ubuntu-phone team mailing list archive

[Rodney Dawes <rodney.dawes@xxxxxxxxxxxxx>]

On Mon, 2014-09-01 at 15:51 -0300, Ricardo Kirkner wrote:
> The main reason we ask for password confirmation during purchases is
> that we want to ensure that the account owner is actually still behind
> the phone and to prevent unlocked phone's abuse (on purchases
> specifically).
> 
> With that in context, and given how other platforms support purchases
> from the phone (thinking about Google and Amazon doing 1-click
> purchases) we could get rid of token refresh in 2 ways
> 
> 1. Use a different token for login and purchases (this would allow the
> user to invalidate each of those independently). The purchase token
> could have a larger TTL (like 99 years :)) than the login token.

This would require either a separate plug-in for online-accounts, or
storing the secondary token in some other, possibly insecure, manner. I
don't think either of those are good solutions. It significantly
increases complexity of the system, and reduces usability by requiring
the user to do the exact same twice, to work around an issue in the
system.

> 2. We could still use the same token, and still require the user to
> authenticate by locking the keyring with an unrelated un simpler
> password maybe (eg, using the phone's unlocking PIN?; this would
> require to do something similar for the dash/desktop though)

I don't think we can do this reasonably well. The lock screen can be set
to require nothing (just swipe), PIN, or a passphrase. The server also
wouldn't (and shouldn't) know what they were, so it's not particularly
reliable, as we could only verify locally, which is not useful if the
phone is already compromised.