[Standards] Request for Comments: XEP: Two-factor user authentication with a shared secret

Teemu Väisänen uolevi at gmail.com
Wed Feb 5 14:14:17 UTC 2014


Hello.

I have updated my XEP proposal, you can find it from
https://a2nets.erve.vtt.fi/TeemuVaisanen?action=AttachFile&do=view&target=xep-0000-UserAuth-draft-0.0.2.html

We were wondering if it would be secure enough if the Prover client
logs in and tells this and its JID to the Verifier client (e.g., if
both clients are running on the same device)? So no ad-hoc commands or any
transmitted secrets would necessarily be needed... Then the Verifier
could be sure that the user of the Prover's account has access to the
device where the Verifier is running, right?

-Teemu


2013-12-20 Teemu Väisänen <uolevi at gmail.com>:
> Thank Sergey for your message.
>
> I try to clarify it with a simple example with a device. Does it make any sense?
>
> A presents XMPP account of a user U.
> B presents XMPP account of the device D.
> U does not know B.
> U knows D and has it in his/her hand.
> A does not (necessarily) know B.
> B does not (necessarily) know A.
>
> 1. U starts D.
> 2. B logs in on D.
> 3. A logs in on D.
> 4. B generates a shared secret K.
> 5. B transmits K to A, e.g., programmatically when both A and B are in same D.
> 6. Both A and B know now each other (at least inside the program).
> 7. A sends K to B using the presented new ad-hoc commands. A may log out
> anytime after successful transmission.
> 8. B checks if sender's full JID is known A's full JID and checks if
> received K is correct or not.
> 9. B can be sure whether A really exists or not, whether U knew A's
> credentials or not, and that A and no-one else sent the wanted K.
>
> After this B may check, e.g., if A is authorized or not to access
> certain resources, do something, or start something.
>
>
> -Teemu V
>
>
> 2013/12/20 Sergey Dobrov <binary at jrudevels.org>:
>> Hello Teemu,
>>
>> I would like to see some example chart of how it works and
>> why it is needed. Because the current text description in the first
>> paragraph is hard to understand, from my point of view.
>>
>> Thanks.
>>
>> On 12/19/2013 06:04 PM, Teemu Väisänen wrote:
>>> Hello all.
>>>
>>> I have written a new proposal for a XEP: Two-factor user
>>> authentication with a shared secret. html and xml files can be
>>> downloaded from https://a2nets.erve.vtt.fi/TeemuVaisanen
>>>
>>> For the next version we have to think, e.g., if there should be only
>>> one ad hoc command to ask all supported mechanisms or use separate
>>> commands for each authentication mechanism (as in current version).
>>>
>>> Any questions, comments and suggestions are welcome.
>>>
>>> Best regards,
>>>
>>> Teemu Väisänen
>>>
>>
>>
>> --
>> With best regards,
>> Sergey Dobrov,
>> XMPP Developer and JRuDevels.org founder.
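The nine-step exchange in Teemu's 2013-12-20 message can be simulated end to end without a server. The following is an added example, not code from the draft XEP or from any of the posters: B (the Verifier, the device's account) generates K, hands it to A (the Prover) in-process as in step 5, A wraps K in an XEP-0050 ad-hoc command IQ as in step 7, and B performs the step 8 check that the sender's full JID is the expected one and that K matches. The command node name `urn:example:userauth:shared-secret`, the `<secret>` child element and the JIDs are assumptions made up for the example; the draft does not fix them. Two details go beyond the quoted steps: the comparison is constant-time, and K is consumed on first success so a replayed stanza fails.

```python
import hmac
import secrets
import xml.etree.ElementTree as ET

CMD_NS = "http://jabber.org/protocol/commands"    # XEP-0050 ad-hoc commands namespace
CMD_NODE = "urn:example:userauth:shared-secret"   # assumed node name, not from the draft


class Verifier:
    """Account B of device D: issues K and checks the stanza that brings it back."""

    def __init__(self, own_full_jid):
        self.own_full_jid = own_full_jid
        self.outstanding = {}   # prover full JID -> K not yet presented

    def issue_secret(self, prover_full_jid):
        # Steps 4-5: generate K and hand it to A (here: in-process, same device).
        k = secrets.token_urlsafe(32)
        self.outstanding[prover_full_jid] = k
        return k

    def verify(self, stanza_xml):
        # Step 8: the stanza must be addressed to us, carry our command node,
        # come from a known prover full JID, and present the correct K.
        iq = ET.fromstring(stanza_xml)
        if iq.get("to") != self.own_full_jid:
            return False
        cmd = iq.find(f"{{{CMD_NS}}}command")
        if cmd is None or cmd.get("node") != CMD_NODE:
            return False
        sender = iq.get("from", "")
        expected = self.outstanding.get(sender)
        if expected is None:
            return False            # unknown or already-used sender JID
        secret_el = cmd.find("secret")
        presented = secret_el.text if secret_el is not None and secret_el.text else ""
        # Constant-time comparison so timing does not leak how much of K matched.
        ok = hmac.compare_digest(presented.encode(), expected.encode())
        if ok:
            del self.outstanding[sender]   # K is single-use; a replay fails
        return ok


def prover_stanza(prover_full_jid, verifier_full_jid, k, stanza_id="auth1"):
    # Step 7: A packages K into an ad-hoc command IQ addressed to B.
    iq = ET.Element("iq", {"type": "set", "from": prover_full_jid,
                           "to": verifier_full_jid, "id": stanza_id})
    cmd = ET.SubElement(iq, f"{{{CMD_NS}}}command",
                        {"node": CMD_NODE, "action": "execute"})
    ET.SubElement(cmd, "secret").text = k
    return ET.tostring(iq, encoding="unicode")


def demo():
    # Constructed JIDs for the walk-through.
    prover = "user@example.org/prover"
    b = Verifier("device@example.org/verifier")
    results = {}

    k = b.issue_secret(prover)
    good = prover_stanza(prover, b.own_full_jid, k)
    results["correct"] = b.verify(good)        # genuine A with the right K
    results["replay"] = b.verify(good)         # same stanza again: K already consumed

    k2 = b.issue_secret(prover)
    results["wrong_jid"] = b.verify(prover_stanza("other@example.org/x", b.own_full_jid, k2))
    results["wrong_secret"] = b.verify(prover_stanza(prover, b.own_full_jid, "not-the-secret"))
    results["correct_again"] = b.verify(prover_stanza(prover, b.own_full_jid, k2))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} -> {'accepted' if outcome else 'rejected'}")
```

The check keys on the full JID (bare JID plus resource) because the draft's step 8 says so; a verifier keyed on the bare JID alone would accept K from any other resource logged into A's account. Everything that is not in the quoted steps (node name, element name, single-use K) is this example's own choice.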
