Trust on first use

After the first identifier has been scanned, the client will display a shield symbol for messages from authenticated endpoints, and a red background for messages from all others.

In Signal the endpoints initially blindly trust the identifier and display non-blocking warnings when it changes.

The single largest strength of any TOFU-style model is that a human being must initially validate every interaction.

The TOFU aspect of this application forces a sysadmin (or other trusted user) to validate the remote server's identity upon first connection.
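As an added illustration (not code from the article or from any of the applications it mentions), the following Python sketch shows the TOFU mechanics the preceding paragraphs describe: the identifier is pinned blindly on first contact, later contacts are compared against the pin, a human can mark the pin as validated, and a changed identifier is either refused (the blocking, SSH-style policy) or allowed with a non-blocking warning (the Signal-style policy). The key bytes, endpoint name and pin file are constructed placeholders.

```python
import hashlib
import json
from pathlib import Path

# Constructed sample public keys (placeholders, not real key material).
HOST_KEY_A = b"ssh-ed25519 CONSTRUCTED-KEY-A host.example"
HOST_KEY_B = b"ssh-ed25519 CONSTRUCTED-KEY-B host.example"


def fingerprint(key: bytes) -> str:
    """The identifier that TOFU pins: a SHA-256 digest of the public key."""
    return hashlib.sha256(key).hexdigest()


class TofuStore:
    """known_hosts-style pin store: remembers the first identifier seen per endpoint."""

    def __init__(self, path: str):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def _save(self) -> None:
        self.path.write_text(json.dumps(self.pins))

    def check(self, endpoint: str, key: bytes) -> str:
        fp = fingerprint(key)
        pin = self.pins.get(endpoint)
        if pin is None:
            # First use: pin the identifier blindly; nobody has validated it yet.
            self.pins[endpoint] = {"fp": fp, "verified": False}
            self._save()
            return "first_use"
        if pin["fp"] == fp:
            return "verified" if pin["verified"] else "unverified_match"
        # Identifier changed since it was pinned: key rotation or an interposed party.
        return "mismatch"

    def mark_verified(self, endpoint: str) -> None:
        """Record that a human compared the fingerprint out of band."""
        self.pins[endpoint]["verified"] = True
        self._save()


def allowed(result: str, policy: str) -> bool:
    """Decision for a check result: 'block' refuses a changed identifier,
    'warn' lets it through and leaves the user with a non-blocking warning."""
    if result != "mismatch":
        return True
    return policy == "warn"
```

The "unverified_match" state is the gap the text points at: a matching identifier only proves consistency with the first contact, not that the first contact was genuine, until a human has marked it verified.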

The largest weakness of a TOFU model that requires manual verification is its inability to scale to large groups or computer networks.

The maintenance overhead of keeping track of identifiers for every endpoint can quickly scale beyond the capabilities of the users.

Out-of-sight identifier verification mechanisms reduce the likelihood that secure authentication practices are discovered and adopted by the users.

The first known formal use of the term TOFU or TUFU was by CMU researchers Dan Wendlandt, David Andersen, and Adrian Perrig in their research paper "Perspectives: Improving SSH-Style Host Authentication With Multi-Path Probing", published in 2008 at the USENIX Annual Technical Conference.[5]

Moxie Marlinspike mentioned Perspectives and the term TOFU in the DEF CON 18 proceedings, with reference to comments made by Dan Kaminsky, during the panel discussion "An Open Letter, A Call to Action".

The topics of trust, validation, and non-repudiation are fundamental to all work in the field of cryptography and digital security.