> Numerous participants in our survey indicated a preference for not being required to use a smartphone, hardware token, or browser extension. We thus aim to allow users to use either a smartphone or a browser extension, based on their preference, expanding on our original design that focused exclusively on a smartphone. We also note that a browser could directly implement our system, avoiding the need for an extension.
I'm glad they captured this design requirement. There is a real danger that future global auth systems will move towards a root of trust which is even more oligarchic than the Web PKI model of certificate authorities, namely the FIDO Alliance device attestation/revocation system, or relying on the TPM systems of a few OS/CPU manufacturers.
They talk about a revised model in the paper. Having implemented c-ssl systems at many, many companies, I can say it can be difficult to manage. Cool concept though!
The "we're going to have a decentralized system someday but right now it's totally centralized" line is usually heard from the cryptocurrency community. It's discouraging to hear it from the cryptographic security community.