item 9673820

Direct | 10 years ago

I'm not sure I follow; I don't see what the benefit is in defining an authentication protocol like this based on passwords. If websites are going to actually work with this protocol, why not use public key authentication or any of several other existing authentication protocols? Maybe I'm missing something, but unless this somehow eases the distance between password-based authentication and other methods, it seems kind of like trying to shuffle our human password schemes into a protocol where details like a unique password shouldn't need to matter anymore anyway.

I'm a little confused.


brownbat | 10 years ago

> Maybe I'm missing something, but unless this somehow eases the distance between password based authentication and other methods

Spot on.

PKI would be a good endpoint, but adoption is slow, probably because it's a weird leap for a lot of people. So I see this as a transitional step, a methadone for our addiction to passwords, because it could get people used to passwordless logins. It could help people adapt to a service or dongle that handles all their authentication. After that, it's a short hop to have PMs just become "authentication providers" and have them and websites figure out the best backend.

Thanks, though; it's a fair point to keep in mind. PKI might even be worth holding up as the ideal in the protocol.