username and a password for authentication. But there are a few problems with this approach. It requires you to hand a secret you must protect (your password) to a website, so a piece of information that must stay secret is no longer under your control.
losing control of customer data. Recently youporn.com was compromised and email addresses with passwords were posted online. Many people reuse the same email and password combination on different websites, which immediately makes their accounts on those other websites vulnerable.
handle your password. Many websites will compromise the strength of your password by limiting its length. For example, my bank does not allow passwords longer than 8 characters.
it? With OAuth, the website receives an access token instead of your username and password. However, there is a catch. You are still required to log in to Facebook, Twitter, or Google with a username and password.
still trust Facebook. Most OAuth providers have a page that lists the websites you have authorized. An attacker who takes over your provider account can read that list, and every website authorized through Facebook is now accessible to the attacker.
with Twitter, that site is given your Twitter username. If you log in to a second website with your Twitter account, that site is also given your Twitter username. This means you can be identified across websites by your Twitter username: anyone who sees both sites' data can assume that the same person is using Site 1 and Site 2, which lets them track you between websites.
that you own an email address. This system requires that you trust a third party who vouches for you, in effect saying: "Yes, this person owns that email address." As with OAuth through Twitter, the email address can identify you uniquely around the web.
elegance using public key cryptography. With TrustAuth, two keys are created:
• Private Key - similar to a password, must be kept secret
• Public Key - can be shared with anyone
These two keys are mathematically linked.
This replaces your typical username. The website encrypts random data and sends it to the user's browser. The browser decrypts it with the user's private key and sends the result back to the server for verification. If it matches, the user has proven his or her identity and can be logged in. The server never has access to your private key, so a breach of the website's database exposes only public keys and yields nothing an attacker can use to log in as you.
TrustAuth: How It Works
about how a website stores a password, because you never reveal your private key. Unlike OAuth or BrowserID, you never have to trust a third party. Security breaches are contained: a stolen account on one website cannot compromise accounts on other websites. Note that this also depends on generating a separate key pair for each website; reusing one public key everywhere would turn it into a cross-site identifier, the same tracking problem raised against logging in with Twitter.
TRUSTAUTH: OVERVIEW