czei002 · 4 years ago
Given all the drawbacks of passwords there isn't really an alternative to passwords for me. For example, what do you do if you only have 2-factor auth and you lose access to all your devices/docs? e.g. when you are on holidays?

PAKE support in the browser would be awesome. Some applications for it:

https://www.researchgate.net/publication/325142389_AuthStore...

(swap the proposed PAKE for OPAQUE)

FloatArtifact · 4 years ago
Somehow this seems to say distrust the user. I get the drawbacks, that the user is the weakest link here. However, is there still a method to trust the user to hold the data even if they don't know the secret during the authentication? For instance, I have very long, complicated passwords generated in a password manager. I still have ownership over the passwords, and in a sense the user is still trusted even if they don't have those passwords/secrets memorized.

I don't think a hardware token is going to become mainstream for the average user, nor do I think biometrics are appropriate due to the privacy aspect and spoofing techniques.

jpalomaki · 4 years ago
I would like a hardware access token I could duplicate in order to keep a couple of backups in safe, remote locations.
c22 · 4 years ago
Why not just register the backups as additional keys? Then you could configure an alert for any time they're used.
kevincox · 4 years ago
This works fairly well when you are using it for 1 or 2 services. But if I use this hardware device for every service I use, creating a new device would be a month-long process, and missing one service could result in lock-out.

I do the same with my PGP key. I keep the "original" key offline and securely stored but I clone the key into my HSMs. That way the devices I use daily and frequently carry around can't be cloned and have strong brute-force protection (although malware could use my key while the device is compromised) and I can still "mint" new hardware devices without updating my PGP key everywhere and worrying about re-encrypting all old data that I still need.

This is definitely less secure than using keys generated on hardware devices, but for most of my use cases this tradeoff makes more sense.

theamk · 4 years ago
This means you have to pull your backup key out of storage every time you register for a new service. And that rules out a lot of safe places to keep it.
simonmales · 4 years ago
Trezor can function as a hardware token. And you can duplicate them by sharing the seed with each new one.
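Why sharing the seed is enough to duplicate a token like the one described above: every key on such a device is derived deterministically from the seed, so a second device initialised with the same words produces the same keys. The following is an added example, not code from any commenter or from Trezor; it implements the public BIP39 seed derivation and BIP32 hardened child derivation with the standard library only, using the standard all-"abandon" test phrase as constructed input. The SeedToken class and the paths it derives are illustrative assumptions, not a device API.

```python
"""Deterministic key derivation from a seed (BIP39 seed + BIP32 hardened children).
Two "devices" built from the same mnemonic derive identical keys, which is exactly
why a seed-based hardware token can be cloned for backup. Added example, stdlib only.
"""
import hashlib
import hmac
import unicodedata
from typing import Dict, Tuple

# Order of the secp256k1 group, from the curve definition (BIP32 reduces keys mod n).
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed demo input: the well-known 12-word all-"abandon" BIP39 test phrase.
DEMO_MNEMONIC = ("abandon " * 11 + "about").strip()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the NFKD mnemonic,
    salt = "mnemonic" + passphrase, 2048 rounds, 64-byte output."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def bip32_master(seed: bytes) -> Tuple[int, bytes]:
    """BIP32 master node: HMAC-SHA512(key=b"Bitcoin seed", seed) -> (private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if key == 0 or key >= SECP256K1_N:
        raise ValueError("seed yields an invalid master key (astronomically unlikely)")
    return key, digest[32:]


def ckd_priv_hardened(k_par: int, c_par: bytes, index: int) -> Tuple[int, bytes]:
    """BIP32 hardened child: HMAC-SHA512(c_par, 0x00 || ser256(k_par) || ser32(index + 2^31)).
    Hardened derivation needs only the parent private key, so no EC point math is required."""
    i = index | 0x80000000
    data = b"\x00" + k_par.to_bytes(32, "big") + i.to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    child = (il + k_par) % SECP256K1_N
    if il >= SECP256K1_N or child == 0:
        raise ValueError("invalid child at this index; BIP32 says try the next index")
    return child, digest[32:]


def derive_hardened(seed: bytes, path: Tuple[int, ...]) -> int:
    """Walk an all-hardened path such as m/44'/0'/0' and return the leaf private key."""
    k, c = bip32_master(seed)
    for idx in path:
        k, c = ckd_priv_hardened(k, c, idx)
    return k


class SeedToken:
    """Hypothetical stand-in for one hardware device initialised from a mnemonic (assumption:
    a real device keeps the seed inside and exposes only signatures; here it is a plain field)."""

    def __init__(self, mnemonic: str, passphrase: str = "") -> None:
        self._seed = bip39_seed(mnemonic, passphrase)

    def key(self, path: Tuple[int, ...] = (44, 0, 0)) -> int:
        return derive_hardened(self._seed, path)


def clone_demo() -> Dict[str, bool]:
    """Original and backup built from the same words agree on every derived key;
    a different BIP39 passphrase produces an entirely different wallet."""
    original = SeedToken(DEMO_MNEMONIC)
    backup = SeedToken(DEMO_MNEMONIC)             # "cloned" by re-entering the same seed words
    other = SeedToken(DEMO_MNEMONIC, "hunter2")   # constructed passphrase: changes the seed
    return {
        "same_key": original.key() == backup.key(),
        "passphrase_changes_key": original.key() != other.key(),
        "key_in_range": 0 < original.key() < SECP256K1_N,
    }


if __name__ == "__main__":
    print(clone_demo())
```

The check a practitioner wants from this is the flip side of convenience: because derivation is deterministic, anyone holding the seed words (or the backup device) holds every key, so the written-down seed is the "original key kept offline" of the earlier PGP comment and needs the same protection as a private key, and adding a BIP39 passphrase changes the seed entirely rather than adding a second factor on top of it.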