re: Web Authentication for Actual Humans, Part Two

 

Thank you for the great series, Greg.

I have a question regarding "Something you do".

You might then ask yourself, “Then that’s something I am, right? I’m a user of that third party.” But remember that form of authentication relies on physical things about you that are nigh impossible to impersonate. In addition, you might use those things to authenticate with the third party, but the important part of this method is that you use that third party. This is why I consider OAuth to be a form of “Something you do” authentication.

So is the "do" part associated with "use" in "you might use those things to authenticate with the third party"?

I am still unable to grasp how OAuth is something you "do", not what you "are".

 

That's probably a bit less clear than I intended. Essentially, I feel that OAuth is something you do because the thing you do is authenticate with some trusted third party. It's not enough that you're just a user of that third party; you have to actually authenticate with them to prove that you are who you say you are.

 

Ah, I see. Thank you for the clarification there 👊

So you have to "do" some actual work to prove that you are who you say you are.

Right, and you're doing it in a third party's application, which is where the distinction comes from, IMO.
