[Users] Migrating account authentication from basic POP to OAuth2

Jeffrey Walton noloader at gmail.com
Thu Dec 22 12:19:41 UTC 2022


On Thu, Dec 22, 2022 at 6:43 AM Paul <paul at claws-mail.org> wrote:
> On Wed, 21 Dec 2022 13:46:42 -0500
> Jeffrey Walton <noloader at gmail.com> wrote:
>
> > What the security community found (through years of trial and error,
> > and security usability studies), is that most users are in the group
> > that is labeled as "not in their right mind." You have to design a
> > system that works around the user's bad choices and bad behaviors.
> [...]
>
> Anyway, that is a different thing entirely from the point I was making, which
> is how those pushing oauth2 insinuate that oauth2 is somehow more secure than
> username+password+TLS, by calling them "less secure" etc.

When you model the threats, oauth is a better choice. The problem
oauth solves is the transport of passwords. It does so by replacing
the password with a time limited token. It does so at the expense of
adding a trust relationship.

It does not matter if you use a TLS channel because you are using a
transport scheme in a security model with sharp edges. It would be a
different story if you were using a cipher suite that provides channel
binding. But you are not.

If the password is compromised, then the attacker gets unlimited
access to the account. The attacker may also gain access to other user
accounts.

If the oauth token gets compromised, then the attacker has a small
window of opportunity. At the next execution of the protocol the token
will change. And the attacker cannot use the token at other sites.

In a single execution of the protocol, the password and oauth token
appear to produce the same results because both are authenticators.
But over time with multiple executions of the protocol, the password
and oauth token behave differently.

Mishandling of secrets and the web security model is one of the
reasons the browsers moved to Yubikeys. Browsers regularly mishandle
secrets like passwords because of basic_auth authentication. Yubikeys
produce an origin-based secret, similar to the oauth token. The
Yubikey token is going to change at the next execution of the
protocol. Formerly mishandled secrets no longer matter, just like with
oauth tokens.

> Their aim, perhaps,
> is to keep the blinkers on rather than empower through greater knowledge.
> And, I would say, this does not bode well for the future. In fact, just look
> at the last twenty years and we get a good idea of where this is all heading.

Jeff
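The difference Jeff describes, that a captured password stays valid at every later run of the protocol and at other sites while a captured short-lived, audience-bound token does not, can be shown with a small model. The following is an added illustration and not code from this thread or from Claws Mail; the HMAC-signed token with `sub`/`aud`/`exp` claims, the `PasswordService`/`AuthorizationServer`/`TokenService` classes, the key and the password are all constructed stand-ins for a real authorization server and mail server.

```python
"""Model of password vs. short-lived bearer token under credential capture.

Added illustration, not code from the mailing-list thread or from Claws Mail.
The token format (HMAC-signed claims with 'sub', 'aud' and 'exp') is an
assumed stand-in for what a real authorization server issues; the services,
key and password below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json

TOKEN_LIFETIME = 600  # seconds; assumed short lifetime for the illustration


class PasswordService:
    """Service that authenticates with a long-lived shared secret (a password)."""

    def __init__(self, name, users):
        self.name = name
        self._hashes = {u: hashlib.sha256(p.encode()).hexdigest()
                        for u, p in users.items()}

    def login(self, user, password, now):
        # The password never rotates, so 'now' plays no role here.
        h = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(self._hashes.get(user, ""), h)


class AuthorizationServer:
    """Issues bearer tokens bound to one audience with a short expiry."""

    def __init__(self, key):
        self._key = key

    def issue(self, user, audience, now):
        claims = {"sub": user, "aud": audience, "iat": now,
                  "exp": now + TOKEN_LIFETIME}
        body = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


class TokenService:
    """Resource server (e.g. a mail server) that accepts bearer tokens."""

    def __init__(self, name, key):
        self.name = name
        self._key = key

    def login(self, user, token, now):
        try:
            body, sig = token.split(".")
        except ValueError:
            return False
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False
        claims = json.loads(base64.urlsafe_b64decode(body))
        # Bound to this audience and only valid until expiry.
        return (claims["sub"] == user and claims["aud"] == self.name
                and now < claims["exp"])


def simulate(capture_time=0, replay_delay=3600):
    """The user authenticates at capture_time and an observer records the
    credential. The recorded credential is replayed replay_delay seconds
    later at the original service and at a second service. Returns which
    replays succeed."""
    mail_pw = PasswordService("mail", {"alice": "hunter2"})
    other_pw = PasswordService("other", {"alice": "hunter2"})  # reused password
    key = b"constructed-key-shared-by-as-and-resource-servers"
    auth = AuthorizationServer(key)
    mail_tok = TokenService("mail", key)
    other_tok = TokenService("other", key)

    # Legitimate run of each protocol at capture_time.
    captured_pw = "hunter2"
    captured_tok = auth.issue("alice", "mail", capture_time)
    assert mail_pw.login("alice", captured_pw, capture_time)
    assert mail_tok.login("alice", captured_tok, capture_time)

    later = capture_time + replay_delay
    return {
        "password_same_site": mail_pw.login("alice", captured_pw, later),
        "password_other_site": other_pw.login("alice", captured_pw, later),
        "token_same_site": mail_tok.login("alice", captured_tok, later),
        "token_other_site": other_tok.login("alice", captured_tok, later),
        # The "small window of opportunity": within the token lifetime.
        "token_before_rotation": mail_tok.login("alice", captured_tok,
                                                capture_time + 60),
    }


if __name__ == "__main__":
    for outcome, ok in simulate().items():
        print(f"{outcome}: {'accepted' if ok else 'rejected'}")
```

Run as a script it prints that the replayed password is accepted at both sites an hour later, while the replayed token is accepted only at the original site and only within its lifetime. The audience check is what stops the token at the second site even though, in this simplified model, both resource servers share the signing key; a real deployment would also differ in keys and issuer validation.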
