq1z52Ucrb0XU7Ltj7N72znptR0XDvmIpSyyoVZgCHYU/O8WQZfYfJrjU/Wv/yhh+ruwUIDAcxiIzur0/NyRcUpyOCAJka9a8KlzUfhVmHxhKTXqlIH/g9I8H6kbcN8uQy9F+uQ1QztnswavnNl39F4NLwGlsYucuw81LpPkxHLZoVhv/sc5D4nmlMjzCDbt+/oT4KuiCZMkCB7WrZhcRUmerFI67Y49k69oFfTlhs9SBljEDzmvW/ipXhWN2I2ekJ9/b+V1U3Y2JaW7uadfSejOLrwHOlhNR6/QRSjxlYa7uL7iWGIYqgQRXud0er9oUfL4QzA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=endress.com; dmarc=pass action=none header.from=endress.com; dkim=pass header.d=endress.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=endress.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iheit8Jgd9W5tIFgbB5HXdud6ktcYXhqewWGJAgXYWI=; b=QEqoXn9AHT1yJV/x7VBLguATpCpj7rP7Dgas+SpobiJehqnWBwN3NwkoWm7hME7hNnBSlOwU/PMadVQ+vC/gIIlwUvvkpoXXRUUCk0g1y+XusaKPUTl9BvfqXkyrgGJ0JVPVDIftQXIWnClh+kzp7oUunz1mvhoBjThAcVLlwBI=
Received: from VI1PR0501MB2255.eurprd05.prod.outlook.com (10.169.135.11) by VI1PR0501MB2461.eurprd05.prod.outlook.com (10.168.137.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2284.25; Tue, 24 Sep 2019 10:59:08 +0000
Received: from VI1PR0501MB2255.eurprd05.prod.outlook.com ([fe80::855f:14b4:fe51:27ad]) by VI1PR0501MB2255.eurprd05.prod.outlook.com ([fe80::855f:14b4:fe51:27ad%10]) with mapi id 15.20.2284.023; Tue, 24 Sep 2019 10:59:08 +0000
From: Björn Haase <bjoern.haase@endress.com>
To: Natanael <natanael.l@gmail.com>, Björn Haase <Bjoern.M.Haase@web.de>
CC: IRTF CFRG <cfrg@irtf.org>
Thread-Topic: [Cfrg] aPAKE Analysis / System-Level view / Is 2FA a relevant topic ? / Is aPAKE an optional addition to WebPKI or the main TLS authentication mechanism?
Thread-Index: AdVyxxWsPj30jIbmS0mFtBOoFx4q9Q==
Content-Class:
Date: Tue, 24 Sep 2019 10:59:08 +0000
Message-ID: <VI1PR0501MB22550E7C3A1A34B6B49CE0A183840@VI1PR0501MB2255.eurprd05.prod.outlook.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Enabled=True; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_SiteId=52daf2a9-3b73-4da4-ac6a-3f81adc92b7e; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Owner=bjoern.haase@endress.com; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_SetDate=2019-09-24T10:59:06.8978173Z; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Name=Not Protected; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Application=Microsoft Azure Information Protection; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_ActionId=f00e03e3-0744-48ca-9eac-aba6c3a9c514; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Extended_MSFT_Method=Automatic
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=bjoern.haase@endress.com;
x-originating-ip: [193.158.100.19]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: 0bf07a32-3823-494f-01b2-08d740de3b6a
X-Microsoft-Antispam-Untrusted: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600167)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:VI1PR0501MB2461;
X-MS-TrafficTypeDiagnostic: VI1PR0501MB2461:|HE1PR0502MB2972:
X-Microsoft-Antispam-PRVS: <HE1PR0502MB2972EEF12FB29899658CBF4283840@HE1PR0502MB2972.eurprd05.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
x-forefront-prvs: 0170DAF08C
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009020)(4636009)(346002)(376002)(136003)(396003)(366004)(39860400002)(189003)(199004)(86362001)(3846002)(790700001)(256004)(6116002)(85202003)(26005)(186003)(478600001)(4326008)(33656002)(85182001)(81166006)(81156014)(14454004)(25786009)(8676002)(99286004)(8936002)(7696005)(6506007)(110136005)(102836004)(316002)(966005)(74316002)(54896002)(9686003)(236005)(486006)(476003)(55016002)(66946007)(66476007)(2906002)(64756008)(66574012)(66446008)(52536014)(66556008)(71200400001)(71190400001)(5660300002)(7736002)(6306002)(19627235002)(14444005)(6436002)(76116006)(66066001); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0501MB2461; H:VI1PR0501MB2255.eurprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: endress.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info-Original: xA0y9a+b2Dp8LzcIEkbK8CyoMeC3IaPKlVT3nQL0Bdpgkj6P6X2pGpJ2NDU8QsZ2+RNf+PLCedawlb+NgWUUiQkum9Zhx66P3wH+Gp0zotCxjgA3hOaRO7nCX6qd9SyU/8QbeDYDIA2dbtriG0kEQNIIoy11zMmw5o16m1gZ4DZIOojMkpjDet+/CvaWVfWMNSfjvwk8GZId3Ux9smmlBhFb/s49/XIbYP5wTSVUbIUVDguqAtSYb+9d0HxAg31mxMwXAAylW4f3zJU1ZSsSY5LHLe/PajPa516nAOXyyYnHXDcQgveoANHE0nBSK3DipJjj5y74Yji9+irDSguF/pC0viW5djVDq5MNci97w6aAdnE2Pv3RzmROhfwFoZC244YOddhVzmMNTfc2IMtdfRDpKEMu+QcYDrhqUhJs2n0=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_VI1PR0501MB22550E7C3A1A34B6B49CE0A183840VI1PR0501MB2255_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0501MB2461
