Re: [Cfrg] How to circumvent the obstacles for PAKE integration into TLS // slides.

Björn Haase <bjoern.haase@endress.com> Wed, 28 August 2019 11:05 UTC

Return-Path: <bjoern.haase@endress.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A696120108 for <cfrg@ietfa.amsl.com>; Wed, 28 Aug 2019 04:05:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=endress.com header.b=g/3OIB8Z; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=endress.com header.b=jcw4xLrO
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oVQko-eRrtC3 for <cfrg@ietfa.amsl.com>; Wed, 28 Aug 2019 04:04:55 -0700 (PDT)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00052.outbound.protection.outlook.com [40.107.0.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E951120100 for <cfrg@irtf.org>; Wed, 28 Aug 2019 04:04:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=endress.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Lctqth5Osp+sN43yRHUvmJy6hLFORs8juu3oGM4fpCA=; b=g/3OIB8Z2wMvYhBznqoE80xhNN+Il3eqH1Vh1UoFEPrNozccqnVWp8yhTrAaAElQi307Oz3od/1tHnXlk/BwokqHImGv5s/XPh6hKCrmg28p7QHPbNG5knaHaN8ZMaXptDBr/kL1Uld6FM58wqPt4mJHKpE5FsBdFVamlylhD3w=
Received: from DB7PR05CA0058.eurprd05.prod.outlook.com (2603:10a6:10:2e::35) by DB8PR05MB6618.eurprd05.prod.outlook.com (2603:10a6:10:ac::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2178.16; Wed, 28 Aug 2019 11:04:50 +0000
Received: from DB5EUR03FT013.eop-EUR03.prod.protection.outlook.com (2a01:111:f400:7e0a::207) by DB7PR05CA0058.outlook.office365.com (2603:10a6:10:2e::35) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2199.14 via Frontend Transport; Wed, 28 Aug 2019 11:04:50 +0000
Authentication-Results: spf=pass (sender IP is 52.233.195.251) smtp.mailfrom=endress.com; irtf.org; dkim=fail (body hash did not verify) header.d=endress.com;irtf.org; dmarc=pass action=none header.from=endress.com;
Received-SPF: Pass (protection.outlook.com: domain of endress.com designates 52.233.195.251 as permitted sender) receiver=protection.outlook.com; client-ip=52.233.195.251; helo=iqsuite.endress.com;
Received: from iqsuite.endress.com (52.233.195.251) by DB5EUR03FT013.mail.protection.outlook.com (10.152.20.105) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2220.16 via Frontend Transport; Wed, 28 Aug 2019 11:04:49 +0000
Received: from mail pickup service by iqsuite.endress.com with Microsoft SMTPSVC; Wed, 28 Aug 2019 13:04:48 +0200
Received: from EUR01-HE1-obe.outbound.protection.outlook.com ([104.47.0.54]) by iqsuite.endress.com over TLS secured channel with Microsoft SMTPSVC(8.5.9600.16384); Wed, 28 Aug 2019 13:04:47 +0200
