
The authentication providers are more than just email (the article mentions phone and SMS tbd).

I'm not sure what you're saying here:

> (Hashed) Password storage is moved to a third-party database (the email provider)

There is no hashed password? It's just a challenge response using an alternative path.



My assumption is that a "login key" is essentially a large piece of data that would be prohibitively inconvenient to use outside of an email account, text, etc. Analogous to a large session cookie without an expiration date.

In contrast, a password is designed to be used from any login point.

In this regime, unless the optional password is used, there is no hashed password stored on Mozilla's servers. Only a copy of the hash of the "login key" is stored, so the attack surface is considerably shrunk if you are attacking Webmaker users.


More technical details here from the post:

https://chrisdecairos.ca/one-time-passwords-pt-2/

I'm not totally clear about what the difference is between a "login key" (short-lived, pronounceable) and whatever is contained in these semi-permanent login email links (~1 year, presumably non-pronounceable).


The login key is in the article in the example screenshot[1]: 'hopping-smiles'.

[1]: http://notebook.ideapublic.org/wp-content/uploads/sites/5/20...


The onus on protecting the user's password is now on the email provider, since they aren't going to have this kind of system.


No, the onus is still on the user. How does the onus move to the channel provider?

I don't see a difference between this and the 'Reset your password' links in emails that are commonplace. They are basically the same premise, without the password.

