Nice write-up of it, though I disagree that you can (or should) "recover" from a database breach in that way. If you detect a database breach, it's likely considerably after the event, and you should enforce password changes (and TOTP resyncs).

Also, there's no mention of Channel Binding, which adds considerable protection to MITM attacks aimed at obtaining the ClientProof off the wire.
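The channel-binding point above, as an added example that is not part of the original comment or of the write-up it responds to: a minimal SCRAM-SHA-256 exchange (RFC 5802 / RFC 7677) in which the client's `c=` attribute carries `tls-server-end-point` data, and the server compares that data against its own certificate hash before checking the ClientProof. The certificate hashes, salt, nonces and password are constructed stand-ins; the server-side comparison is the behaviour RFC 5802 requires, but its placement here is my own.

```python
"""SCRAM-SHA-256 proof construction with and without channel binding.

Added example (not from the original comment). Shows that a ClientProof
computed over a session bound to one certificate does not verify at a
server whose certificate differs, as long as the server checks the
received channel-binding data rather than blindly echoing it into
AuthMessage.
"""
import base64
import hashlib
import hmac
from hashlib import pbkdf2_hmac

CB_TYPE = b"tls-server-end-point"

# Constructed stand-ins for hashes of two different server certificates.
REAL_CERT_HASH = hashlib.sha256(b"constructed: real server certificate").digest()
OTHER_CERT_HASH = hashlib.sha256(b"constructed: some other certificate").digest()
SALT = b"constructed-salt"  # constructed; a real server uses random per-user salt
ITERATIONS = 4096


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_stored_credentials(password, salt, iterations):
    """What the server database holds: StoredKey and ServerKey, not the password."""
    salted = pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha256(client_key).digest(),
        "server_key": _hmac(salted, b"Server Key"),
    }


def gs2_and_cbind(cb_data):
    """Raw value of the c= attribute: GS2 header plus channel-binding data."""
    if cb_data is None:
        return b"n,,"  # client does not use channel binding
    return b"p=" + CB_TYPE + b",," + cb_data


def client_compute_proof(password, salt, iterations, auth_message):
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    return _xor(client_key, _hmac(stored_key, auth_message))


def server_verify(creds, expected_cbind, client_final_without_proof, auth_message, proof):
    """Server side: validate the channel binding, then recover and check ClientKey."""
    c_attr = client_final_without_proof.split(",")[0]
    received_cbind = base64.b64decode(c_attr[2:])
    # This comparison is what does the work: AuthMessage already contains the
    # client's c= value, so the proof would verify on any channel if the server
    # did not insist that the bound data is its own certificate hash.
    if not hmac.compare_digest(received_cbind, expected_cbind):
        return False
    recovered_client_key = _xor(proof, _hmac(creds["stored_key"], auth_message))
    return hmac.compare_digest(hashlib.sha256(recovered_client_key).digest(), creds["stored_key"])


def run_exchange(password, creds, client_cb_data, server_cb_data, cnonce="cnonce1", snonce="snonce1"):
    """One exchange. client_cb_data is the certificate hash the client sees on
    its TLS session; server_cb_data is the hash of the server's own certificate.
    Nonces are fixed for reproducibility (constructed)."""
    nonce = cnonce + snonce
    client_first_bare = "n=user,r=" + cnonce
    server_first = "r=%s,s=%s,i=%d" % (
        nonce, base64.b64encode(creds["salt"]).decode(), creds["iterations"])
    client_final_without_proof = "c=%s,r=%s" % (
        base64.b64encode(gs2_and_cbind(client_cb_data)).decode(), nonce)
    auth_message = ",".join([client_first_bare, server_first, client_final_without_proof]).encode()
    proof = client_compute_proof(password, creds["salt"], creds["iterations"], auth_message)
    return server_verify(creds, gs2_and_cbind(server_cb_data), client_final_without_proof, auth_message, proof)


if __name__ == "__main__":
    creds = derive_stored_credentials("correct horse", SALT, ITERATIONS)
    print("unbound, same endpoint:", run_exchange("correct horse", creds, None, None))
    print("bound, same certificate:", run_exchange("correct horse", creds, REAL_CERT_HASH, REAL_CERT_HASH))
    print("bound, different certificate:", run_exchange("correct horse", creds, OTHER_CERT_HASH, REAL_CERT_HASH))
```

The third case is the one the comment is about: a proof produced over a session bound to a different certificate is rejected even though the password is right, because the binding data is part of AuthMessage and the server checks it against its own certificate. Removing the `compare_digest` on `received_cbind` makes that case pass, which is the failure mode to look for when reviewing a SCRAM server implementation.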