Re: [OAUTH-WG] Username and Password flow: no captcha?

Thomas Hardjono <hardjono@MIT.EDU> Mon, 07 June 2010 20:24 UTC

From: Thomas Hardjono <hardjono@MIT.EDU>
To: Dick Hardt <dick.hardt@gmail.com>, Luke Shepard <lshepard@facebook.com>
Date: Mon, 07 Jun 2010 16:24:02 -0400
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>

What if the username/password (or PIN) was used to release a secret (located in an OTP dongle) or to exercise a secret key (symmetric or asymmetric) located in a smartcard or TPM chip?

Reading Section 3.8, it seems it covers these cases already (or am I reading the wrong section?). In Figure 6, the "Client" would be the code contained in the auth-device (or the code that invokes the underlying auth-device).

Section 3.7 on device flows does not look as if it was written with these portable auth-devices in mind.

/thomas/


__________________________________________

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Dick Hardt
Sent: Monday, June 07, 2010 2:40 PM
To: Luke Shepard
Cc: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Username and Password flow: no captcha?

Background: The username / password flow can be used to brute force attack a system to find valid credentials. A captcha is presented to slow the attack down -- similar to what happens when you log in with an invalid password on a webpage.

The captcha would be displayed by the app for the user to enter in if the AS thinks it is getting attacked from that IP or whatever. The captcha does not require a web browser -- it actually does make sense for most of the Facebook clients.

The captcha was dropped because there were a number of aspects that had not been standardized, so it was decided to drop it from the core.

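Dick's remark that the AS would demand a CAPTCHA from an IP it believes is brute-forcing the username/password flow, as an added illustration that is not part of this thread or of the OAuth 2.0 draft: a server-side guard that counts failed password-grant attempts per source IP over a sliding window and, past a threshold, refuses further attempts until a challenge is answered. The window, the threshold, the `captcha_required` error code and the text-code challenge are assumptions for demonstration, not specification text.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # assumed sliding window for counting failures
FAIL_THRESHOLD = 5     # assumed failures per IP before a CAPTCHA is demanded

# Constructed demo user store: username -> salted SHA-256 hex digest.
_SALT = b"demo-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


class PasswordGrantGuard:
    """Per-IP brute-force guard for grant_type=password token requests."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of failed attempts
        self.pending = {}                    # ip -> expected CAPTCHA answer

    def _recent_failures(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] > WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        return len(q)

    def issue_captcha(self, ip):
        # Demo challenge: a random 6-digit code the client must echo back
        # (assumed stand-in for the image/audio CAPTCHA a real AS would render).
        answer = f"{secrets.randbelow(10**6):06d}"
        self.pending[ip] = answer
        return answer

    def handle(self, ip, username, password, now, captcha=None):
        """Return (HTTP status, JSON body) for one token request."""
        if self._recent_failures(ip, now) >= FAIL_THRESHOLD:
            expected = self.pending.get(ip)
            if expected is None or captcha is None or \
               not hmac.compare_digest(expected, captcha):
                self.issue_captcha(ip)   # fresh challenge on every refusal
                return 400, {"error": "captcha_required"}  # assumed error code
            del self.pending[ip]         # answers are single-use
        digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
        if username in USERS and hmac.compare_digest(USERS[username], digest):
            self.failures[ip].clear()
            return 200, {"access_token": "demo-token", "token_type": "bearer"}
        self.failures[ip].append(now)
        return 400, {"error": "invalid_grant"}
```

Because a solved CAPTCHA clears neither the failure count nor the window, each further wrong guess from that IP costs another challenge, which is the slow-down the thread describes.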

On 2010-06-07, at 11:30 AM, Luke Shepard wrote:


The username/password flow is designed to work in a situation where there is no web browser available. At least at Facebook, none of our clients implement captcha - it doesn't really make sense in many contexts.

A provider is still welcome to offer a non-standard captcha support but it shouldn't be part of the core spec.

On Jun 7, 2010, at 8:40 AM, Andrew Arnott <andrewarnott@gmail.com> wrote:


In WRAP, there was a CAPTCHA in this profile, but I don't see it in the latest OAuth 2.0 draft.  Since I've already implemented the CAPTCHA stuff from WRAP, I'll leave it there if the OAuth 2.0 is likely to pick it up, or rip it out now if OAuth 2.0 decided it wasn't necessary.

Does anyone from the WG have something they can say on the subject?
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
