
HTTP Origin-Bound Authentication (HOBA)

Document type: Replaced Internet-Draft (candidate for httpauth WG); expired & archived
Authors: Stephen Farrell, Paul E. Hoffman, Michael Thomas
Last updated: 2013-05-14 (Latest revision 2012-10-05)
Replaced by: draft-ietf-httpauth-hoba
RFC stream: Internet Engineering Task Force (IETF)
Intended RFC status: (None)
Additional resources: Mailing list discussion
WG state: Call For Adoption By WG Issued
Document shepherd: (None)
IESG state: Replaced by draft-ietf-httpauth-hoba
Consensus boilerplate: Unknown
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


HTTP Origin-Bound Authentication (HOBA) is a design for an HTTP authentication method with credentials that are not vulnerable to phishing attacks, and that does not require a server-side password database. The design can also be used in JavaScript-based authentication embedded in HTML. HOBA is an alternative to HTTP authentication schemes that require passwords with all the negative attributes that come with password-based systems. HOBA can be integrated with account management and other applications running over HTTP and supports portability, so a user can associate more than one device or origin-bound key with the same service. We also describe a way in which the HOBA design can be used from a JavaScript web client. When deployed, HOBA will be a drop-in replacement for password-based HTTP authentication or JavaScript authentication.

