Interest in a push-based two-factor auth standard?

Alex Jordan <alex@strugee.net> Thu, 02 March 2017 05:51 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/WIU3eOzVPZfTV9QyWESODWr5fKw>

Heya!

A widely deployed way to do two-factor authentication is
TOTP. However, when used with an Android device, Google Accounts have a
really nice flow where Google will send a push notification to the
Android device, which will then prompt the user with a "yes/no"
question as to whether they were trying to log in or not. From a UX
perspective this is much nicer than opening an app, manually typing in
a code, etc.

With WebPush core having been just ratified as RFC 8030, the time
seems ripe for standardizing an authentication scheme like the one
described above.

I have two questions:

1. Is there interest in creating such a standard at the IETF?

2. If there is, where would be the best place to do that work? I'm
relatively new to the IETF - I poked around Datatracker's list of
Working Groups and there didn't seem to be one that really fit that
well. Did I miss something? Or should this go through the IETF
individual submission track?

Please CC me on replies; I'm not subscribed.

Cheers!

AJ