So Livejournal implemented their own challenge-handshake auth: https://www.livejournal.com/doc/server/ljp.csp.auth.challres.... Unfortunately it requires storing a plain-text equivalent of the password on the server.
Seems to have worked fine through the years, but they used it well past its "best before" date.
(SRP - http://srp.stanford.edu/, PAKE - https://en.wikipedia.org/wiki/Password-authenticated_key_agr...)
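The point about the "plain-text equivalent" is easier to see in code. The sketch below is an added example, not code from the comment thread or from LiveJournal; it assumes a simplified scheme of the kind described, where the response is MD5(challenge + MD5(password)) and the server keeps MD5(password). Because the server must hold exactly the value the client derives, that stored record is enough to answer any challenge, so a leaked user table is as bad as a leaked password list. The salted-hash server beside it shows the contrast: verification needs the password itself, and the stored record alone cannot satisfy the login.

```python
import hashlib
import hmac
import os
import secrets


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def client_response(password_hash: str, challenge: str) -> str:
    # Client side of the assumed scheme: MD5(challenge + MD5(password)).
    # Note that the client only needs MD5(password), never the password itself.
    return md5_hex((challenge + password_hash).encode())


class ChallengeResponseServer:
    """Server for the challenge/response scheme. Stores MD5(password) per user."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}   # username -> MD5(password): a password-equivalent
        self.issued: set[str] = set()     # outstanding challenges, each usable once

    def register(self, user: str, password: str) -> None:
        self.users[user] = md5_hex(password.encode())

    def issue_challenge(self) -> str:
        # Constructed: a random single-use challenge (the real protocol adds expiry metadata).
        challenge = secrets.token_hex(16)
        self.issued.add(challenge)
        return challenge

    def verify(self, user: str, challenge: str, response: str) -> bool:
        if challenge not in self.issued:
            return False                  # unknown or already-used challenge: reject replay
        self.issued.discard(challenge)
        stored = self.users.get(user)
        if stored is None:
            return False
        # The server recomputes the response from its stored record. That is the whole
        # problem: whoever holds `stored` can produce the same value for any challenge.
        expected = client_response(stored, challenge)
        return hmac.compare_digest(expected, response)


class SaltedHashServer:
    """Contrast: password sent over an encrypted channel, server stores a salted scrypt hash."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, self._derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        record = self.users.get(user)
        if record is None:
            return False
        salt, digest = record
        # Verification requires the password; the stored (salt, digest) pair alone is not enough.
        return hmac.compare_digest(self._derive(password, salt), digest)
```

The scheme still has one property worth keeping, the single-use challenge that blocks replay of a captured response; SRP and other PAKEs keep that property while letting the server store a verifier that is not password-equivalent.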
Good to know
While everyone recommends turning on 2FA everywhere, I’m increasingly convinced we’d all be safer if the password was the second, optional factor.
Yes! Why can I not always log in via an emailed token, secured by a TOTP? It would set a cookie, so no different in UX once you’re in, and that’s the normal “forgot password” flow, so no different in terms of security. But it would remove the need for me to constantly be opening up various password generation toolkits and resetting passwords, etc.
I do not see how this works in the context of other humans.
Only way I see this kind of working is if you’re cracking the passwords offline.
For people aware of the breaches problem, like most of us here, it won’t, because it’s been a long time since we used the same password twice.
But for everyone else...