
[taler-anastasis] 01/02: fix token


From: gnunet
Subject: [taler-anastasis] 01/02: fix token
Date: Mon, 08 Jun 2020 20:51:28 +0200

This is an automated email from the git hooks/post-receive script.

dennis-neufeld pushed a commit to branch master
in repository anastasis.

commit 48e8fe13d66d898d239a64a99e14ce8a2d35814b
Author: Dennis Neufeld <dennis.neufeld@students.bfh.ch>
AuthorDate: Mon Jun 8 18:49:44 2020 +0000

    fix token
---
 doc/thesis/related_work.tex | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/doc/thesis/related_work.tex b/doc/thesis/related_work.tex
index 8c458fc..7c6ea02 100644
--- a/doc/thesis/related_work.tex
+++ b/doc/thesis/related_work.tex
@@ -223,6 +223,12 @@ single authentication method by itself is usually 
vulnerable.
 Multi-factor authentication combines multiple authentication
 procedures to enhance the security of the system.
 
+During procedure of some authentication methods a so called token is 
+sent to the user. The user than has to provide the token to authorize.\\
+The token should be a randomly generated passphrase which has at 
+least 128 bits of entropy. It is best practice for a token to have an 
+expiration time, although this is not relevant for security of Anastasis.\\
+
 Anastasis is designed to use a wide range of authentication methods to
 authenticate its users. Even though the user in Anastasis is free to
 specify only one authentication method, we strongly recommend the use
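Review bot: the new paragraph drops the rationale for the expiration time without replacing it: it states that an expiration time "is not relevant for security of Anastasis" but gives no reason, while the paragraph it replaces (removed in the second hunk) at least argued that a validity period limits damage if the user's email account was compromised. Since the earlier FIXME asked exactly "how does it help?", either state why expiry does not matter here or keep the compromised-account argument; an unexplained assertion will draw the same question again. Smaller points in the same lines: "During procedure of some authentication methods a so called token" should read "During the procedure of some authentication methods a so-called token", and "The user than has to provide the token to authorize" should be "The user then has to provide the token to authenticate". Finally, the trailing `\\` before a blank line (on the "authorize.\\" and "Anastasis.\\" lines) is redundant in LaTeX and produces an underfull hbox; a blank line alone makes the paragraph break.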
@@ -339,15 +345,6 @@ Authentication by email is similar to SMS authentication. 
Here,
 the user receives a token by email and has to provide it during the
 authentication process.
 
-% CG: FIXME: (1) I don't buy the validity period, how does it help?
-% CG: FIXME: (2) This also applies to SMS, why have it here?
-The handling of this token needs some
-considerations. The token should have a validity period, this means
-for example the token would only be valid for one hour. This is a
-security measure to prevent malicious actions if the user's email
-account was compromised. Also the token should be a randomly generated
-passphrase which has at least 128 bits of entropy.
-
 Another important part is that the email should not already contain the
 requested information, so in the case of Anastasis the keyshare.  This
 is because the SMTP protocol used for email offers no hard security
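Review bot: with the token-handling paragraph removed, the sentence that follows, "Another important part is that the email should not already contain the requested information", now has nothing to be "another" to; the preceding text only says the user receives a token by email. Reword it to something like "An important point is that the email should not already contain the requested information". The removal itself resolves the second FIXME (the advice applied to SMS as well), since the general version now lives in the multi-factor section; consider adding a short cross-reference from the email and SMS subsections to that general paragraph so readers of either subsection still find the entropy requirement.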

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.


