On 13 January 2015 at 21:30, Chris Hartmann <[email protected]> wrote:
> Presumably your credentials to okta.com are a risk to the company if
> compromised. If a phisher sent you an email claiming to be okta.com with a
> link to a fake but believable hostname, say otka.com (see what I did there),
> you happen to click the link and are on the verge of providing your
> credentials, you are now in a situation where your perception of the
> hostname is the only indication to spark your skepticism and avoid
> compromise.
SRP [1] and J-PAKE [2] protocols solved that problem a long time ago: the idea is that one uses a password not only to authenticate oneself to a host but also to verify that the host does know your password, without revealing the password to the host. Unfortunately browser support is lacking, so one needs a browser extension to support that.

[1] - http://srp.stanford.edu/
[2] - http://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
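The exchange the reply refers to, as an added example that is not part of the thread: a minimal SRP-6a run in Python (message flow and PAD/x/k definitions as in RFC 5054, SHA-256 throughout, the RFC's 1024-bit group transcribed here; the proof formulas M1/M2 are simplified from the SRP-6a design and the function names `register`, `login`, `private_x` are this example's own). It shows why a look-alike host does not get the password: the client sends only A and a proof M1, and the host must itself prove knowledge of the stored verifier via M2 before the client accepts it, so the hostname is no longer the only thing the user has to check.

```python
"""Minimal SRP-6a exchange: the host proves it holds the password verifier,
and the client never transmits the password. Added example, not list code."""
import hashlib
import secrets

# 1024-bit group from RFC 5054, Appendix A, with generator g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF74"
    "96EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6"
    "CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4"
    "976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(n: int) -> bytes:
    """Left-pad an integer to the byte length of N (RFC 5054 PAD())."""
    return n.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenation, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def private_x(username: str, password: str, salt: bytes) -> int:
    """x = H(s | H(I ":" P)); computed only on the client, never sent."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


def register(username: str, password: str) -> tuple[bytes, int]:
    """Enrolment: client sends (salt, verifier v = g^x); the host never sees P or x."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)


def login(username: str, password: str, host_salt: bytes, host_verifier: int) -> dict:
    """One SRP-6a run between a client holding `password` and a host holding
    (host_salt, host_verifier). Returns which side accepted the other's proof."""
    # Client -> Host: I, A = g^a
    a = secrets.randbelow(N)
    A = pow(g, a, N)
    # Host -> Client: s, B = k*v + g^b  (the host's share depends on the verifier)
    b = secrets.randbelow(N)
    B = (k * host_verifier + pow(g, b, N)) % N
    if A == 0 or B == 0:
        raise ValueError("degenerate ephemeral value, abort (RFC 5054 2.5.3/2.5.4)")
    u = H(pad(A), pad(B))

    # Both sides derive the premaster secret S; the values agree only if v == g^x.
    x = private_x(username, password, host_salt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_host = pow(A * pow(host_verifier, u, N) % N, b, N)
    K_client = hashlib.sha256(pad(S_client)).digest()
    K_host = hashlib.sha256(pad(S_host)).digest()

    # Client -> Host: M1 proves the client knew the password (simplified proof formula).
    M1 = hashlib.sha256(pad(A) + pad(B) + K_client).digest()
    host_accepts = secrets.compare_digest(M1, hashlib.sha256(pad(A) + pad(B) + K_host).digest())
    # Host -> Client: M2 proves the host knew the verifier. A look-alike host that
    # never received v produces a wrong M2, so the client rejects it regardless
    # of how convincing the hostname looked.
    M2 = hashlib.sha256(pad(A) + M1 + K_host).digest()
    client_accepts = secrets.compare_digest(M2, hashlib.sha256(pad(A) + M1 + K_client).digest())
    return {"host_accepts_client": host_accepts, "client_accepts_host": client_accepts}


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    salt, v = register("alice", "correct horse battery staple")
    print("genuine host:   ", login("alice", "correct horse battery staple", salt, v))
    fake_salt, fake_v = register("alice", "guessed-password")  # impostor lacks the real v
    print("look-alike host:", login("alice", "correct horse battery staple", fake_salt, fake_v))
```

Against the genuine host both proofs verify; against the impostor holding a verifier for a guessed password neither does, and what the impostor has collected (A and M1) is bound to the client's ephemeral secret a, so it cannot be checked against password guesses offline. That server-side proof is the property a browser extension would have to expose to the user, since the HTML login form in the phishing scenario above gives no such signal.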
