[taler-anastasis] 01/02: fix token
From: gnunet
Subject: [taler-anastasis] 01/02: fix token
Date: Mon, 08 Jun 2020 20:51:28 +0200
This is an automated email from the git hooks/post-receive script.
dennis-neufeld pushed a commit to branch master
in repository anastasis.
commit 48e8fe13d66d898d239a64a99e14ce8a2d35814b
Author: Dennis Neufeld <dennis.neufeld@students.bfh.ch>
AuthorDate: Mon Jun 8 18:49:44 2020 +0000
fix token
---
doc/thesis/related_work.tex | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/doc/thesis/related_work.tex b/doc/thesis/related_work.tex
index 8c458fc..7c6ea02 100644
--- a/doc/thesis/related_work.tex
+++ b/doc/thesis/related_work.tex
@@ -223,6 +223,12 @@ single authentication method by itself is usually
vulnerable.
Multi-factor authentication combines multiple authentication
procedures to enhance the security of the system.
+During procedure of some authentication methods a so called token is
+sent to the user. The user than has to provide the token to authorize.\\
+The token should be a randomly generated passphrase which has at
+least 128 bits of entropy. It is best practice for a token to have an
+expiration time, although this is not relevant for security of Anastasis.\\
+
Anastasis is designed to use a wide range of authentication methods to
authenticate its users. Even though the user in Anastasis is free to
specify only one authentication method, we strongly recommend the use
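Review bot: the added claim that an expiration time "is not relevant for security of Anastasis" is asserted without justification, and it reverses what the paragraph removed further down said (a validity period as a measure against a compromised mailbox); one sentence explaining why a token's lifetime does not affect Anastasis's security model would close the gap, and the removed FIXME (1) asks exactly that. Two wording fixes in the same lines: "During procedure of some authentication methods a so called token is" should read "During the procedure of some authentication methods, a so-called token is", and "The user than has to provide" should be "The user then has to provide". Finally, ending both sentences with `\\` and then leaving a blank line produces an empty line box in LaTeX (an underfull hbox warning); a blank line alone is the usual way to separate paragraphs here.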
@@ -339,15 +345,6 @@ Authentication by email is similar to SMS authentication.
Here,
the user receives a token by email and has to provide it during the
authentication process.
-% CG: FIXME: (1) I don't buy the validity period, how does it help?
-% CG: FIXME: (2) This also applies to SMS, why have it here?
-The handling of this token needs some
-considerations. The token should have a validity period, this means
-for example the token would only be valid for one hour. This is a
-security measure to prevent malicious actions if the user's email
-account was compromised. Also the token should be a randomly generated
-passphrase which has at least 128 bits of entropy.
-
Another important part is that the email should not already contain the
requested information, so in the case of Anastasis the keyshare. This
is because the SMTP protocol used for email offers no hard security
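Review bot: dropping the paragraph resolves both FIXMEs, but the email section now says only that "the user receives a token by email" and no longer states the token requirements (random, at least 128 bits of entropy) that this hunk removes; since those requirements were moved to the multi-factor authentication paragraph, add a short cross-reference there so the reader of this section knows where they apply, and the same reference can serve the SMS section that FIXME (2) pointed at.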
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.