On Fri, Sep 13, 2013 at 8:38 AM, Tyler Romeo tylerromeo@gmail.com wrote:
On Fri, Sep 13, 2013 at 11:13 AM, Chris Steipp <csteipp@wikimedia.org> wrote:
This of course means that we would condone users giving their username/password to a potentially trojaned desktop application, for the benefit that honest apps would be able to easily store a token instead of the username/password combination and prevent a later attacker from getting full access to a user's account through their password.
Does the community feel like that's a reasonable tradeoff?
I have another idea: application passwords. Google has them. Facebook has them. And they're basically like OAuth tokens except a bit more permanent.
It's definitely something to consider. I don't want to create too many different authentication schemes, since that means someone who has a fair amount of security understanding will need to maintain them long term. But, I definitely see the use for them, and they could probably plug into MediaWiki exactly like OAuth.
Of course the drawback of them vs OAuth is that the password still needs to be secret (so only submitted over https), whereas having the consumer secret really secret lets the consumer ensure integrity of the message over http. But again, that really only would affect users where https is restricted.
For those not familiar with the concept, Google and others have a section in your account settings that allows you to generate application passwords. You then give this password to the application in lieu of your actual password. Of course, it can be revoked at any time, and it'd be trivial to implement scoping on these application passwords. If anything we could just have them act exactly like OAuth access tokens.
While I do think that there is definitely a bit of trust that goes into giving an application access to your account, there are definitely methods we could employ to avoid letting users give their password directly to an application.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo@gmail.com

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
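As an added illustration, not code from this thread or from MediaWiki: a minimal server-side model of the application-password scheme discussed above (per-user generation, scoping, revocation, verification). The class and method names are assumptions, and the store is an in-memory stand-in for a real user table.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class AppPassword:
    label: str            # e.g. "bot on laptop" (constructed example label)
    scopes: frozenset     # rights this password grants, much like OAuth grants
    digest: bytes         # hash of the random secret; the secret itself is never stored
    revoked: bool = False


class AppPasswordStore:
    """In-memory per-user registry of application passwords (constructed example)."""

    def __init__(self):
        self._by_user = {}  # user -> {password_id -> AppPassword}

    @staticmethod
    def _digest(user, secret):
        # The secret is ~192 bits of CSPRNG output, so a plain hash suffices;
        # prefixing the user name separates digests between accounts.
        return hashlib.sha256(f"{user}:{secret}".encode()).digest()

    def generate(self, user, label, scopes):
        """Create a scoped password; the returned string is shown to the user once."""
        password_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(24)
        entry = AppPassword(label, frozenset(scopes), self._digest(user, secret))
        self._by_user.setdefault(user, {})[password_id] = entry
        return f"{password_id}.{secret}"

    def authenticate(self, user, presented, required_scope):
        """True only for a live, matching password whose scopes cover the request."""
        password_id, _, secret = presented.partition(".")
        entry = self._by_user.get(user, {}).get(password_id)
        if entry is None or entry.revoked:
            return False
        if not hmac.compare_digest(entry.digest, self._digest(user, secret)):
            return False
        return required_scope in entry.scopes

    def revoke(self, user, password_id):
        """Revocation from account settings; the real account password is untouched."""
        entry = self._by_user.get(user, {}).get(password_id)
        if entry is None:
            return False
        entry.revoked = True
        return True
```

Because only a digest is kept and the secret is random, a database leak does not expose the application password, and revoking one entry never affects the account's real password.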