%% You should probably cite rfc7486 instead of this I-D.
@techreport{ietf-httpauth-hoba-00,
    number =    {draft-ietf-httpauth-hoba-00},
    type =      {Internet-Draft},
    institution =   {Internet Engineering Task Force},
    publisher = {Internet Engineering Task Force},
    note =      {Work in Progress},
    url =       {https://datatracker.ietf.org/doc/draft-ietf-httpauth-hoba/00/},
    author =    {Stephen Farrell and Paul E. Hoffman and Michael Thomas},
    title =     {{HTTP Origin-Bound Authentication (HOBA)}},
    pagetotal = 23,
    year =      2013,
    month =     may,
    day =       14,
    abstract =  {HTTP Origin-Bound Authentication (HOBA) is a design for an HTTP authentication method with credentials that are not vulnerable to phishing attacks, and that does not require a server-side password database. The design can also be used in Javascript-based authentication embedded in HTML. HOBA is an alternative to HTTP authentication schemes that require passwords with all the negative attributes that come with password-based systems. HOBA can be integrated with account management and other applications running over HTTP and supports portability, so a user can associate more than one device or origin-bound key with the same service. We also describe a way in which the HOBA design can be used from a Javascript web client. When deployed, HOBA will be a drop-in replacement for password-based HTTP authentication or JavaScript authentication.},
}