
NIST recommendations

Open danschultzer opened this issue 5 years ago • 0 comments

I want to dive more into the NIST 800 63b recommendations to update docs and defaults in Pow. Of particular interest:

  • Recommendation for Balloon hashing 5.1.1.2
    • I prefer Argon2 a lot more than PBKDF2, but maybe Balloon could be a good default? Bcrypt is recommended by OWASP.
  • Out-of-Band devices 5.1.3
    • E-mail is not an out-of-band device, and is insecure to use. I would like to dive more into password reset and invitation, and maybe move over to a less email-centric approach, e.g. have a notifier module that MAY be email but also could be push notifications, etc.
  • Lost password handling 6.1.2.3

There's more, but I'm pretty busy these weeks so I'll update this issue later on as I have more time to dive into it and think about what's appropriate for Pow.

I also want to think more about memorized secrets and how moving over to a more general authentication approach could make it easier with WebAuthn (#6) or passwordless auth approach.

danschultzer · Apr 05 '20 17:04
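For readers following the "Balloon hashing" item in the issue, the following is an added example (not Pow's code and not the issue author's) transcribing the single-threaded Balloon algorithm from the Boneh/Corrigan-Gibbs/Schechter paper into Python with SHA-256 as the underlying hash. The `$balloon$...` storage format, the default cost parameters and the function names are assumptions made for this illustration; a real deployment would use a vetted library implementation.

```python
import hashlib
import hmac
import os

DELTA = 3  # salt-dependent blocks mixed into each block per round (paper default)


def _h(counter: int, *parts: bytes) -> bytes:
    """SHA-256 over an 8-byte little-endian counter followed by the given parts."""
    md = hashlib.sha256(counter.to_bytes(8, "little"))
    for part in parts:
        md.update(part)
    return md.digest()


def balloon(password: bytes, salt: bytes, space_cost: int, time_cost: int) -> bytes:
    """Balloon hash: space_cost 32-byte blocks held in memory, time_cost mixing rounds."""
    cnt = 0
    buf = [b""] * space_cost
    # Step 1: expand password and salt into the buffer, each block chained to the previous one.
    buf[0] = _h(cnt, password, salt)
    cnt += 1
    for m in range(1, space_cost):
        buf[m] = _h(cnt, buf[m - 1])
        cnt += 1
    # Step 2: mix. Each block absorbs its predecessor plus DELTA pseudo-randomly chosen
    # blocks (indices derived from the salt), which is what forces the memory-hardness.
    for t in range(time_cost):
        for m in range(space_cost):
            prev = buf[(m - 1) % space_cost]
            buf[m] = _h(cnt, prev, buf[m])
            cnt += 1
            for i in range(DELTA):
                idx_block = b"".join(x.to_bytes(8, "little") for x in (t, m, i))
                other = int.from_bytes(_h(cnt, salt, idx_block), "little") % space_cost
                cnt += 1
                buf[m] = _h(cnt, buf[m], buf[other])
                cnt += 1
    # Step 3: the final block is the output.
    return buf[space_cost - 1]


def hash_password(password: str, space_cost: int = 1024, time_cost: int = 3) -> str:
    """Hypothetical storage format: $balloon$s=<space>,t=<time>$<salt hex>$<digest hex>."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = balloon(password.encode(), salt, space_cost, time_cost)
    return f"$balloon$s={space_cost},t={time_cost}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, _, params, salt_hex, digest_hex = stored.split("$")
    s, t = (int(kv.split("=")[1]) for kv in params.split(","))
    candidate = balloon(password.encode(), bytes.fromhex(salt_hex), s, t)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant-time compare
```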