On Sun, Nov 30, 2014 at 2:58 PM, Alfie John <[1]alfiej@fastmail.fm> wrote:

> I think a better solution would be something like implementing Digest
> Authentication (RFC 2069, but replacing MD5 with something like AES-256
> and allow it to be upgradable) in the browser. The password field value
> would then be replaced with the value from the DA call and no secrets
> would be leaked. This solution would get way faster adoption.

There's also the FIDO Alliance's Universal Authentication Factor:

[2]http://fidoalliance.org/specs/fido-uaf-overview-v1.0-rd-20140209.pdf

--
Tony Arcieri

References

1. mailto:alfiej@fastmail.fm
2. http://fidoalliance.org/specs/fido-uaf-overview-v1.0-rd-20140209.pdf