Let's say I wanted to cryptographically associate two unrelated things like an SSN and a Phone # to a single person's email such that knowledge of either the SSN or Phone # leads to a 2FA access granted type of situation through the email. Would it make sense to concatenate the email and entity then use SHA3 to create a hash?
H(A || B)
f... — 9:45 AM
That could work, if I understand you correctly and "entity" would either be SSN or phone number, but I would warn you against doing so, as there are numerous data breaches and simply freely available data which associate phone number and email
[9:46 AM]
If you combine clicking on a link in a verification email and requiring knowledge of one of those details, then it would be fine (edited)
W... — 9:48 AM
I figured the 2FA might compensate for that in a local development scenario. Sweet man, at least I wasn't too far off with my morning coffee run thought.
Conrad "luscious locks" Ludgate — 9:50 AM
at the very least, you would need a better encoding - length prefixes likely
[9:50 AM]
additionally, definitely add a salt and definitely add multiple hash rounds. SSN and phone numbers are low entropy
f... — 9:51 AM
Also, I think using a password hash function might be a better idea than SHA3 because phone numbers can be a bit low entropy (esp. if you factor in that extwitter simply shows you the last two digits of associated phone numbers, plus the first few are very easy to guess)