[OTR-users] new user, comments on authentication

Chad Perrin perrin at apotheon.com
Mon Nov 26 18:49:52 EST 2007


On Mon, Nov 26, 2007 at 06:38:32PM -0500, Ian Goldberg wrote:
> On Mon, Nov 26, 2007 at 04:11:50PM +0100, Michael Reichenbach wrote:
> > I did like the old way to authenticate. Go to plugin's preferences and 
> > check each others fingerprint, that way it's really secure.
> > 
> > The new "secret" is quite confusing, yes. A "password" would make more 
> > point, but however, I find it best to check the fingerprint.
> 
> But most people have no clue what a fingerprint is.  They have *some*
> clue what a secret is.  So I think we're better off.
> 
> That said, we're working on an actual user study of OTR right now.

Well . . . this user was pleasantly surprised by the inclusion of the
"shared secret" functionality.  I've only used it with one person thus
far, but that made it a lot easier to authenticate with someone more than
1500 miles away than to contact him by telephone and use military
phonetic alphabet to verify "fingerprints".  We briefly discussed the
idea of a shared secret, he said something about a fact nobody else would
have known, and boom -- we were authenticated.

If there's a "better" way to explain it so people more intuitively grasp
the concept, that's great.  Go for it.  I didn't have any trouble with it
at all, and neither did my friend.  For the sake of not wanting to screw
up, we just agreed to a particular letter case scheme, assuming it was
case sensitive.  No confusion.

It's just one data point, but as far as I'm concerned it works.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Amazon.com interview candidate: "When C++ is your hammer, everything starts
to look like your thumb."