X-OriginalArrivalTime: 24 Sep 2019 10:59:08.0698 (UTC) FILETIME=[16FC27A0:01D572C7]
X-Trailer: 1
X-GBS-PROC: oNCY3LjDuOZwfO77WcMUDt88qp0vADAJiw4sJdR3ZC8=
X-GRP-TAN: IQWE02@8614DC80739D4AC9B2F2305FE4CCFAF1
X-iqsuite-process: processed
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM5EUR03FT062.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:52.233.195.251; IPV:CAL; CTRY:NL; EFV:NLI; SFV:NSPM; SFS:(10009020)(4636009)(376002)(396003)(136003)(346002)(39860400002)(199004)(26234003)(189003)(6506007)(66574012)(476003)(7696005)(606006)(54896002)(126002)(790700001)(6306002)(236005)(336012)(86362001)(19627235002)(55016002)(5660300002)(6116002)(7736002)(9686003)(30864003)(2906002)(14444005)(102836004)(3846002)(356004)(74316002)(70206006)(26826003)(52536014)(14454004)(25786009)(71190400001)(81166006)(966005)(186003)(81156014)(4326008)(8676002)(316002)(8936002)(16586007)(478600001)(106002)(486006)(33656002)(15974865002)(70586007)(76130400001)(99286004)(66066001)(85182001)(33964004)(85202003)(26005)(110136005); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0502MB2972; H:iqsuite.endress.com; FPR:; SPF:Pass; LANG:en; PTR:InfoDomainNonexistent; A:1; MX:1;
X-MS-Office365-Filtering-Correlation-Id-Prvs: b44f909a-606f-48a1-df03-08d740de3984
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600167)(710020)(711020)(4605104)(4709080)(1401327)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:HE1PR0502MB2972;
X-MS-Exchange-PUrlCount: 3
X-Forefront-PRVS: 0170DAF08C
X-Microsoft-Antispam-Message-Info: IF7dlD/cJLd5ldEjZBljqYgzCsWjJ4wgs2kYTg1vWKaR+18JayhnGjOHiiQRXeJsQanDPgUmTKW/U+kkeBps6xMqby+x80ObcDaEhb5NKFp7lmGv5k354VlL4ewLal5YIQTyLjmxBT8dly5EY3XhKKtVGvJ7a6NxSVMnVl7/jqFVmvR5m7pCyLh7BDERcS9UbCoJ1iifPeKDhXM9D028IkD2Hob2UmvhivVo4CUhXHYjqkvPyWMTwygiP0SThN/uZKntddbPnj2sBvIzE/cu3HYorQIiB/kjbfN2eng7KXljF1sMsvaO7d+Ke6M8ypLMIttP6TSS065LIkdvXcp6HWHpTtcl55p+bqOUL2CAInDuom4jnVb2fTBZOjn+hjD2g470rTnKwqDjqWamwP9G/dWILW+RphtaqLa0vHPBBx4=
X-OriginatorOrg: endress.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 24 Sep 2019 10:59:11.9794 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 0bf07a32-3823-494f-01b2-08d740de3b6a
X-MS-Exchange-CrossTenant-Id: 52daf2a9-3b73-4da4-ac6a-3f81adc92b7e
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=52daf2a9-3b73-4da4-ac6a-3f81adc92b7e; Ip=[52.233.195.251]; Helo=[iqsuite.endress.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0502MB2972
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/HW-KalcdbJNFC-M-STXbocd0ma4>
Subject: [Cfrg] aPAKE Analysis / System-Level view / Is 2FA a relevant topic ? / Is aPAKE an optional addition to WebPKI or the main TLS authentication mechanism?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2019 10:59:21 -0000
Hi Natanael, If I understand correctly, the procedures you suggest would be quite similar to what I had in mind. I was not actually be having any preference regarding the sequencing, but your reasoning regarding “First 2FA press, then password” convinces me. I also had actually several possible options for merging aPAKE and 2FA the operations in mind. For instance for some 2FA applications today I use a token generator that outputs a 6-digit time-dependent code, seemingly based on some shared symmetric secret and the time. If such a code would be the second factor, one could append it to the PRS string on both sides as additional low-entropy input from the 2FA channel. This avoids the need of further asymmetric crypto on both sides. If you have a better 2FA token that allows for signatures, one could make it sign the session ID and send this to the server for signature verification. I believe that there might be several options for integrating multi-factor-authentication in addition to aPAKE. The crucial points however might rather be 1. Do we see the need to have the use-case of authentication for aPAKE + 2FA in addition to aPAKE alone in mind? (I’d say “YES!”) 2. Should we enforce the mutual aPAKE authentication (+ optional 2FA) *before* or *after* the first application payload traffic (e.g. the first html information)? Or should we consider aPAKE (+ optional 2FA) to be merely an optional step after establishing a conventional (WebPKI)-certificate authenticated session? My perception is: For the aPAKE systems (+ optional 2FA) we should not at all be relying on Web-PKI. We should finish the (aPAKE + 2FA) step before opening the TLS channel for application data. Others seem to advocate for a setting where aPAKE is used as an optional feature *addition* to a mandatory Web-PKI