Re: Interest in a push-based two-factor auth standard?

Phillip Hallam-Baker <phill@hallambaker.com> Mon, 06 March 2017 13:05 UTC

From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 06 Mar 2017 08:05:11 -0500
Subject: Re: Interest in a push-based two-factor auth standard?
To: Alex Jordan <alex@strugee.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/oE9zSmATm_ekojdl85jQ8ac92vM>
Cc: IETF Discussion Mailing List <ietf@ietf.org>

On Thu, Mar 2, 2017 at 12:51 AM, Alex Jordan <alex@strugee.net> wrote:

> Heya!
>
> A widely deployed way to do two-factor authentication is
> TOTP. However, when used with an Android device Google Accounts have a
> really nice flow where Google will send a push notification to the
> Android device, which will then prompt the user with a "yes/no"
> question as to whether they were trying to log in or not. From a UX
> perspective this is much nicer than opening an app, manually typing in
> a code, etc.
>
> With WebPush core having been just ratified as RFC 8030, the time
> seems ripe for standardizing an authentication scheme like described
> above.
>
> I have two questions:
>
> 1. Is there interest in creating such a standard at the IETF?
>
> 2. If there is, where would be the best place to do that work? I'm
> relatively new to the IETF - I poked around Datatracker's list of
> Working Groups and there didn't seem to be one that really fit that
> well. Did I miss something? Or should this go through the IETF
> individual submission track?
>
> Please CC me on replies; I'm not subscribed.
>

I am interested and have developed several protocols of this type using
JSON. My work provides prior art back to 2010 at the very least.

What we are discussing goes beyond two factor auth. If you have a cell
phone with a device specific signature key, it can sign the response, which
means that you automatically collect up a non-repudiable audit log of the
user's actions. This is beyond anything possible with OTP number sequences
or USB dongles.
