Attacker Motivations and Capabilities
Attacker deceives the user into thinking they are clicking on a link in the client to a site they have an account with, while in fact the attacker controls that destination and it is an active proxy for the site they thought they were going to.
Man On The Side
Attacker can listen in on communications between client and server but does not interfere. For example, on open WiFi with non-secure HTTP, or if weak security is implemented on communications, or if the attacker can listen in behind a server's SSL boundary device.
Man In The Middle
Attacker can listen in on communications between client and server and may or may not interfere. Required to proxy SSL connections that are end-to-end secure.
Able to impersonate user for a single session
Able to take previously captured credentials and impersonate the user, but only for a limited time.
Able to authenticate as the user at any time in the future.
Denial Of Access
Able to prevent user from gaining access to server on a temporary basis.
Able to authenticate the user to the attacker's credentials.
Wants to vandalise the user's account.
Wants to own the account for its status alone, or to leverage that status to make other social gains.
Wants to steal the user's information for identity impersonation or to sell the information onwards.
Wants to directly gain from funds accessible via the account.
Best Practice Integration
This section represents the best practice integration of SQRL authentication into traditional HTML authentication.