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=e9F48jYSiBwGPaAm//x+3E2I3B7Vwu+sZQqjfHClJR5c6F6fH3aIVnwRBjGR4r+5yF/kXKiUQEAJn8elvfaQrwAPqhH8VeYxsXTm2rPegOdcF7ismk//sAy9tk2hCIsIJpy9i8iqQsMOEfPvaYBDQyEP5chJJNmF65ZAtsBqA31TMc+GDneVAIBbGcydn+z0QIjmW0EB/DbC6OWTLeYTTAfYsPhfzIJfa881OUE8PnCAPAM9eiDbgETYasPA049DPIgHih/7QBpsBiUDKDJZUbkUgzDtqYiYAOvIL5/b17000WagK4F2nBJBPD9cACnbTPge/+AyKEbp05NZtCt7Gg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=i6whHKjZlC2PMFpfnrEmoe1QK0gQgzU9gUo73wvjAgk=; b=AEpSVWfPH/qkr9+mIpphmOwEz885dVKqs72/9JqMMl5WcT0DufxdkzG5mBKMgRp0ekA2dMvphWGXdwHqMFvAZ4kkW37b75VJikA9Z5/5FotuOA5PlA8fzt2s5/nLyjKnQsup9uOI+SGoqwOPCDwAC199JsyXTmxyiXH+qQo1vWy0o0GnqYFzRKittRZdLpT7/uDEfu5I96n8eBFbWW298lxr6V6J10SR+RLCBHODBauezsxcD9d0+Za97LwTyikQiFHnaW6To8rlaRPAFcnqZT4Wov+Xnk6CqaCIjgPTgqYd3MdFx96pI5L1W9huOb46wlWAOWe9j11oz2/rNwCIjA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=endress.com; dmarc=pass action=none header.from=endress.com; dkim=pass header.d=endress.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=endress.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=i6whHKjZlC2PMFpfnrEmoe1QK0gQgzU9gUo73wvjAgk=; b=jcw4xLrO7yjUzIDsCG8AMssj5ChRjbzg6SkmzLTmQ+THW2fnsnpF9czoDQceymRAlG5dTyvab+KKIsT+Q+FksCxVsAUfgdTGLQCvDAN+GGvnHL1XmNpqXmB4jdD2XXaC2+AySUAtivAY3OZCresQzvC4ZogfzwozhA3Hew6mZns=
Received: from VI1PR0501MB2255.eurprd05.prod.outlook.com (10.169.135.11) by VI1PR0501MB2621.eurprd05.prod.outlook.com (10.172.12.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2199.19; Wed, 28 Aug 2019 11:04:47 +0000
Received: from VI1PR0501MB2255.eurprd05.prod.outlook.com ([fe80::bd14:3fc1:6d7a:ec25]) by VI1PR0501MB2255.eurprd05.prod.outlook.com ([fe80::bd14:3fc1:6d7a:ec25%3]) with mapi id 15.20.2199.021; Wed, 28 Aug 2019 11:04:47 +0000
From: =?utf-8?B?QmrDtnJuIEhhYXNl?= <bjoern.haase@endress.com>
To: Natanael <natanael.l@gmail.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
CC: Jonathan Trostle <jonattr@gmail.com>, "Owen Friel (ofriel)" <ofriel@cisco.com>, "hugokraw@gmail.com" <hugokraw@gmail.com>, CFRG <cfrg@irtf.org>
Thread-Topic: [Cfrg] How to circumvent the obstacles for PAKE integration into TLS // slides.
Thread-Index: AdU/0zW0G1cDrJm7THCybJ0GtxuGUAAGmVwAAEhbfIAABYhggAARP7zQAtugoAAAEBl6UAQak14AAAKPEGA=
Content-Class:
Date: Wed, 28 Aug 2019 11:04:47 +0000
Message-ID: <VI1PR0501MB225513F74F687991E72F2D8183A30@VI1PR0501MB2255.eurprd05.prod.outlook.com>
References: <VI1PR0501MB225515FC68BD4CBF7C6F904E83C50@VI1PR0501MB2255.eurprd05.prod.outlook.com> <CACsn0ck3AhxHeu6=vAf9CMNLJcjkC59jhWDdGD-RP03DNqCfXA@mail.gmail.com> <20190723042811.GL99187@kduck.mit.edu> <VI1PR0501MB225501B52DC40DC41E6D590683C70@VI1PR0501MB2255.eurprd05.prod.outlook.com> <DM6PR11MB33855C114392B1A400D4C0B2DBC70@DM6PR11MB3385.namprd11.prod.outlook.com> <CAB+1-SckMT6oSJPbuM4fvWqC+8vGVUSYg-qTMt+i4EHBbbn64A@mail.gmail.com> <AM0PR08MB5345FC99B3EABBBF6EFD2353FAD40@AM0PR08MB5345.eurprd08.prod.outlook.com> <CAAt2M18UMK0Xd-38napj=zCGv2dgQZwLEMt3rK47bRU2RDbDUw@mail.gmail.com>
