%% You should probably cite rfc9588 instead of this I-D. @techreport{ietf-kitten-krb-spake-preauth-09, number = {draft-ietf-kitten-krb-spake-preauth-09}, type = {Internet-Draft}, institution = {Internet Engineering Task Force}, publisher = {Internet Engineering Task Force}, note = {Work in Progress}, url = {https://datatracker.ietf.org/doc/draft-ietf-kitten-krb-spake-preauth/09/}, author = {Nathaniel McCallum and Simo Sorce and Robbie Harwood and Greg Hudson}, title = {{SPAKE Pre-Authentication}}, pagetotal = 37, year = 2020, month = jun, day = 10, abstract = {This document defines a new pre-authentication mechanism for the Kerberos protocol that uses a password authenticated key exchange. This document has three goals. First, increase the security of Kerberos pre-authentication exchanges by making offline brute-force attacks infeasible. Second, enable the use of second factor authentication without the need for a separately-established secure channel. This is achieved using the existing trust relationship established by the shared first factor. Third, make Kerberos pre- authentication more resilient against time synchronization errors by removing the need to transfer an encrypted timestamp from the client.}, }