
Unified asking for password experience

mgraesslin
KDE Developer
Hi VDG,

this is something I discussed already with Thomas, but of course we want more input.

I would like to have a unified asking for password experience. The user should know that when the system asks for a password, it's the system asking and not a generic application faking something.

When is the system asking for passwords?
  • Polkit
  • KDE Wallet
  • KDEsu/kdesudo
  • (Lock screen)

Some of the current problems with it:
  • Password dialogs are not identified by KWin and might get stacked below
  • KWin cannot prevent focus stealing from a password dialog
  • The user cannot recognize that it's the system asking for a password
  • In most cases (except polkit) it's not obvious for the user why the user is being asked for the password
  • Key loggers through X11 possible
  • Key loggers through ptrace possible (some are fixed)

The second last item (X11 key loggers) is fixable, but only if we have a unified experience. Random applications trying to "fix it" will destroy the user experience. But we can get it right without having to wait for Wayland.
louis94
Registered Member
fabianr
Registered Member
See also
viewtopic.php?f=285&t=123258&start=30
The thread started about secure fullscreen applications, but a lot of the points are valid for password dialogs too.

That's what I wrote then about password dialog authentication:
How to prevent the user from entering her password into a malicious/fake password dialog
(e.g. faking a login screen, screen locker, packagekit authorization, ...).

To prevent this, any honest password dialog should authenticate itself to the person in front of the PC.
Wikipedia lists three categories of authentication:
- knowledge: something the user knows
- ownership: something the user has
- inherence: something the user is

Since the system wants to authenticate itself to the person in front of the PC, the system or the password dialog would be the user in this scenario.

Knowledge should be the easiest of the categories to implement, at least without some special hardware. So with every password dialog the system needs to authenticate itself to the person in front of the PC with something only the system and the user know,
e.g. a picture, a 4-digit number, a short sentence.

- the secret must not be available to other programs (this includes screen capture)
- the secret should be easily recognizable for a human
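A small model of the "knowledge" scheme sketched above, added here as an example and not code from the thread or from any KDE component: the trusted prompt loads a user-chosen recognition secret only if the file holding it is not readable by other processes in the session, and then shows it together with who is asking and why. The file path, the `demo()` helper and the sample secret "blue teapot 4711" are constructed for this example; a real deployment would keep the secret behind a privileged service, not a plain file.

```python
import os
import stat
import tempfile


def load_prompt_secret(path, expected_uid=0):
    """Read the recognition secret, refusing if any other program could read it too.
    expected_uid is an assumption of this example (a real system would use a
    privileged owner such as root, uid 0)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
        raise PermissionError("secret must be a regular file, not a symlink")
    if st.st_uid != expected_uid:
        raise PermissionError("secret file is owned by the wrong user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("secret file is readable by group or others")
    with open(path) as f:
        return f.read().strip()


def build_prompt(secret, requester, reason):
    """Assemble the dialog text: the secret proves 'this is the system',
    requester and reason tell the user who wants the password and for what."""
    text = "\n".join([
        f"Your recognition secret: {secret}",
        f"{requester} is asking for your password",
        f"Reason: {reason}",
    ])
    return {"secret": secret, "requester": requester, "reason": reason, "text": text}


def demo():
    """Constructed demo: a correctly protected secret file versus one that a
    stray session process could read. Returns (prompt, rejected_leaky_file)."""
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "good"), os.path.join(d, "bad")
    for p, mode in ((good, 0o600), (bad, 0o644)):
        with open(p, "w") as f:
            f.write("blue teapot 4711\n")
        os.chmod(p, mode)
    me = os.getuid()
    prompt = build_prompt(load_prompt_secret(good, me), "PackageKit", "install updates")
    try:
        load_prompt_secret(bad, me)
        rejected = False
    except PermissionError:
        rejected = True
    return prompt, rejected
```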
