> Entering a password into an HTML form is NOT SECURE, period.
What I meant by needing the user to enter a password (whether in a web app or native app) is that the user will still need to use a password manager and 2FA for decent security in the case that their password is compromised elsewhere. And no, you don't have to combine it with bruteforce if someone knows the password you use on an app that utilizes SRP. So it's not lightyears from what we have now. If you have the password, you can log in, whether the server uses OPAQUE or simply checks the hash.
A browser extension is still insecure third-party JS code. I honestly think there's no way to securely implement it for browsers, but it'd work well in native apps.
> Don't rely on someone else's computer for your own security.
Precisely. Use a password manager and assume the server is going to be compromised one day. Assume you might be phished one day, so you shouldn't use the same password for everything. That's the right mindset.
A salted hash is what all ZKPP implementations end up with. You can still figure out the user's password by bruteforcing the password verifier, because it's the hashed result of the ZKP's algorithm. My case in point is that you're achieving the same level of security as HTTPS + salted hash except in 7+ steps, each step leaving room for improper implementation.
Compromised where elsewhere? I control my password, so I know exactly where it goes and doesn't go. And the only place it ever goes is the little green box in my zero knowledge password extension (or native app if you prefer). I, as the user, have complete control over my own security. If my password was compromised in any way other than brute force, I can be 100% sure it was my own fault. Maybe I didn't inspect the source code well enough, maybe I talk in my sleep, but it's all on me. Saying that someone can obtain my ZKPP password through a different channel is just as nonsensical as saying that someone could get their hands on my password manager's master password if I once made an account on a pizzeria's site with the same credentials. Well, I shouldn't have.
Conversely, if an attacker obtains part of a server log from example.com, and my password is in there, they can impersonate me on example.com. It doesn't help that they can't impersonate me elsewhere because I don't reuse passwords. The damage is already done. That's because I trusted example.com to handle my credentials securely, and they didn't. I, as the user, had zero say about how secure the authentication process should be.
While I wholeheartedly agree that using different passwords, having 2FA enabled etc. is always better than not doing so, what I don't like is that these additions came about as artifacts of the crappy way we handle authentication. I want them to be a nice-to-have, an extra line of defense, not forced solutions born out of necessity.
Perhaps you have a keylogger on your computer. Or a malicious app was able to access your clipboard. Or a third-party script on the site hijacked the form submission (Magecart, which is still an issue to this day). Or perhaps you're using a native app that isn't open-source, and they send your credentials to their servers to create their own list of passwords for credential stuffing elsewhere. There are many possible channels to be compromised. Sure, these are "user errors," but people have to use proprietary apps and websites for their day-to-day life. And people still get phished.
And so, users shouldn't trust websites. That's why the browser is sandboxed. They shouldn't trust proprietary apps either, but now Mac/Windows users are accustomed to letting apps elevate their privileges upon installation. Assume they won't handle your credentials securely, and you'll be better off when security does inevitably break somewhere down the line.
You're wanting an ideal world where every service everywhere is using some sort of ZKPP for authentication, both the client and server are open source with reproducible builds, have security audits, and their users don't reuse passwords. I would love this too, but it's not reasonable. There's a huge educational and governmental gap for society to get there.
We'll always need password managers and 2FA; globally-enforced ZKPP's still won't stop that. Perhaps there's a use-case for them elsewhere that will be revolutionary, like end-to-end encryption with messaging apps. But for authentication? Just send it over HTTPS.
If I had a keylogger or other spyware, even my password manager's master password wouldn't be safe, so that line of reasoning still doesn't sound convincing to me. :) Only 2FA could prevent that, and I don't mind using 2FA as much as using password managers because it actually brings in something of value, something other than a "what you know".
Honestly, I don't think this would require such a big change/re-education, but it's hard to tell. Historically, much bigger changes in IT security were implemented with success - like the widespread use of SSL/TLS itself, even though that consists of more than 7 steps as well, and aims to achieve basically the same thing as PAKE, minus the client auth being obligatory (or that can be a plus, depending on how you view it). Instead of an ideal world, I'd say 'alternative'. Hmm. So maybe SRP was all about succeeding HTTP after all...
That said, I wouldn't mind at all if a PAKE initiative started small, with a handful of websites. If they knew what they were doing, of course. That alone wouldn't eliminate the need for password managers and the like, but at least one less password I'd need to regularly check on HaveIBeenPwned. (Okay, that's a lie. I'm never checking them anyway. All talk and no action.)
You know, I'm almost sold on it. I still think it's a bad idea to use it in the browser, but for native apps/games, some of the pros could be really nice (particularly client-side hashing).
ZKPP's
Pros
- You can make sure the server won't mishandle the password.
- You can let the client do the hashing, which helps alleviate server strain. You can set the number of hash iterations to a much higher amount than you'd typical use on a server.
- You've got a secure connection for client/server communication now; this in particular can likely find a revolutionary use-case, perhaps in gaming.
Cons
- Your developers have to learn how to go through the 7+ steps properly, until frameworks for it crop up.
- Less battle-tested: there may be more bugs and exploits in whichever protocol you choose due to how many less eyes are on it.
- Developers may choose a really weak hashing algorithm.
It would be pretty sweet for browsers to have one of the ZKPP's built-in, where the javascript can't touch the user's password or the code for generating the keys & initiating the handshake.
Glad I could get you a bit more interested in this kind of approach. Your summary makes sense to me, though admittedly it is damn hard to reason about the security of these things correctly. Getting the client to do the hard work really is an added bonus, now that you mention.
I think this is an exciting field of research - if in practice little more than a curiosity at this time -, and I expect great results to come out of it in the near future.
What I meant by needing the user to enter a password (whether in a web app or native app) is that the user will still need to use a password manager and 2FA for decent security in the case that their password is compromised elsewhere. And no, you don't have to combine it with bruteforce if someone knows the password you use on an app that utilizes SRP. So it's not lightyears from what we have now. If you have the password, you can log in, whether the server uses OPAQUE or simply checks the hash.
A browser extension is still insecure third-party JS code. I honestly think there's no way to securely implement it for browsers, but it'd work well in native apps.
> Don't rely on someone else's computer for your own security.
Precisely. Use a password manager and assume the server is going to be compromised one day. Assume you might be phished one day, so you shouldn't use the same password for everything. That's the right mindset.
A salted hash is what all ZKPP implementations end up with. You can still figure out the user's password by bruteforcing the password verifier, because it's the hashed result of the ZKP's algorithm. My case in point is that you're achieving the same level of security as HTTPS + salted hash except in 7+ steps, each step leaving room for improper implementation.