Re: Interest in a push-based two-factor auth standard?

Ted Hardie <ted.ietf@gmail.com> Thu, 02 March 2017 16:34 UTC

In-Reply-To: <20170302055128.GJ12470@Alexs-MacBook-Pro>
References: <20170302055128.GJ12470@Alexs-MacBook-Pro>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Thu, 02 Mar 2017 08:33:52 -0800
Message-ID: <CA+9kkMBdheNCiAAq2xHs5v5UBFErBYhRZ5ksWFq4089ve+NK7g@mail.gmail.com>
Subject: Re: Interest in a push-based two-factor auth standard?
To: Alex Jordan <alex@strugee.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/AVpTB35NaqvNBbT9tyu2GITLdy4>
Cc: IETF <ietf@ietf.org>

Hi Alex,

The applications area uses a working group called DISPATCH to answer the
question "where should this work go?", so you might start by writing up the
idea as an Internet draft and submitting to DISPATCH.  The Security area
uses the saag list for similar discussion, if you think it is more of a
security topic than a usage of web push.

regards,

Ted


On Wed, Mar 1, 2017 at 9:51 PM, Alex Jordan <alex@strugee.net> wrote:

> Heya!
>
> A widely deployed way to do two-factor authentication is
> TOTP. However, when used with an Android device Google Accounts have a
> really nice flow where Google will send a push notification to the
> Android device, which will then prompt the user with a "yes/no"
> question as to whether they were trying to log in or not. From a UX
> perspective this is much nicer than opening an app, manually typing in
> a code, etc.
>
> With WebPush core having been just ratified as RFC 8030, the time
> seems ripe for standardizing an authentication scheme like described
> above.
>
> I have two questions:
>
> 1. Is there interest in creating such a standard at the IETF?
>
> 2. If there is, where would be the best place to do that work? I'm
> relatively new to the IETF - I poked around Datatracker's list of
> Working Groups and there didn't seem to be one that really fit that
> well. Did I miss something? Or should this go through the IETF
> individual submission track?
>
> Please CC me on replies; I'm not subscribed.
>
> Cheers!
>
> AJ
>