"Trust on first use" - TOFU

TOFU is used as an authentication scheme in which the sender assumes that the first recipient to react is the legitimate one, and that attacks, if any, only happen afterwards. Whoever gets hold of the first message can therefore claim the identity (a comparatively risky security policy!).

As a variant, the recipient must first confirm possession of a mobile device by entering an SMS verification code before messages with TOFU status are delivered; that number is logged. In case of abuse, a logged mobile number gives a better chance of identifying the culprit after the fact ("ex post") than an e-mail address alone.

For more information see: Trust on first use on Wikipedia https://en.wikipedia.org/wiki/Trust_on_first_use

Sending Message as TOFU

As a sender, you achieve “simple TOFU” by putting the following tags in the subject of your message:

   <muc:nomuc><mustRegister>

For the better odds at “forensics” described above, i.e. SMS confirmation of the recipient's mobile number, additionally add this tag to the subject:

   <tofuSms>
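As an added example (not PrivaSphere's own code), the following Python builds a message carrying these subject tags and, on the receiving side, recognises them. The tag strings are the ones listed above; the function names, the rule that both <muc:nomuc> and <mustRegister> must be present for “simple TOFU”, and the stripping of the tags from the displayed subject are assumptions made for illustration.

```python
# Added example: composing and recognising TOFU subject tags.
# Not PrivaSphere code; tag strings are from the page, everything else is assumed.
import re
from email.message import EmailMessage

TAG_NOMUC = "<muc:nomuc>"
TAG_MUST_REGISTER = "<mustRegister>"
TAG_TOFU_SMS = "<tofuSms>"

# Matches any of the three tags; the group is non-capturing so findall returns whole tags.
_TAG_RE = re.compile(r"<(?:muc:nomuc|mustRegister|tofuSms)>")


def tofu_subject(subject, sms=False):
    """Prefix a subject with the tags for simple TOFU, optionally adding <tofuSms>."""
    tags = TAG_NOMUC + TAG_MUST_REGISTER
    if sms:
        tags += TAG_TOFU_SMS
    return tags + subject


def compose(sender, recipient, subject, body, sms=False):
    """Build the outgoing message; hand the result to smtplib or your MTA of choice."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = tofu_subject(subject, sms)
    msg.set_content(body)
    return msg


def classify(subject):
    """Receiving side (assumed behaviour): which tags are present and the cleaned subject.

    'tofu' is True only when both simple-TOFU tags are present; 'sms_required'
    reflects <tofuSms>; 'display_subject' is the subject with all tags removed.
    """
    found = set(_TAG_RE.findall(subject))
    return {
        "tofu": TAG_NOMUC in found and TAG_MUST_REGISTER in found,
        "sms_required": TAG_TOFU_SMS in found,
        "display_subject": _TAG_RE.sub("", subject).strip(),
    }
```

Tags are matched exactly and case-sensitively; a partial tag such as <muc:nomuc> alone does not classify as simple TOFU under the assumption above.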

Receiving Message as TOFU

If your email address is already registered on the PrivaSphere platform, the mail you received contains a link that redirects you to a login form, where you authenticate with your password and your mobile number.

If your email address is not yet registered on the PrivaSphere platform, the mail you received contains a link that redirects you to a registration form. On the first page you choose a password; after you have agreed to our Terms of Service on the second page, you enter your user data, including a mobile number.

After confirming your inputs you are taken to the TOFU authentication page. At the same time a 6-character code is sent to the mobile number you entered, which you have to type in on this page.

The TOFU authentication page has the following elements:

1. Input field for the code you received
2. Resend: after 2 wrong attempts or 30 seconds you can send yourself a new code
3. Checkbox: use the entered phone number as the phone number for password recovery
4. Button: confirm the authentication with TOFU

Once your code is valid and confirmed, you will be redirected to your inbox on the PrivaSphere platform, where you can read the message you received.
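The code step described above (issue a 6-character code, count wrong attempts, offer a resend after 2 wrong attempts or 30 seconds, accept the code once, then confirm with the password-recovery choice), as a server-side model in Python. This is an added example and not PrivaSphere's code: the page supplies the code length and the resend rule; the digit alphabet, the 10-minute code lifetime, the lockout after 5 wrong codes, the constant-time comparison, the SMS-gateway hook and all names are assumptions made for illustration.

```python
# Added example: server-side model of the SMS code step of TOFU authentication.
# Not PrivaSphere code; numbers marked "from the page" come from the text, the rest is assumed.
import hmac
import secrets
import string
import time

CODE_LENGTH = 6                # from the page
RESEND_AFTER_FAILURES = 2      # from the page
RESEND_AFTER_SECONDS = 30.0    # from the page
CODE_ALPHABET = string.digits  # assumption: numeric code
CODE_LIFETIME_SECONDS = 600.0  # assumption: a code is valid for 10 minutes
MAX_FAILURES = 5               # assumption: after 5 wrong codes only a fresh code helps


def generate_code(length=CODE_LENGTH):
    """The code is a credential: draw it from secrets, never from random."""
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))


class SmsVerification:
    """One pending code for the mobile number entered on the register form."""

    def __init__(self, mobile, clock=time.monotonic, send_sms=lambda number, code: None):
        self.mobile = mobile
        self._clock = clock         # injectable so the flow can be driven deterministically
        self._send_sms = send_sms   # hook for the SMS gateway (assumed interface)
        self._code = None
        self._issued_at = 0.0
        self._failures = 0
        self.verified = False
        self.issue_code()

    def issue_code(self):
        """Generate and send a fresh code; the previous one stops working."""
        self._code = generate_code()
        self._issued_at = self._clock()
        self._failures = 0
        self._send_sms(self.mobile, self._code)

    def can_resend(self):
        """Page rule: a new code may be requested after 2 wrong attempts or 30 seconds."""
        return (self._failures >= RESEND_AFTER_FAILURES
                or self._clock() - self._issued_at >= RESEND_AFTER_SECONDS)

    def resend(self):
        if self.verified or not self.can_resend():
            return False
        self.issue_code()
        return True

    def verify(self, submitted):
        """One attempt; returns 'ok', 'wrong', 'expired', 'locked' or 'used'."""
        if self.verified:
            return "used"  # a code is accepted once only
        if self._clock() - self._issued_at > CODE_LIFETIME_SECONDS:
            return "expired"
        if self._failures >= MAX_FAILURES:
            return "locked"
        # Constant-time comparison: a plain == would leak through timing how
        # many leading digits of a guess were right.
        if hmac.compare_digest(submitted.strip().encode(), self._code.encode()):
            self.verified = True
            self._code = None
            return "ok"
        self._failures += 1
        return "wrong"

    def confirm(self, use_for_password_recovery):
        """Step 4: the record kept after TOFU authentication, or None if not verified."""
        if not self.verified:
            return None
        recovery = self.mobile if use_for_password_recovery else None
        return {"mobile": self.mobile, "recovery_number": recovery}


def walkthrough():
    """Runs the flow from the page against a manual clock; returns what was observed."""
    now, sent = [0.0], []                          # manual clock and captured SMS codes
    v = SmsVerification("+41 79 000 00 00", clock=lambda: now[0],
                        send_sms=lambda number, code: sent.append(code))
    out = {"resend_before_rules": v.resend()}      # no failures yet, 0 s elapsed
    out["first_wrong"] = v.verify("xxxxxx")        # letters never match a digit code
    out["resend_after_one"] = v.can_resend()
    out["second_wrong"] = v.verify("xxxxxx")
    out["resend_after_two"] = v.resend()           # second code goes out, counter resets
    out["codes_sent"] = len(sent)
    now[0] = 31.0
    out["resend_after_30s"] = v.can_resend()
    out["accepted"] = v.verify(sent[-1])           # current code, as the user types it
    out["replay"] = v.verify(sent[-1])
    out["record"] = v.confirm(use_for_password_recovery=True)
    stale = SmsVerification("+41 79 000 00 01", clock=lambda: now[0])
    now[0] += CODE_LIFETIME_SECONDS + 1
    out["expired"] = stale.verify("xxxxxx")
    return out
```

Two details matter beyond the page's rule: a resend must invalidate the old code (otherwise an attacker who saw the first SMS keeps a valid credential), and the wrong-attempt counter must reset only when a new code is issued, not when the user reloads the page.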