Re: Interest in a push-based two-factor auth standard?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Alex,

The applications area uses a working group called DISPATCH to answer the question "where should this work go?", so you might start by writing up the idea as an Internet draft and submitting to DISPATCH.  The Security area uses the saag list for similar discussion, if you think it is more of a security topic than a usage of web push.

regards,

Ted


On Wed, Mar 1, 2017 at 9:51 PM, Alex Jordan <alex@xxxxxxxxxxx> wrote:
Heya!

A widely deployed way to do two-factor authentication is
TOTP. However, when used with an Android device Google Accounts have a
really nice flow where Google will send a push notification to the
Android device, which will then prompt the user with a "yes/no"
question as to whether they were trying to log in or not. From a UX
perspective this is much nicer than opening an app, manually typing in
a code, etc.

With WebPush core having been just ratified as RFC 8030, the time
seems ripe for standardizing an authentication scheme like described
above.

I have two questions:

1. Is there interest in creating such a standard at the IETF?

2. If there is, where would be the best place to do that work? I'm
relatively new to the IETF - I poked around Datatracker's list of
Working Groups and there didn't seem to be one that really fit that
well. Did I miss something? Or should this go through the IETF
individual submission track?

Please CC me on replies; I'm not subscribed.

Cheers!

AJ


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]