Hi Anders,

Isn't FIDO2 (aka W3C Web Authentication + CTAP) with an NFC authenticator a more thorough version of your site-PC-NFC-mobile scheme? Both have communications from a site to the PC/browser then over NFC to a mobile that has a crypto key. FIDO assumes the browser checks the web site authentication; your scheme has a "Web NFC driver" to do this task. The communication channels in the reverse direction are different: FIDO re-uses the same NFC channel; your scheme uses the mobile's own network. But as the security comes from the mobile's private key, there seems to be little benefit from having a separate channel - only a downside if it isn't available.
[1] DRAFT W3C Web Authentication; https://w3c.github.io/webauthn/
[2] DRAFT FIDO 2.0 Client to Authenticator Protocol (CTAP): NFC; https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#nfc

--
James Manger

-----Original Message-----
From: jose [mailto:[email protected]] On Behalf Of Anders Rundgren
Sent: Monday, 9 July 2018 10:17 PM
To: [email protected]
Subject: [jose] Security Evaluation Request

If there is anybody out there interested in Web security schemes relying on OOB channels, I would very much appreciate a review or just comments:

https://github.com/cyberphone/qr-replacement#a-better-qr

If you wonder who actually uses such schemes, they currently involve a billion users or so although most of them are about payments rather than user authentication.

This posting is also meant to serve as a defensive publication.

thanx,
Anders

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