configuration. In this case, essential security component would still be based on WebPKI and aPAKE would be just an optional addition. I don’ think that the latter option would be a good solution security-wise. I also don’t see, how the end-user should be finding out that the password that she enters into an html page field would actually be protected by aPAKE or sent in clear-text to the server. aPAKE as add-on to WebPKI would also not serve our use-case where we precisely need a solution to the problem that the end-customer is not skilled enough for maintaining certificates in his browser and his IoT device (or would like to avoid the cost/effort for getting a domain name and maintained server certificate from a browser-trusted CA). A well-configured browser would just be preventing any connection due to the failed certificate validation. @CFRG and @Nathanael: What is your position regarding the questions 1.) and 2.) above? Yours, Björn. Mit freundlichen Grüßen I Best Regards Dr. Björn Haase Senior Expert Electronics | TGREH Electronics Hardware Endress+Hauser Conducta GmbH+Co.KG | Dieselstrasse 24 | 70839 Gerlingen | Germany Phone: +49 7156 209 377 | Fax: +49 7156 209 221 bjoern.haase@endress.com | www.conducta.endress.com Endress+Hauser Conducta GmbH+Co.KG Amtsgericht Stuttgart HRA 201908 Sitz der Gesellschaft: Gerlingen Persönlich haftende Gesellschafterin: Endress+Hauser Conducta Verwaltungsgesellschaft mbH Sitz der Gesellschaft: Gerlingen Amtsgericht Stuttgart HRA 201929 Geschäftsführer: Dr. Manfred Jagiella Gemäss Datenschutzgrundverordnung sind wir verpflichtet, Sie zu informieren, wenn wir personenbezogene Daten von Ihnen erheben. Dieser Informationspflicht kommen wir mit folgendem Datenschutzhinweis (https://www.endress.com/de/cookies-endress+hauser-website) nach. Disclaimer: The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential, proprietary, and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you receive this in error, please contact the sender and delete the material from any computer. This e-mail does not constitute a contract offer, a contract amendment, or an acceptance of a contract offer unless explicitly and conspicuously designated or stated as such. Von: Cfrg <cfrg-bounces@irtf.org> Im Auftrag von Natanael Gesendet: Dienstag, 24. September 2019 12:15 An: Björn Haase <Bjoern.M.Haase@web.de> Cc: IRTF CFRG <cfrg@irtf.org> Betreff: Re: [Cfrg] aPAKE Analysis / Why System-Level-View Den sön 22 sep. 2019 21:32Björn Haase <bjoern.m.haase@web.de<mailto:bjoern.m.haase@web.de>> skrev: > Being able to trigger a PAKE from a button press on your 2FA hardware > token would also be a significant UX improvement over many of the > other options with similar security level. > Do I correctly understand that you had in mind: The user first establishes a normal https:// connection and then presses the 2FA hardware switch in order to run a PAKE in addition to the previous certificate-based authentication? Wouldn't have to be the default, but I'm considering a version of this; If the server tells the client that it supports both hardware 2FA and PAKE, and that they are supported together (and this flag could be cached on the client so it can alert on downgrade), then yes. It would perform HW 2FA auth on button press (may include certificates) and then trigger PAKE. The user types the password and hits OK. Done. This is not what I assumed. What I had in mind is rather the following procedure. The server knows its requirements regarding security, etc. . The user and the browser don't know the required procedure in advance when connecting. If the server is needing 2FA, it would arrange the client to provide the aPAKE password entry mask and provide a "Please press authentication token switch for authentication". Did I actually mis-understand your post? Your approach seems to be slightly different. So the browser first opens the PAKE prompt and you then verify with the token? Presumably the browser informs the user that the current webpage has PAKE support, they click to open the prompt, and confirm with HW 2FA verification? While functionally similar, the difference is in the UX security. With your approach one could more easily get the user password through phishing by showing them fake login prompts (and in a targeted attack, the token could then be stolen). A user that has been successfully taught that the password must only be entered in the prompt after pressing the HW 2FA button will not type their password into phishing prompts.