This idea is based on the standard password recovery scenario for web sites. It’s also expanding on a hint given about this by Lorrie Cranor in her keynote at www2005. Most username password authetication systems on web sites just end up with me having to ask for my password to be emailed back to me every time anyway – so why not automate that process.
How about replacing the standard username password login/authentication setup with the following.
1. When I register with a service I register my email address and confirm this in the usual way. Whenever I have to authenticate myself to a server, my browser sends my email address.
2. The server sends an email to my email account with a URL containing some credentials.
3. My email client reads the email automatically and redirects the OS to open up the page I wanted to access, including the authentication credentials. The server checks the credentials against the email address and the email it sent me to see if they match (Only someone who has my email password can know the secret – or someone who has intercepted our communication).
From the user’s point of view, it means no more remembering passwords and basically seamless access.
Problems and responses ():
1. Delay in receiving the email. (mostly only 1 min maximum)
2. The email is plaintext and insecure. (That’s the case in the standard password recovery scenario. I considered sending a public key along with the email address so that the server’s email can be encrypted – and then encrypting the response with the server’s public key. But then I thought that this is equivalent to a plugin which asks the user to sign a credential with his PGP key and then checks against a registered public key. This is nothing new and has well-known problems (Public Key Infrastructure etc….) It’s a possible extension but it should be born in mind that it’s adding more security than we are use normally.
3. You need a plugin in both the email client and the browser and they have to be able to talk to each other. (No problem for standard setups)
4. It’s only as secure as the person’s email un and password (but most web logins don’t require anything more anyway).