undefined | Better HN

0 pointslelanthran2y ago0 comments

> I don't think they actually have to come up with a replacement for "something the person knows," they just need to prove it's already not there to be replaced.

I don't know what this means.

Once you've identified a person, you still have to authenticate that they aren't masquerading as someone else. The replacement I asked for is not "how do I identify who I am talking to", it's for "Right, now that I've identified them, how do I verify that it really is* them."*

If you want to do away with passwords, tokens are no replacement.

> With password managers, the password becomes more like something the person has anyway.

Maybe. The user still has to both identify and authenticate themselves to the password manager anyway, so you can give access to the password manager as a "something they know" anyway.

0 comments

1 comments · 1 top-level

starttoaster2y ago

> I don't know what this means.

You responded to this after your second quotation, I effectively said the same thing twice in different ways to make my point. Hopefully you understand it now. To be fair, it's a somewhat complicated sentence, took me a while to put that thought into words.

> so you can give access to the password manager as a "something they know" anyway.

Mostly true. Ignoring password manager breaches, as that hurts your argument a little. Security researchers are currently of the opinion that the last LastPass security breach leaked people's encrypted password vaults, which people have somehow managed to decrypt since then. In that case, the password was something the attacker had, not something they had to know. But I think I mostly agree that access to the password manager can at least (mostly) be seen as something they know.

j / k navigate · click thread line to collapse