In-Reply-To: <CAAt2M18UMK0Xd-38napj=zCGv2dgQZwLEMt3rK47bRU2RDbDUw@mail.gmail.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Enabled=True; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_SiteId=52daf2a9-3b73-4da4-ac6a-3f81adc92b7e; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Owner=i00501985@pc-c.endress.com; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_SetDate=2019-08-28T11:04:50.4495158Z; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Name=Not Protected; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Application=Microsoft Azure Information Protection; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_ActionId=ab02d0f8-6161-446c-b16c-223eb593fcea; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Extended_MSFT_Method=Automatic
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=bjoern.haase@endress.com;
x-originating-ip: [65.196.159.195]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: b4237c2b-a62d-48e8-5c8d-08d72ba78bc3
X-Microsoft-Antispam-Untrusted: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600166)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:VI1PR0501MB2621;
X-MS-TrafficTypeDiagnostic: VI1PR0501MB2621:|DB8PR05MB6618:
X-MS-Exchange-PUrlCount: 5
X-Microsoft-Antispam-PRVS: <DB8PR05MB66185F1B5C2270F97275922A83A30@DB8PR05MB6618.eurprd05.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
x-forefront-prvs: 014304E855
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009020)(4636009)(366004)(39860400002)(396003)(346002)(376002)(136003)(199004)(189003)(81156014)(86362001)(14444005)(81166006)(4326008)(790700001)(55016002)(85202003)(66574012)(236005)(256004)(26005)(6506007)(25786009)(110136005)(102836004)(52536014)(316002)(66556008)(19627235002)(186003)(8676002)(54896002)(11346002)(76116006)(66946007)(446003)(66476007)(7696005)(476003)(64756008)(66446008)(9686003)(76176011)(99286004)(7736002)(2906002)(3846002)(8936002)(53936002)(6116002)(486006)(606006)(85182001)(6306002)(966005)(74316002)(66066001)(33656002)(5660300002)(14454004)(71190400001)(71200400001)(478600001)(6436002)(54906003); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0501MB2621; H:VI1PR0501MB2255.eurprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: endress.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info-Original: l5TYdJFWqHN265sQ6rdMsNHrCothUamsaeRII1yonIJ+ypOW9CMZKk7rQ3lzWusL+wLuJCI3BrgQhIXFdPB7HyCiHnkenz9sRe1f18Y6etMH4zjvAX8/ulnwX8a2DBoZ24/ClELTmvSDUkiIo47ABCX+KlvjMCtp/H5JOSIZIoxUbNAchqYCSi9rQvFzTmvxKs4fC9CyVl7eYauYH3XzFVkgLsQ6zkWBUxci2rwaHilOHVmrKcmzL8fSzAdh4LPKkaavjKwHMm6zpyKZOAwKsyND8yglVncQWyw1ngIp8ycybTvCJFJ6UHJ5GmcwCIKrZTfV4QAPIVa11BVh7JAbrIIH4Td4W4s0d26dNOHHaTGXuo0TZ4802GbAXTNYo5LFvc8ydmq1jtLiiU+VmTKh89vVybXEE9+X1Sno7pUJGm4=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_VI1PR0501MB225513F74F687991E72F2D8183A30VI1PR0501MB2255_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0501MB2621
