

Forget Passwords.Use JAR - moujan
https://www.kickstarter.com/projects/itisonyou/forget-passwords-use-jar

======
nly
> We sign the request from service providers like Kickstarter by
> authenticating trustworthy partners with unique certificates, to make sure
> that not the fraudulent website "Kikkstarter" requests John's data

> If the signature of Kickstarter's request is valid

So how exactly does the JAR learn Kickstarter's public key? Is this based on
PKI or pinning/caching? Where's the trust anchor here?

Also it's not clear without a protocol specification whether this provides
complete mutual authentication of ephemeral sessions (otherwise active
MITM/spoofing is still going to be possible). Several round-trips to the
server will typically be required to guarantee this.

> If you lose your JAR, you can call us or go online to deactivate it.

So the company behind JAR can deactivate my device. And if they go bankrupt?
What if they get hacked? How do I authenticate myself on their website to
deactivate my JAR? I can't use my JAR because, well, I've lost my JAR. So do I
use a password?

What makes this better than Clef[0], which is a free app and based on a
similar rudimentary RSA-signed challenge-response protocol?

> If you purchase a JAR, we store your personal information on our server

Why?

> The customer target price is €99.

You really think people are going to pay this much when many new devices are
already shipping with fingerprint readers built-in? Where's your business
model if every laptop and every phone is shipping with a fingerprint reader in
5 years time? And are you aware the next series of Intel CPUs contain built-in
OTP (one-time password) code generation specifically for two factor
authentication? These won't even need browser plugins or peripherals because
the technology will be accessible to software directly.

[0] [https://getclef.com/](https://getclef.com/)
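To make the trust-anchor and replay questions above concrete, here is an added example (not code from the JAR project, whose protocol is not published on this page) of a minimal signed challenge-response in Go using only the standard library. The origin names, device ID and Ed25519 keys are constructed for the example; the "pin" table plays the role of the trust anchor the comment asks about: the device only answers requests whose origin it has a pinned key for, and the response is bound to that origin and to the request's nonce.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

var (
	ErrUnknownOrigin = errors.New("origin not in trust anchors")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrStale         = errors.New("request timestamp outside allowed skew")
	ErrReplay        = errors.New("nonce already answered")
)

// Request is what a relying party (RP) sends to the device. Origin names the RP;
// the device looks it up in its pinned anchors, so a lookalike origin with its
// own key is never consulted, and a lookalike claiming the real origin fails the
// signature check against the pinned key.
type Request struct {
	Origin string
	Nonce  [16]byte
	Issued int64 // unix seconds, lets the device reject stale requests
	Sig    []byte
}

// Response binds the device's answer to the exact origin and nonce it saw.
type Response struct {
	DeviceID string
	Origin   string
	Nonce    [16]byte
	Sig      []byte
}

// Both sides sign a domain-separated encoding (NUL-separated fields; this toy
// assumes origins and IDs contain no NUL byte).
func requestBytes(origin string, nonce [16]byte, issued int64) []byte {
	b := append([]byte("jar-req-v0\x00"+origin+"\x00"), nonce[:]...)
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, uint64(issued))
	return append(b, ts...)
}

func responseBytes(deviceID, origin string, nonce [16]byte) []byte {
	return append([]byte("jar-resp-v0\x00"+deviceID+"\x00"+origin+"\x00"), nonce[:]...)
}

type RelyingParty struct {
	Origin string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
}

func NewRelyingParty(origin string) *RelyingParty {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &RelyingParty{Origin: origin, Pub: pub, priv: priv}
}

func (rp *RelyingParty) NewRequest(now time.Time) Request {
	var nonce [16]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		panic(err)
	}
	issued := now.Unix()
	return Request{Origin: rp.Origin, Nonce: nonce, Issued: issued,
		Sig: ed25519.Sign(rp.priv, requestBytes(rp.Origin, nonce, issued))}
}

// VerifyResponse checks the device answered this RP's own request (same origin
// and nonce) with the key the RP enrolled for that device.
func (rp *RelyingParty) VerifyResponse(req Request, resp Response, devicePub ed25519.PublicKey) error {
	if resp.Origin != rp.Origin || resp.Nonce != req.Nonce ||
		!ed25519.Verify(devicePub, responseBytes(resp.DeviceID, resp.Origin, resp.Nonce), resp.Sig) {
		return ErrBadSignature
	}
	return nil
}

type Device struct {
	ID      string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	anchors map[string]ed25519.PublicKey // trust anchor: origin -> pinned RP key
	seen    map[[16]byte]bool            // nonces already answered (replay guard)
	maxSkew time.Duration
}

func NewDevice(id string) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{ID: id, Pub: pub, priv: priv, anchors: map[string]ed25519.PublicKey{},
		seen: map[[16]byte]bool{}, maxSkew: 2 * time.Minute}
}

func (d *Device) Pin(origin string, pub ed25519.PublicKey) { d.anchors[origin] = pub }

func (d *Device) Answer(req Request, now time.Time) (Response, error) {
	pub, ok := d.anchors[req.Origin]
	if !ok {
		return Response{}, ErrUnknownOrigin
	}
	if !ed25519.Verify(pub, requestBytes(req.Origin, req.Nonce, req.Issued), req.Sig) {
		return Response{}, ErrBadSignature
	}
	if age := now.Sub(time.Unix(req.Issued, 0)); age > d.maxSkew || age < -d.maxSkew {
		return Response{}, ErrStale
	}
	if d.seen[req.Nonce] {
		return Response{}, ErrReplay
	}
	d.seen[req.Nonce] = true
	return Response{DeviceID: d.ID, Origin: req.Origin, Nonce: req.Nonce,
		Sig: ed25519.Sign(d.priv, responseBytes(d.ID, req.Origin, req.Nonce))}, nil
}

// Demo runs one honest exchange, a lookalike origin, a lookalike spoofing the
// real origin with its own key, and a replay of the honest request.
func Demo() (honest, lookalike, spoofed, replay error) {
	now := time.Now()
	site, fake, dev := NewRelyingParty("kickstarter.example"), NewRelyingParty("kikkstarter.example"), NewDevice("jar-0001")
	dev.Pin(site.Origin, site.Pub) // the only trust anchor this device holds
	req := site.NewRequest(now)
	resp, err := dev.Answer(req, now)
	if err == nil {
		err = site.VerifyResponse(req, resp, dev.Pub)
	}
	honest = err
	_, lookalike = dev.Answer(fake.NewRequest(now), now)
	sp := fake.NewRequest(now)
	sp.Origin = site.Origin // claims to be the real site, but signed with fake's key
	_, spoofed = dev.Answer(sp, now)
	_, replay = dev.Answer(req, now)
	return
}

func main() {
	h, l, s, r := Demo()
	fmt.Println("honest:", h, "| lookalike:", l, "| spoofed:", s, "| replay:", r)
}
```

What this does not show is the part of the comment about active MITM: the response is bound to the RP's name and nonce, not to the TLS session it travels over, so a relay that forwards an honest request and response unchanged is still possible without some channel binding. It also leaves open how the pin table is populated in the first place (PKI, first-use caching, or vendor distribution), which is exactly the trust-anchor question the comment raises.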

------
l00remipsum
This is great!

