On 7/3/23 2:08 AM, josh.howlett@xxxxxxxxx wrote:
OAuth is a terrible solution, but it scrapes the "good enough" criterion (with guardrails, like MFA). And, besides, what else could be done? This is a dismal situation, but I think revisiting RFC 8252 without offering an alternative would be a futile gesture that would do nothing to improve it.
As far as what else can be done, I think quite a lot these days can be done. If we replaced passwords with public key crypto (webauthn, webcrypto) and just store the public keys on-site, what is the point of single sign on? I mean, maybe people love Facebook hoovering up where you're logging in, but I don't. Maybe it's marginally easier to sign on with OAuth these days, but if it's like an ecommerce site they are going to need your email anyway. Also: browsers auto-fill almost everything typically used, so even that's not much of an advantage.

I wrote a proof of concept for a site using public key login/join a while back just using webcrypto. For your average site, the heavy machinery of webauthn which to my knowledge still doesn't allow for local credentials (i.e., stored in the browser itself) as implemented by the various browsers. My code is very very simple and it's straightforward to modify the user database to accommodate multiple devices -- which lots of sites already do for security tracking, so it's just a matter of adding a public key to it.
Here's a link to my site that uses it:
https://out.mtcc.com/hoba-bis/
Mike