X-OriginalArrivalTime: 28 Aug 2019 11:04:47.0412 (UTC) FILETIME=[67B88F40:01D55D90]
X-Trailer: 1
X-GBS-PROC: pc8+d981kdrtN8+TotA1piBlfUfyJnOZ8lkL7uEXKSU=
X-GRP-TAN: IQWE02@067D92B1F6D04416A056C05C26C7989A
X-iqsuite-process: processed
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT013.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:52.233.195.251; IPV:CAL; CTRY:NL; EFV:NLI; SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(396003)(346002)(376002)(136003)(2980300002)(199004)(189003)(26234003)(33964004)(356004)(236005)(33656002)(6306002)(54896002)(99286004)(14444005)(53936002)(76176011)(966005)(71190400001)(86362001)(76130400001)(790700001)(19627235002)(102836004)(55016002)(478600001)(7696005)(26826003)(3846002)(126002)(6506007)(85202003)(81156014)(25786009)(476003)(6116002)(15974865002)(81166006)(70206006)(336012)(446003)(70586007)(26005)(11346002)(486006)(52536014)(8676002)(9686003)(316002)(66574012)(4326008)(30864003)(16586007)(85182001)(54906003)(7736002)(110136005)(14454004)(74316002)(106002)(5660300002)(66066001)(186003)(606006)(2906002)(8936002); DIR:OUT; SFP:1101; SCL:1; SRVR:DB8PR05MB6618; H:iqsuite.endress.com; FPR:; SPF:Pass; LANG:en; PTR:InfoDomainNonexistent; A:1; MX:1;
X-MS-Office365-Filtering-Correlation-Id-Prvs: 0d7d272a-905d-48db-b159-08d72ba78a2f
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600166)(710020)(711020)(4605104)(4709080)(1401327)(2017052603328)(7193020); SRVR:DB8PR05MB6618;
X-Forefront-PRVS: 014304E855
X-Microsoft-Antispam-Message-Info: DJ8F2bFqOKwvfAde//SIDMRuDxI9OEpEXHiykUe8u2KDFMkX/ioPmKYwmfK2u9hO4Oes0gLkDMfs3rrqRAn+FGswPkbzx/t5sTyCPxOJMiyeyy9UVL3D2kdNk1wW6i7wJ/uewPgrYZzEkMivPtm+8xgmTzLo7Zxo2Vf6/14dKjaVzTA/LXOCk9jb+cHSdtb2Z4ML92UCM2qZs42DOGOdn/K/ryF/hn9J5693WvUgOcazEGi7d6cVkndO61jlES/LX18C1M3bfG2LsTiN1hKTbH3JeGCR6JVTaebuL9+3LN0PrIX2lxFCOP0+MHFKkHestK/Tx3KhWWSPKokSkrTlOfEgjkS1WaWAB7/IVJnSQ15oGWhNoIrJFg3OJmFpQF9tjT6u5OIZuJsHnbeiPJaPz+Dwc3zRDy73McdZ9F7lhbY=
X-OriginatorOrg: endress.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Aug 2019 11:04:49.9933 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: b4237c2b-a62d-48e8-5c8d-08d72ba78bc3
X-MS-Exchange-CrossTenant-Id: 52daf2a9-3b73-4da4-ac6a-3f81adc92b7e
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=52daf2a9-3b73-4da4-ac6a-3f81adc92b7e; Ip=[52.233.195.251]; Helo=[iqsuite.endress.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8PR05MB6618
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/HdRuv4R9eRFUHYqZd3PYuSD69CU>
Subject: Re: [Cfrg] How to circumvent the obstacles for PAKE integration into TLS // slides.
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2019 11:05:01 -0000

