[OTR-users] new user, comments on authentication

Harlan Iverson h.iverson at gmail.com
Sun Nov 25 18:20:59 EST 2007


Hi,
I am a new OTR user and have shared it with a few of my privacy conscious
friends. Overall, getting it going using Pidgin has been an extremely smooth
experience, but one hiccup has been explaining authentication. The two
people I use OTR with now are 'authenticated', but only in that we have
confirmed each other's keys (advanced > [I Have] ...); when I mentioned
authenticating using some secret that we both know, like the name of a place
that fits some description, they became confused. If privacy conscious
hackers don't understand without reading a lot of documentation, I think
there is a weakness in usability.

For my friends, they just 'knew' at the time that they were talking to me,
so authenticating using a shared secret was not something that they cared to
investigate further. Confirming the key was 'good enough' to make the icon
say "OTR: Private". If authentication were more streamlined and explained in
the GUI (smaller learning curve), chances are we would have used a shared
secret. It may seem like a pebkac issue, but really if the goal is to get
people to take full advantage of OTR it needs to be addressed.

My initial thoughts are to make sort of a wizard that runs each time OTR is
used with an unverified client. Prompt the person initiating the
conversation to enter some text that the other person can derive the shared
secret from, for example "The name of the place we spilled the iced tea all
over the waiter", and the receiver would then be prompted for the shared
secret when they receive the message. For usability's sake, I also think it
would be beneficial to give the option to ignore case/space/punctuation
in the answer (convert secret to lower case, eliminate spaces and
punctuation).

Thoughts?
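As an added illustration of the proposal above (this is example code written for this page, not code from the post's author or from the OTR project), the script below walks through both halves of the idea: the canonicalisation of the answer (lower case, spaces and punctuation dropped) and a comparison of the two answers in the style of the Socialist Millionaires' Protocol that OTR uses for shared-secret authentication, so that neither side ever sends its answer, or a hash of it, to the other. The group parameters are a small toy safe prime generated at start-up purely for readability, not OTR's real 1536-bit group; the zero-knowledge proofs and session binding of the real protocol are omitted, and folding the question into the hashed exponent and using Unicode NFKC are assumptions of this example, not anything the post specifies.

```python
"""Toy OTR-style shared-secret authentication: canonical answer + SMP-style compare.
Added example, not OTR project code. Toy group, honest parties, no ZK proofs."""
import hashlib
import secrets
import string
import unicodedata


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24 (well above our toy size)."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    if n in small:
        return True
    if any(n % s == 0 for s in small):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_safe_prime(start: int = 1 << 62) -> tuple[int, int, int]:
    """Return (p, q, g): first safe prime p = 2q + 1 with q >= start, and g = 4,
    a quadratic residue (so it lies in the prime-order-q subgroup and generates it).
    Toy size only; a real deployment uses a standardised large group."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    return p, q, pow(2, 2, p)


P, Q, G = toy_safe_prime()


def normalise_answer(answer: str) -> str:
    """Canonicalise as the post proposes: lower case, drop spaces and punctuation.
    NFKC folding is an added assumption so typographic variants fold too."""
    folded = unicodedata.normalize("NFKC", answer).lower()
    return "".join(
        ch for ch in folded
        if not ch.isspace()
        and ch not in string.punctuation
        and not unicodedata.category(ch).startswith("P")
    )


def answer_to_exponent(question: str, answer: str) -> int:
    """Hash (question, canonical answer) to an exponent mod Q. Binding the question
    is an assumption of this example; it stops an answer being replayed elsewhere."""
    data = question.encode() + b"\x00" + normalise_answer(answer).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, Q-1]


def smp_compare(x: int, y: int) -> bool:
    """Socialist Millionaires' comparison of Alice's x and Bob's y.
    Each side learns only whether x == y; a mismatch reveals nothing else."""
    # Step 1: jointly derive fresh generators g2 = g^(a2*b2), g3 = g^(a3*b3).
    a2, a3, b2, b3 = rand_exp(), rand_exp(), rand_exp(), rand_exp()
    g2a, g3a = pow(G, a2, P), pow(G, a3, P)      # Alice -> Bob
    g2b, g3b = pow(G, b2, P), pow(G, b3, P)      # Bob -> Alice
    g2, g3 = pow(g2b, a2, P), pow(g3b, a3, P)    # Alice's view
    assert (g2, g3) == (pow(g2a, b2, P), pow(g3a, b3, P))  # Bob computes the same
    # Step 2: each side blinds its secret: P_ = g3^blind, Q_ = g^blind * g2^secret.
    s, r = rand_exp(), rand_exp()
    pa, qa = pow(g3, s, P), pow(G, s, P) * pow(g2, x, P) % P   # Alice -> Bob
    pb, qb = pow(g3, r, P), pow(G, r, P) * pow(g2, y, P) % P   # Bob -> Alice
    # Step 3: each side raises Qa/Qb to its own a3 / b3 share and exchanges it.
    qa_over_qb = qa * pow(qb, -1, P) % P
    ra, rb = pow(qa_over_qb, a3, P), pow(qa_over_qb, b3, P)
    # Step 4: combining shares gives g^(a3*b3*(s-r)) * g^(a2*b2*a3*b3*(x-y)),
    # while Pa/Pb = g^(a3*b3*(s-r)); they match exactly when x == y (mod Q).
    rab = pow(rb, a3, P)
    assert rab == pow(ra, b3, P)
    return rab == pa * pow(pb, -1, P) % P


def authenticate(question: str, alice_answer: str, bob_answer: str) -> bool:
    """The flow from the post: initiator poses a question, both sides type an
    answer, answers are canonicalised and compared without being disclosed."""
    return smp_compare(answer_to_exponent(question, alice_answer),
                       answer_to_exponent(question, bob_answer))


if __name__ == "__main__":
    q = "The name of the place we spilled the iced tea all over the waiter"
    print(authenticate(q, "Joe's Diner", "joes diner"))    # same answer, different typing
    print(authenticate(q, "Joe's Diner", "Joe's Bistro"))  # different answer
```

The canonicalisation slightly shrinks the answer space, which is why the comparison step matters: because neither side ever transmits the answer or a digest of it, a wrong guess by whoever is on the other end only yields a single yes/no bit per attempt rather than material for offline guessing, so the normalised, low-entropy answers the post has in mind remain usable.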