Re: [Cfrg] aPAKE Analysis / Why System-Level-View

[Björn Haase <bjoern.m.haase@web.de>]

> Being able to trigger a PAKE from a button press on your 2FA hardware
> token would also be a significant UX improvement over many of the
> other options with similar security level.
>
Do I correctly understand that you had in mind: The user first
establishes a normal https:// connection and then presses the 2FA
hardware switch in order to run a PAKE in addition to the previous
certificate-based authentication?

This is not what I assumed. What I had in mind is rather the following
procedure. The server knows its requirements regarding security, etc. .
The user and the browser don't know the required procedure in advance
when connecting. If the server is needing 2FA, it would arrange the
client to provide the aPAKE password entry mask and provide a "Please
press authentication token switch for authentication".

Did I actually mis-understand your post?