# I am the Watcher. I am your guide through this vast new twtiverse.
#
# Usage:
# https://watcher.sour.is/api/plain/users View list of users and latest twt date.
# https://watcher.sour.is/api/plain/twt View all twts.
# https://watcher.sour.is/api/plain/mentions?uri=:uri View all mentions for uri.
# https://watcher.sour.is/api/plain/conv/:hash View all twts for a conversation subject.
#
# Options:
# uri Filter to show a specific user's twts.
# offset Start index for query.
# limit Count of items to return (going back in time).
#
# twt range = 1 19
# self = https://watcher.sour.is/conv/2xjdywq
@eaplmx probably something like that. It'd be so much easier *and* more secure though!
@abucci yeah, that would be great for a more secure digital life. Perhaps not easier at the start but easier with time.
Last year I wrote a bit on the subject, trying to put all interests together and aiming for a transition into a passwordless standard... We could start with our services tho
https://text.eapl.mx/promoting-the-use-of-dynamic-passwords
wow, I'm reading it again and it has a lot of spelling errors. Rather than that, I still have those ideas, if anyone here wants to discuss the topic.
ah, I recall that after writing that text I implemented a proof of concept for passwordless login on WebAuthn/passkeys.io which has worked well for me. I haven't tested with more users, so I don't know how well it'll be received.
I guess most mainstream browsers will follow that path.
@eaplmx I like your write up, thanks for sharing!
I think direct browser support of PAKE would be closest to ideal for me, but I can see that might not work for other people. I wonder if it's possible to make the authentication mechanism flexible enough to support different preferences while still being secure enough 🤔
@eaplmx One thing I worry about: in the US, law enforcement can take your devices and look through them if you are suspected of a crime, but they are usually not authorized to force you to reveal information you know, which includes passwords (I think there are more and more exceptions to this now, which is a worrying trend).
That means using a memorized password you don't store on a device is safer against intrusion by law enforcement, who are largely free to take private keys but cannot force you to reveal passwords. Many people don't need to worry so much about that kind of threat, but some do.
direct browser and web site support of PAKE is what I meant.
hmm, this is from 2011:
PAKE On The Web
A paper about using PAKE instead of passwords for *mutual* authentication on the web. Included an implementation!
@abucci yeah, I agree. It should be flexible and the user should choose the best set of advantages and disadvantages.
@eaplmx It's nice, but in the demo you still have to type a password! Since the password never leaves the computer, it could be removed from the flow entirely using the built-in password manager of the browser or, ideally to me, hidden from view entirely. Having a master password to open a "vault" of these OPAQUE passwords and then freely logging into web sites without ever dealing with password entry in login forms would be close to ideal for me. It's basically what I already do with my password manager, except significantly less awkward and also less vulnerable.
@eaplmx I've played with that. My big worry with that one is that I've seen people refer to Steve Gibson as a crackpot, and I have no way to confirm or deny a claim like that. FUD works unfortunately 😦