briar / Issues / #257 (Closed)
Issue created Feb 22, 2016 by Ernir Erlingsson (@ernir, Contributor)

Consider offering user validation alternatives

Currently we are only validating users with text strings, but text input, especially on small mobile devices, is little fun, and for that reason some users might choose comfort, with a short password, over security. There are several possibilities available to tackle this "problem":

1. Offer more user validation possibilities besides using a password, e.g. use the device's fingerprint sensor if available.

This will only work for one account, though; if a user has multiple accounts, we will need to offer some way for the user to define which account is using his fingerprint.

2. Define access layers with different security restrictions

This is much trickier and maybe not desirable at all, but I feel there is sufficient discussion merit nonetheless. Currently Briar employs a single access restriction on a per-account basis, i.e. you either have access to everything (for the respective account) or to nothing, depending on your knowledge of the password.

Another approach would be to have multiple access levels, e.g. you enter the app with a four-digit PIN that gives you access to the app, but in order to communicate with extra-secure users (this could be marked when contacts are added) you must first confirm your password on a session basis. Here we would need to make sure that the security restriction on the communication between contacts A and B is identical, i.e. both parties would be required to confirm their passwords in order to communicate.
