[oauth] Re: Authentication API protected with OAuth

2009-01-29 Thread chris . messina
The PIN could actually be delivered out of band at the time of authorization (via SMS, for example). I agree that more shared secrets don't necessarily help things, but it's like FriendFeed's Remote Key... I'm not a huge fan of it since it puts the burden on the user to remember yet another

[oauth] Re: Authentication API protected with OAuth

2009-01-29 Thread Brian Eaton
On Wed, Jan 28, 2009 at 6:41 PM, George Fletcher gffle...@aol.com wrote: The request is only valid if the receiving authentication system can generate the signature using the password for that user. Lots of authentication servers can't do that, because they do not keep a clear-text version of