>The way I see it, combining a PAKE with a 2FA solution like FIDO / WebAuthn is the best approach.

This corresponds exactly to what I have had in mind when creating slide #13 of the slides
https://github.com/BjoernMHaase/fe25519/blob/master/Concept_For_Modularized_PAKE_integration_into_TLS_20190726.pdf

However, the bootstrapping use-case that Hannes refers to is also an important application IMO. (Slide #14).

My perception that in order to allow for integrating use-cases such as 2FA into TLS, we might better need a modular approach. This is the main advantages that I see for AuCPace in comparison to OPAQUE or VTBPEKE. Otherwise OPAQUE and VTBPEKE are decent and secure constructions in my opinion.

For your reference here are the slides that I will be presenting today at Atlanta.
https://github.com/BjoernMHaase/fe25519/blob/master/Presentation_CHES2019.pdf
There I have also added some slides dealing my opinions regarding the session id complexity that comes with OPAQUE and AuCPace.

Yours,

Björn.


Mit freundlichen Grüßen I Best Regards 

Dr. Björn Haase 

Senior Expert Electronics | TGREH Electronics Hardware
Endress+Hauser Conducta GmbH+Co.KG | Dieselstrasse 24 | 70839 Gerlingen | Germany
Phone: +49 7156 209 377 | Fax: +49 7156 209 221
bjoern.haase@endress.com |  www.conducta.endress.com 





Endress+Hauser Conducta GmbH+Co.KG
Amtsgericht Stuttgart HRA 201908
Sitz der Gesellschaft: Gerlingen
Persönlich haftende Gesellschafterin:
Endress+Hauser Conducta Verwaltungsgesellschaft mbH
Sitz der Gesellschaft: Gerlingen
Amtsgericht Stuttgart HRA 201929
Geschäftsführer: Dr. Manfred Jagiella

 
Gemäss Datenschutzgrundverordnung sind wir verpflichtet, Sie zu informieren, wenn wir personenbezogene Daten von Ihnen erheben.
Dieser Informationspflicht kommen wir mit folgendem Datenschutzhinweis (https://www.endress.com/de/cookies-endress+hauser-website) nach.

 



Disclaimer: 

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential, proprietary, and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you receive this in error, please contact the sender and delete the material from any computer. This e-mail does not constitute a contract offer, a contract amendment, or an acceptance of a contract offer unless explicitly and conspicuously designated or stated as such.
 



Von: Natanael <natanael.l@gmail.com>;
Gesendet: Mittwoch, 28. August 2019 11:32
An: Hannes Tschofenig <Hannes.Tschofenig@arm.com>;
Cc: Jonathan Trostle <jonattr@gmail.com>;; Owen Friel (ofriel) <ofriel@cisco.com>;; hugokraw@gmail.com; Björn Haase <bjoern.haase@endress.com>;; CFRG <cfrg@irtf.org>;
Betreff: Re: [Cfrg] How to circumvent the obstacles for PAKE integration into TLS // slides.


Den ons 7 aug. 2019 14:16Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> skrev:
Here are my 5 cents:
I don’t expect PAKEs to be used for web-based scenarios as a replacement for passwords used in web-based applications.
Instead, the only use of PAKEs I had seen over the last few years was in the area of IoT as part of onboarding mechanisms.
Unless those folks developing browsers tell me that they want to put PAKEs into their browsers I would focus on the IoT use cases instead. The reason why I am saying this is because FIDO, which also tackles the password problem, looks like a much, much more promising route…
We just got Facebook declaring interest in using OPAQUE or equivalent PAKE protocols, which is significant.

And I also think (in my layman's opinion) that this should be supported in browsers so websites can use it. I've written this once before;

The way I see it, combining a PAKE with a 2FA solution like FIDO / WebAuthn is the best approach.

It's infinitely more resistant to both phishing and to accidental harm. Compared to just adding a second factor which would still expose the password, you don't just devalue credential phishing attempts when combining U2F + PAKE, you can make it close to impossible.

FIDO 2FA by itself doesn't really "tackle the password problem". It "just" adds a very strong shield *behind* it (but not in front of it). You still risk leaking passwords, and password reuse isn't going away no matter how much we try, people will remain lazy and reuse them. And not every site will use 2FA!

While it's true that a PAKE can't protect a weak password if the server gets breached (dictionary or bruteforce guessing), it can however protect against a hacker spying on your strong passwords when they hack a site you use! So under PAKE, your strong passwords remain strong even if the adversary can manipulate the server, and they won't be able to test reusing then against other services (at least assuming replay attack protection in the protocol!).

A secondary and less common risk (yet real) is spearphishing, where somebody is willing to steal your token and test reused passwords against the target web service(s).

Pushing for widespread PAKE support (with dictionary attack resistance) to resist password leaks is far more effective. One could hope that training users to expect a browser initiated PAKE password entry would make them suspicious of plaintext credential phishing forms.

I envision an approach where the user first types their username (which the browser can remember), get asked to confirm their login attempt with their hardware 2FA token (button press, or TPM connected secure input), and then they get a secure PAKE prompt from the browser that asks the user to type their password / PIN. After both U2F and PAKE has successfully authenticated the user, they get logged in.

The browser's PAKE prompt may even be integrated with a password manager, so you only need to click OK after you have unlocked your password manager.

U2F even supports registering keypair on the hardware token which allow you to login without typing your username (requires using storage space on the token), making it even simpler (press the button, type a PIN).

So the simplest secure login ux flow would be to unlock the password manager once with your password, then login to a website by tapping the hardware token's input button, then (optionally, can be automated) confirm your password input.