Edward Ned Harvey wrote:
> SQRL is something you have - it's yet another key manager...

It's not quite so black-and-white. The master key is encrypted with a pass phrase, so that's something you know. I believe the master key isn't directly derived from the pass phrase, so you still need to "have" the key in some way.

> I am in favor of 2-factor authentication, involving something you
> know, *and* something you have.

The decryption of the master key could involve a 2nd (3rd?) factor.

> cbcrypt.org...takes hostid, username, and password, and converts them
> into an asymmetric keypair. Only the public key gets exposed to the
> server, so the server is able to confirm that *you* know your secret,
> without the server actually knowing your secret.

SQRL uses an identical mechanism, but uses different source material for the site-specific key.

 -Tom

--
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
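The mechanism discussed in this message, as an added example that is not part of the original post and is not code from cbcrypt or SQRL: a per-site keypair is derived deterministically from different source material, and only the public key would be given to the server. The PBKDF2 and HMAC-SHA256 derivations, the choice of Ed25519, and all function names are assumptions of this sketch.

```python
import hashlib
import hmac

# Ed25519 public-key derivation (RFC 8032), pure Python, affine coordinates.
P = 2**255 - 19
D = -121665 * pow(121666, P - 2, P) % P

def _recover_x(y):
    xx = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return P - x if x & 1 else x  # the base point uses the even root

BY = 4 * pow(5, P - 2, P) % P
BASE = (_recover_x(BY), BY)

def _add(a, b):
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P)

def ed25519_public(seed):
    """Public key for a 32-byte private seed."""
    a = int.from_bytes(hashlib.sha512(seed).digest()[:32], "little")
    a = (a & ((1 << 254) - 8)) | (1 << 254)  # clamp the scalar
    acc, pt = (0, 1), BASE
    while a:
        if a & 1:
            acc = _add(acc, pt)
        pt, a = _add(pt, pt), a >> 1
    x, y = acc
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def seed_from_password(hostid, username, password):
    # cbcrypt-style inputs; PBKDF2 is a stand-in KDF chosen for this example.
    salt = hostid.encode() + b"\x00" + username.encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, 32)

def seed_from_master_key(master_key, site_domain):
    # SQRL-style inputs: a stored master key plus the site's domain (assumed HMAC).
    return hmac.new(master_key, site_domain.encode(), hashlib.sha256).digest()

if __name__ == "__main__":
    master = hashlib.sha256(b"constructed demo master key").digest()
    for site in ("example.com", "example.org"):
        print(site, ed25519_public(seed_from_master_key(master, site)).hex())
    print(ed25519_public(seed_from_password("example.com", "alice", "pw")).hex())
```

In both variants the same inputs always reproduce the same keypair, and a different site yields an unrelated public key, so two servers cannot link the accounts by comparing what they store.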
