[taler-anastasis] branch master updated (7d63fbc -> fb7fc68)
From: gnunet
Subject: [taler-anastasis] branch master updated (7d63fbc -> fb7fc68)
Date: Mon, 08 Jun 2020 20:51:27 +0200
This is an automated email from the git hooks/post-receive script.
dennis-neufeld pushed a change to branch master
in repository anastasis.
from 7d63fbc Merge branch 'master' of ssh://git.taler.net/anastasis
new 48e8fe1 fix token
new fb7fc68 fix token
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
doc/thesis/related_work.tex | 17 +++++++----------
1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/doc/thesis/related_work.tex b/doc/thesis/related_work.tex
index 8c458fc..bbf71ca 100644
--- a/doc/thesis/related_work.tex
+++ b/doc/thesis/related_work.tex
@@ -223,6 +223,12 @@ single authentication method by itself is usually
vulnerable.
Multi-factor authentication combines multiple authentication
procedures to enhance the security of the system.
+During procedure of some authentication methods a so called token is
+sent to the user. The user than has to provide the token to authorize.\\
+The token should be a randomly generated passphrase which has at
+least 128 bits of entropy. It is best practice for a token to have an
+expiration time, although this is not relevant for security of Anastasis.\\
+
Anastasis is designed to use a wide range of authentication methods to
authenticate its users. Even though the user in Anastasis is free to
specify only one authentication method, we strongly recommend the use
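Review bot: The added clause "although this is not relevant for security of Anastasis" states a conclusion without giving the reason, and the text this commit removes from the email section argued the opposite (a validity period as protection when the user's email account is compromised). Add one sentence here saying why expiration does not matter for Anastasis, so the reader is not left with an unexplained reversal. Wording in the same added lines: "During procedure of" should read "During the procedure of", "so called" should be "so-called", and "The user than has to" should be "The user then has to"; "authorize" probably wants to be "authenticate", since the surrounding paragraph is about authentication. The trailing "\\" directly before the blank line forces a line break at a paragraph end and will produce an underfull hbox warning; the blank line alone is enough.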
@@ -339,16 +345,7 @@ Authentication by email is similar to SMS authentication.
Here,
the user receives a token by email and has to provide it during the
authentication process.
-% CG: FIXME: (1) I don't buy the validity period, how does it help?
-% CG: FIXME: (2) This also applies to SMS, why have it here?
-The handling of this token needs some
-considerations. The token should have a validity period, this means
-for example the token would only be valid for one hour. This is a
-security measure to prevent malicious actions if the user's email
-account was compromised. Also the token should be a randomly generated
-passphrase which has at least 128 bits of entropy.
-
-Another important part is that the email should not already contain the
+It is important that the email should not already contain the
requested information, so in the case of Anastasis the keyshare. This
is because the SMTP protocol used for email offers no hard security
assurances. In particular, the email is likely to be stored for a
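Review bot: With the entropy requirement moved out of the email paragraph, the remaining sentence "the user receives a token by email and has to provide it during the authentication process" no longer tells the reader what properties that token must have. Add a cross-reference from here to the general token paragraph introduced around line 223 so the 128-bit requirement is still reachable from the email section. The two "CG: FIXME" comments are deleted together with the text they questioned, and the commit message "fix token" does not say how they were resolved; a short note in the commit message (validity period dropped as a requirement, token description generalized so it also covers SMS) would document that. In the replacement line, "It is important that the email should not already contain" doubles the modality; "The email must not contain the requested information" is tighter.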
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.