7183Security of passwordless systems
- Jul 17, 2014I have written an article on security of passwordless systems, using email or SMS for side-channel auth. My intention with this writing is to harden this new class of systems by initiating community review and security auditing.This previous article of mine will explain the context:From the perspective of decentralized architectures, passwordless systems are interesting because they are at least as decentralized as URL-based systems like OpenID and Oauth but do not require a new protocol. There is considerably less friction to wide adoption.Passwordless auth using email or SMS is interesting because it is as decentralized as oauth but can't be captured by Facebook and Twitter. It has a plausible chance of breaking out of the trap in which oauth is currently stuck.You can help by:1. Inviting the security community to audit these new systems. Help spread the word.2. Thinking and commenting on security of these new systems. Do your own writing on the topic.
- Next post in topic >>