ietf

Re: Interest in a push-based two-factor auth standard?

2017-03-06 07:05:30
On Thu, Mar 2, 2017 at 12:51 AM, Alex Jordan <alex(_at_)strugee(_dot_)net> 
wrote:

Heya!

A widely deployed way to do two-factor authentication is
TOTP. However, when used with an Android device Google Accounts have a
really nice flow where Google will send a push notification to the
Android device, which will then prompt the user with a "yes/no"
question as to whether they were trying to log in or not. From a UX
perspective this is much nicer than opening an app, manually typing in
a code, etc.

With WebPush core having been just ratified as RFC 8030, the time
seems ripe for standardizing an authentication scheme like described
above.

I have two questions:

1. Is there interest in creating such a standard at the IETF?

2. If there is, where would be the best place to do that work? I'm
relatively new to the IETF - I poked around Datatracker's list of
Working Groups and there didn't seem to be one that really fit that
well. Did I miss something? Or should this go through the IETF
individual submission track?

Please CC me on replies; I'm not subscribed.


I am interested and have developed several protocols of this type using
JSON. My work provides prior art back to 2010 at the very least.

What we are discussing goes beyond two-factor auth. If you have a cell
phone with a device-specific signature key, it can sign the response, which
means that you automatically collect up a non-repudiable audit log of the
user's actions. This is beyond anything possible with OTP number sequences
or USB dongles.

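The exchange the thread describes, as an added example that is not part of either message and not one of the JSON protocols the reply refers to: the server pushes a challenge, the device asks the user yes/no, signs the decision with a device-specific Ed25519 key, and the server verifies the signature, consumes the challenge, and keeps the signed message verbatim as an audit entry that anyone holding the device's public key can re-check later. Go's standard library is used throughout; the message shapes, field names, function names, account and device identifiers are all assumptions made for this example, and the push transport itself is replaced by a direct function call.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Challenge is what the server pushes to the device; ID is a random 128-bit nonce.
type Challenge struct {
	ID      string `json:"challenge_id"`
	Account string `json:"account"`
}

// Answer is what the device signs: the challenge nonce plus the user's decision.
type Answer struct {
	ChallengeID string `json:"challenge_id"`
	DeviceID    string `json:"device_id"`
	Approved    bool   `json:"approved"`
}

// SignedAnswer is the device-to-server message. The signature covers the exact
// bytes in Answer; the server verifies those bytes as received, never a re-encoding.
type SignedAnswer struct {
	Answer    json.RawMessage `json:"answer"`
	Signature string          `json:"signature"` // base64 Ed25519 signature
}

// Respond is the device side: the user's yes/no is signed together with the
// challenge nonce by the device key, which binds the answer to one login attempt.
func Respond(priv ed25519.PrivateKey, deviceID string, c Challenge, approved bool) SignedAnswer {
	raw, _ := json.Marshal(Answer{ChallengeID: c.ID, DeviceID: deviceID, Approved: approved})
	return SignedAnswer{Answer: raw, Signature: base64.StdEncoding.EncodeToString(ed25519.Sign(priv, raw))}
}

// Server keeps enrolled keys by "account/device", outstanding single-use challenges by ID, and the audit log.
type Server struct {
	keys    map[string]ed25519.PublicKey
	pending map[string]Challenge
	Audit   []SignedAnswer // verified answers, stored verbatim with their signatures
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, pending: map[string]Challenge{}}
}

func (s *Server) Enroll(account, deviceID string, pub ed25519.PublicKey) {
	s.keys[account+"/"+deviceID] = pub
}

// IssueChallenge creates a fresh challenge and records it as outstanding.
func (s *Server) IssueChallenge(account string) Challenge {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable CSPRNG: refuse to issue a challenge
	}
	c := Challenge{ID: base64.RawURLEncoding.EncodeToString(nonce), Account: account}
	s.pending[c.ID] = c
	return c
}

// Verify checks the answer against the outstanding challenge and the key enrolled
// for that account and device, consumes the challenge, and appends the message to the log.
func (s *Server) Verify(sa SignedAnswer) (bool, error) {
	var a Answer
	if err := json.Unmarshal(sa.Answer, &a); err != nil {
		return false, err
	}
	c, ok := s.pending[a.ChallengeID]
	if !ok {
		return false, errors.New("unknown or already-used challenge") // replays end here
	}
	pub, ok := s.keys[c.Account+"/"+a.DeviceID]
	if !ok || !VerifyEntry(pub, sa) {
		return false, errors.New("device not enrolled for this account, or bad signature")
	}
	delete(s.pending, c.ID) // single use
	s.Audit = append(s.Audit, sa)
	return a.Approved, nil
}

// VerifyEntry re-checks an audit entry with only the device's public key, which
// is what lets a third party confirm the user's recorded decision later.
func VerifyEntry(pub ed25519.PublicKey, sa SignedAnswer) bool {
	sig, err := base64.StdEncoding.DecodeString(sa.Signature)
	return err == nil && ed25519.Verify(pub, sa.Answer, sig)
}

func main() {
	srv := NewServer()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // device key; hardware-backed in practice
	srv.Enroll("alice", "phone-1", pub)
	sa := Respond(priv, "phone-1", srv.IssueChallenge("alice"), true)
	ok, err := srv.Verify(sa)
	fmt.Println("approved:", ok, err, "| audit entry re-verifies:", VerifyEntry(pub, srv.Audit[0]))
}
```

Two design points carry the security argument of the reply. The server verifies the signature over the bytes it received and stores exactly those bytes, so the audit entry stays checkable by anyone with the public key; re-encoding the JSON before verifying would break the signature and re-encoding before storing would break later re-verification. The challenge nonce is random, single use and tied to an account, so a captured approval cannot be replayed, and a device enrolled for one account cannot answer another account's challenge. Left out here, and needed in practice: an expiry on outstanding challenges, details of the attempted login shown to the user before they answer, and protection of the device key in hardware.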