+Ryan Kelly since password reset involves accounts
Very interesting article Ryan. I look forward to seeing what password reset
UX alternatives you will propose. I was under the impression that SMS
wouldn't work for us. Do you think that SMS could be a viable option?
Thanks for sharing.
--
Alex D
I've begun researching good examples for security questions, as I imagine
they are hard to solicit unique and memorable responses across the globe. I
came across this paper by Google that is essentially declaring them dead.
https://security.googleblog.com/2015/05/new-research-some-tough-questions-f
Thanks Chris for sharing.
I have a 1:1 with RFeeley today and we will look over this together.
--
Alex Davis // Mountain View
Product Manager // FxA & Sync
(415) 769-9247
IRC & Slack: adavis
On Fri, Aug 26, 2016 at 4:44 PM, Christopher Karlof
wrote:
> Let me take this opportunity to make sure
On Mon, Aug 29, 2016 at 4:01 PM, Ryan Kelly wrote:
> On 27/08/2016 09:44, Christopher Karlof wrote:
> > Let me take this opportunity to make sure this problem is framed
> correctly:
> >
> > *Our goal is to increase user success and satisfaction in their experience
> > using Sync, specifically when c
On 27/08/2016 09:44, Christopher Karlof wrote:
> Let me take this opportunity to make sure this problem is framed correctly:
>
> *Our goal is to increase user success and satisfaction in their experience
> using Sync, specifically when connecting additional devices.*
I have no beef with this framing
Let me take this opportunity to make sure this problem is framed correctly:
*Our goal is to increase user success and satisfaction in their experience
using Sync, specifically when connecting additional devices.*
The obvious problem that’s been identified is that in the current system,
when users go
Thank you for your answer Richard.
> Ryan's thread is about ways we can give those users an experience
closer to Dropbox: reset your password but keep your data.
>
> It sounds like you're talking about the space on the other side:
reducing the dependence on a single password.
> Am I reading you co
>
> I like the idea of having an encryption key that is generated randomly.
>
We used to do that. The difficulty was in moving it around between
machines. We used J-PAKE to exchange credential bundles, but that required
users to have both devices together at the same time. We used
printable/savable
>
> Great discussion. The worry I have with any stored key file is that I
> suspect many of the users resetting their passwords no longer have the old
> hardware. Their old one died. They bought a new one. Signed in to their
> cloud accounts, and treated Firefox like any other cloud-based account.
>
Great discussion. The worry I have with any stored key file is that I
suspect many of the users resetting their passwords no longer have the old
hardware. Their old one died. They bought a new one. Signed in to their
cloud accounts, and treated Firefox like any other cloud-based account.
Maybe anoth
My suspicion is that non-tech users do one of these things:
1. Blame themselves if they can't remember the answers. They remember going
through the process… gosh darn my bad memory, I'm just not good with
computers.
2. Get the answers right (at least after trying different
capitalization), becaus
I thought we all assumed 'security questions' are just security
vulnerabilities, and just fill them in with `crypto.randomBytes(64)`.
On Mon, Aug 22, 2016 at 5:59 PM Julien Vehent wrote:
> On Tue 23.Aug'16 at 10:48:28 +1000, Ryan Kelly wrote:
> > On 23/08/2016 10:43, Richard Newman wrote:
> > >
On Tue 23.Aug'16 at 10:48:28 +1000, Ryan Kelly wrote:
> On 23/08/2016 10:43, Richard Newman wrote:
> > Under the hood there would be a bunch of shamir's secret sharing and key
> > wrapping palaver to actually make things go.
> >
> > You mean like wrapping the user's kB with their own kA (p
On 23/08/2016 10:43, Richard Newman wrote:
> Under the hood there would be a bunch of shamir's secret sharing and key
> wrapping palaver to actually make things go.
>
> You mean like wrapping the user's kB with their own kA (prove ownership
> of your account) plus your friend's kB (prove
>
> Under the hood there would be a bunch of shamir's secret sharing and key
> wrapping palaver to actually make things go.
>
You mean like wrapping the user's kB with their own kA (prove ownership of
your account) plus your friend's kB (prove non-resetness of their account)?
Yeah, that's a dance,
On 23/08/2016 09:56, Julien Vehent wrote:
> On Mon 22.Aug'16 at 14:43:42 -0700, Richard Newman wrote:
>> Another option is to build a key escrow service, similar to the one Apple
>> hosts for FileVault encryption keys.
>>
>> A key escrow service would instead wrap a copy of kB with additional crypt
On 23/08/2016 10:17, Richard Newman wrote:
> Maybe we could build an escrow service that's still in control of
> the user,
> for example by splitting the recovery key using shamir's secret
> sharing and
> assigning each part to a recovery step, with a threshold of 3 to
> rec
>
> Maybe we could build an escrow service that's still in control of the user,
> for example by splitting the recovery key using shamir's secret sharing and
> assigning each part to a recovery step, with a threshold of 3 to
> reconstruct
> the recovery key.
>
> That's hard to do in practice, but s
On Mon 22.Aug'16 at 14:43:42 -0700, Richard Newman wrote:
> Another option is to build a key escrow service, similar to the one Apple
> hosts for FileVault encryption keys.
>
> A key escrow service would instead wrap a copy of kB with additional crypto
> — print-and-save keys, a long series of que
Another little bit of history: we discussed having a 'slider' when you set
up Sync, either per-account or per-datatype:
* I prioritize recovery over security: keep my data if I reset my password
(use kA)
* I prioritize security over recovery (use kB)
* I prioritize security over convenience (use "
Hi deep Syncers,
Users forget passwords. We can’t stop this; but perhaps we can eliminate the
instances of single-device users resetting their passwords and destroying
potentially the only back-up they have of their bookmarks, passwords, etc.
Some questions I’m aiming to get answered:
How many
21 matches