Re: [Cfrg] How to circumvent the obstacles for PAKE integration into TLS // slides.

[Natanael <natanael.l@gmail.com>]

Den ons 7 aug. 2019 14:16Hannes Tschofenig <Hannes.Tschofenig@arm.com>
skrev:

> Here are my 5 cents:
>
> I don’t expect PAKEs to be used for web-based scenarios as a replacement
> for passwords used in web-based applications.
>
> Instead, the only use of PAKEs I had seen over the last few years was in
> the area of IoT as part of onboarding mechanisms.
>
> Unless those folks developing browsers tell me that they want to put PAKEs
> into their browsers I would focus on the IoT use cases instead. The reason
> why I am saying this is because FIDO, which also tackles the password
> problem, looks like a much, much more promising route…
>
We just got Facebook declaring interest in using OPAQUE or equivalent PAKE
protocols, which is significant.

And I also think (in my layman's opinion) that this should be supported in
browsers so websites can use it. I've written this once before;

The way I see it, combining a PAKE with a 2FA solution like FIDO / WebAuthn
is the best approach.

It's infinitely more resistant to both phishing and to accidental harm.
Compared to just adding a second factor which would still expose the
password, you don't just devalue credential phishing attempts when
combining U2F + PAKE, you can make it close to impossible.

FIDO 2FA by itself doesn't really "tackle the password problem". It "just"
adds a very strong shield *behind* it (but not in front of it). You still
risk leaking passwords, and password reuse isn't going away no matter how
much we try, people will remain lazy and reuse them. And not every site
will use 2FA!

While it's true that a PAKE can't protect a weak password if the server
gets breached (dictionary or bruteforce guessing), it can however protect
against a hacker spying on your strong passwords when they hack a site you
use! So under PAKE, your strong passwords remain strong even if the
adversary can manipulate the server, and they won't be able to test reusing
then against other services (at least assuming replay attack protection in
the protocol!).

A secondary and less common risk (yet real) is spearphishing, where
somebody is willing to steal your token and test reused passwords against
the target web service(s).

Pushing for widespread PAKE support (with dictionary attack resistance) to
resist password leaks is far more effective. One could hope that training
users to expect a browser initiated PAKE password entry would make them
suspicious of plaintext credential phishing forms.

I envision an approach where the user first types their username (which the
browser can remember), get asked to confirm their login attempt with their
hardware 2FA token (button press, or TPM connected secure input), and then
they get a secure PAKE prompt from the browser that asks the user to type
their password / PIN. After both U2F and PAKE has successfully
authenticated the user, they get logged in.

The browser's PAKE prompt may even be integrated with a password manager,
so you only need to click OK after you have unlocked your password manager.

U2F even supports registering keypair on the hardware token which allow you
to login without typing your username (requires using storage space on the
token), making it even simpler (press the button, type a PIN).

So the simplest secure login ux flow would be to unlock the password
manager once with your password, then login to a website by tapping the
hardware token's input button, then (optionally, can be automated) confirm
your password input.

>
>