Radical Shift Behind Login Process Emerges Slowly, Half-Baked
Twitter’s solution still falls short. Is it intuitive and seamless? Not so much. By their own account, Twitter’s engineers are still missing the final piece of the puzzle.
Why is the solution unfinished? Probably because nobody yet knows, even in theory, what to look for: what the missing final steps are, or how they would perfect the process. Twitter’s engineers have said nothing about when they plan to start building that missing piece, or even how it might work.
Overhauling the process before producing devices is now the right direction. Embracing chaos is even better. Meanwhile, the search for a quantum leap in encryption, access control and secure data storage rages on. Make no mistake: it is coming to the weary masses at an ever-increasing pace.
Traditional two-factor authentication protocols require a shared secret between the user and the service. For instance, OTP protocols use a shared secret modulated by a counter (HOTP) or timer (TOTP). A weakness of these protocols is that the shared secret can be compromised if the server is compromised. We chose a design that is resilient to a compromise of the server-side data’s confidentiality: Twitter doesn’t persistently store secrets, and the private key material needed for approving login requests never leaves your phone.
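What that design difference looks like in code, as an added example that is neither Twitter’s code nor anything from the Wired story: HOTP/TOTP per RFC 4226/6238, where the server holds the very same secret as the phone, next to a challenge-response login where the server holds only a public key and the phone signs a fresh random challenge. The signature scheme here is a Lamport one-time signature, picked because it needs nothing beyond Python’s standard library; it stands in for whatever algorithm Twitter actually uses, which the page does not say. The user name, the RFC test secret, the class names and the database layout are all constructed for the demo.

```python
"""Shared-secret OTP (HOTP/TOTP) versus a public-key login approval.

Constructed example. The OTP side follows RFC 4226 / RFC 6238; the asymmetric
side uses a Lamport one-time signature (hash-based, stdlib only) as a stand-in
for whatever signature scheme Twitter really uses.
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# ---- 1. Shared-secret design: HOTP / TOTP ---------------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    t = int(time.time()) if now is None else now
    return hotp(secret, t // step, digits)


def otp_code_after_server_breach(stolen_db: dict, user: str, counter: int) -> str:
    """Whoever copies the OTP server's table holds the same secret the phone
    holds, so they can mint codes the server will accept."""
    return hotp(stolen_db[user], counter)


# ---- 2. Public-key design: the phone signs a server challenge --------------

def lamport_keygen():
    """Private key: 256 pairs of random 32-byte preimages. Public key: their hashes."""
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[hashlib.sha256(a).digest(), hashlib.sha256(b).digest()] for a, b in sk]
    return sk, pk


def _bits(challenge: bytes):
    h = int.from_bytes(hashlib.sha256(challenge).digest(), "big")
    return [(h >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, challenge: bytes):
    """For each bit of SHA-256(challenge), reveal the preimage that bit selects."""
    return [pair[b] for pair, b in zip(sk, _bits(challenge))]


def lamport_verify(pk, challenge: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hmac.compare_digest(hashlib.sha256(s).digest(), pair[b])
               for pair, b, s in zip(pk, _bits(challenge), sig))


class Phone:
    """Holds the private key; it is never transmitted anywhere."""
    def __init__(self):
        self.sk, self.pk = lamport_keygen()

    def approve(self, challenge: bytes):
        return lamport_sign(self.sk, challenge)


class LoginServer:
    """Stores only public keys plus one pending random challenge per user."""
    def __init__(self):
        self.pubkeys, self.pending = {}, {}

    def enroll(self, user: str, pk):
        self.pubkeys[user] = pk

    def start_login(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)   # fresh nonce, never reused
        return self.pending[user]

    def finish_login(self, user: str, sig) -> bool:
        challenge = self.pending.pop(user, None)       # each challenge is usable once
        return challenge is not None and lamport_verify(self.pubkeys[user], challenge, sig)


def run_login_scenarios() -> dict:
    """Honest login, a replayed signature, and an attacker holding a copy of the server DB."""
    phone, server = Phone(), LoginServer()
    server.enroll("alice", phone.pk)                   # constructed user

    ch1 = server.start_login("alice")
    sig1 = phone.approve(ch1)
    honest = server.finish_login("alice", sig1)

    server.start_login("alice")
    replay = server.finish_login("alice", sig1)        # old signature against a new challenge

    stolen = dict(server.pubkeys)                      # everything a server breach yields
    ch3 = server.start_login("alice")
    forged = [pair[b] for pair, b in zip(stolen["alice"], _bits(ch3))]  # hashes, not preimages
    breach = server.finish_login("alice", forged)
    return {"honest": honest, "replay": replay, "breach": breach}
```

Running `run_login_scenarios()` gives an honest login that succeeds, a replayed signature that fails because every login gets a fresh challenge, and a breach attempt that fails because a copy of the server’s table contains only hashes and the verifier demands their preimages. `otp_code_after_server_breach`, by contrast, shows that a copy of an OTP server’s table is all an attacker needs to mint valid codes. One caveat on the stand-in scheme: a Lamport key must sign only one challenge, since each signature reveals half of the private preimages, so a real deployment uses a many-time signature scheme and keeps the key in the phone’s secure hardware where available.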
And so a partially complete protocol sits behind Twitter’s new-fangled authentication scheme, which is solid-ish. | Read the full Wired story