An interesting idea for authentication

So one of my pet peeves is authentication. I absolutely hate having to remember a pile of different passwords. I would love everyone to use openid, but clearly it just isn’t happening. I can live with people using twitter and facebook and similar for auth, although I am rather disinclined to give you the ability to tweet as me so I can use your social cat tagging application (yes, I know about read only. No one is bloody using it), but even this doesn’t seem to get much uptake.

Mike and I were talking earlier, and we had an interesting idea. After talking it over with a few friends (Andy Bennett and Alaric Snell-Pym) we refined the idea a bit.

The idea is basically as follows:

  1. Login is done by dedicated personalised login links. It would be something like http(s)://mysite.com/login/some-big-random-string.
  2. When you sign up you’re given a page which says “this is your login link. Please bookmark it”
  3. You also provide your email address, and you can at any point say “I need a new login link. Please email it to me”. It will email you the new link, and the old one will be invalidated as soon as you click on it (it can’t be invalidated before that, because otherwise anyone can invalidate your link).

It should be simple to use – you just bookmark links for your site that are specific to you, which is no worse than storing passwords locally, and it can easily be invalidated by email equivalently to “I forgot my password” links people are familiar with. The security is not really any worse than normal password based authentication (there’s the potential to see it in the URL bar, but you just redirect away from it quickly and make it a long random string, which renders this basically not an issue).
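The three-step scheme above, as an added Python sketch that is not from the post (the site name, the in-memory store and the redirect target are assumptions): tokens are stored only as hashes, a newly emailed link does not retire the old one until it is first clicked, and the handler answers with a redirect so the secret leaves the URL bar.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

BASE = "https://mysite.com/login/"  # assumed site, as in the post


def _digest(token: str) -> str:
    # Keep only a hash server-side so a leaked user table does not leak live links.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Account:
    email: str
    active: Optional[str] = None   # digest of the link currently in use
    pending: Optional[str] = None  # digest of a freshly emailed link, not yet clicked


class LoginLinks:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        self._by_digest: Dict[str, str] = {}  # token digest -> email

    def issue(self, email: str) -> str:
        """Sign-up or 'email me a new link'. The old link stays valid until the
        new one is first used, so a stranger cannot lock the owner out (step 3)."""
        token = secrets.token_urlsafe(32)  # 256 random bits, URL-safe
        acct = self._accounts.setdefault(email, Account(email))
        d = _digest(token)
        if acct.active is None:
            acct.active = d
        else:
            if acct.pending is not None:  # only the newest unclicked link counts
                self._by_digest.pop(acct.pending, None)
            acct.pending = d
        self._by_digest[d] = email
        return BASE + token  # this is what gets emailed / bookmarked

    def login(self, link: str) -> Optional[Tuple[str, str]]:
        """Handle GET /login/<token>: returns (email, redirect path) or None.
        Redirecting away immediately keeps the token out of the visible URL bar."""
        if not link.startswith(BASE):
            return None
        d = _digest(link[len(BASE):])
        email = self._by_digest.get(d)
        if email is None:
            return None
        acct = self._accounts[email]
        if d == acct.pending:  # first click on the new link retires the old one
            self._by_digest.pop(acct.active, None)
            acct.active, acct.pending = d, None
        return email, "/"
```

A real deployment would also set a session cookie on the redirect and rate-limit the "email me a new link" endpoint, since it can be triggered by anyone who knows the address.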

This seems so painfully simple that it’s astonishing no one’s doing it, unless there’s a major flaw I’m missing.

What do you think?


21 thoughts on “An interesting idea for authentication”

  1. James

    If I am not at my normal computer, I have to request a new login string, which invalidates the old one I have bookmarked. Then when I get back to my normal computer I have to request a new one again, and re-bookmark it. If I have a computer at work, and one at home, I have to keep them both up to date. If I go away and have it reset, then that’s now two bookmarks I need to update. -1 productivity point.

    1. david Post author

      Or you check your email on the new computer, where it’s sent you the previous link, and follow that link.

      Alternatively the “send me a reminder email” and “invalidate this link and send me the new one” links could be separate.

  2. Johannes Rudolph

    It might be a psychological problem: In most cases URLs are thought to be public. (Counter-example: Java Servlet generated jsessionid or other session-as-request-parameter schemes). People are used to sending URLs around without having to think much about, while they wouldn’t do that with their usual credentials. You would have to establish the notion of secret URL you mustn’t send around. It might be difficult to convince people that a random number, in fact, represents their identity. You could probably improve this by including some “personalized” bits in the URL, which reminds people that this actually is a secret.

    That aside, I think it’s a nice way to establish authentication, and I’m pretty sure some systems are using it right now. (I’ve done it for a hobby project)

  3. James Dunne

    I actually think it’s a great idea and I’ll definitely use it in the project I’m going to build. I was actually going to just remove any kind of authentication whatsoever but this offers very good middle ground.

    Kudos.

    1. david Post author

      That was actually the context Mike and I came up with it in: He was writing something completely unauthenticated which only required an email address, and through some creative misunderstanding on my part and discussion we came up with this.

  4. Anon

    As an alternative to “remembering” all those passwords, you could just get and use a copy of Password Gorilla ( http://github.com/zdia/gorilla/wiki ). Then you don’t have to remember the passwords, your Gorilla helper does that for you. You just have to remember the one, good, password that you use to unlock the Gorilla.

  5. anon

    This is a complete fail for several reasons:

    1) If you utilize a shared computer in any form (family machine, public machine) then anyone else using that same system can simply look in your bookmarks or look in your browser history (if you forget to clear the browser history) and they have your login credentials.

    2) URLs are often visible in server/proxy/cache logs. So any proxy or cache between you and the “secure” website now has a log of your “credentials” as well. Yes, you could argue that a malicious proxy / cache could also log your id/password, but that requires malicious intent. Proxies and caches often log URLs by default for debugging / troubleshooting purposes.

    1. david Post author

      One option for solving both problems is to make the bookmarked URLs use auth as the delivery mechanism. So instead of http://mysite.com/login/blah it’s http://blah:[email protected]/login . Neither caches nor history will save the password.

      1. anon

        That still fails, because while it may solve the proxy/cache problem, it does not solve the storage in the bookmarks file problem. Your reasoning for why this is better is that you get to bookmark the unique url and then not need to enter/remember a password/userid. But by bookmarking the url, you are storing the url in your local bookmarks file. Anyone with any form of access to your bookmarks file (either by using the same browser on a shared machine or by being able to snoop the file on disk) now has access to your login credentials.

      2. david Post author

        In exactly the same way that if you save the password locally then anyone with access to the computer has access to it. If you don’t want to store it locally, it’s in your email, you can store it privately in delicious, and I’m sure there are plenty of other options too.

        If you are absolutely averse to storing it anywhere that might possibly be snooped, and consider storing passwords in your email to be insecure, then sure, this probably isn’t for you. But that’s hardly the same as “failing”, and I hope you never give your email away to sites because if so then those sites are probably no more secure than your email anyway.

      3. anon

        Spoken like someone who’s never used a password manager. Go get yourself a copy of Password Gorilla and try it out. It will be an eye opening and liberating experience for you. You never have to remember any password beyond the one to unlock your Gorilla password file anymore, yet always have every password available to use for each site. Plus you can start using unique passwords with each new site. If you’ve never tried it, you simply have no basis for comparison, and absolutely no idea what you are missing.

        As for Gorilla storing the passwords locally, yes, in an encrypted file that unless you have the master password you can’t open. So even if someone snoops your Gorilla storage file, they have nothing but an encrypted blob to play with.

        The reason why it is still a “fail” is that it relies too heavily on an end user understanding that they have to “protect” this special URL from being revealed, which is unlikely to be a concept that the unwashed masses will correctly understand. That and they have been conditioned for years to “send the URL to their friends” and so they will merrily email all 500 of their “followers” their “secret” url, and suddenly, everyone else has access to this site as them.

        At least with an id/password they have been conditioned to “do not reveal this to others”. Yes, they often still fail by using the same id/password everywhere, but at least they have to do something that goes against their conditioning to reveal the id/password.

      4. david Post author

        I’m sorry, you’re complaining about the unusability of my suggested system on a public computer and then suggesting that I’m proposing it because I don’t know how to use a system that doesn’t share data between multiple computers?

  6. anon

    Need I remind you of your first two sentences: “So one of my pet peeves is authentication. I absolutely hate having to remember a pile of different passwords.”

    Your complaint is that you don’t like to remember a pile of different passwords.

    Your solution to not remembering a pile of different passwords is, in effect, a “security by obscurity” (http://en.wikipedia.org/wiki/Security_through_obscurity) system. You are proposing its use for allowing public members to “log into” a server of some sort: “It should be simple to use you just bookmark links for your site that are specific to you,”.

    But because your system is security by obscurity, it is vulnerable to multiple exploits, many of which can occur simply because members of the public may likely not realize that all they have is security by obscurity.

    The alternate proposal mitigates your first complaint (the need to remember a pile of passwords) and also mitigates the security vulnerabilities of your solution (the locally stored passwords are encrypted until utilized, and you only have to remember one strong password).

    Then you state in a reply: “In exactly the same way that if you save the password locally then anyone with access to the computer has access to it.”, which on its face looks to be a statement that would only be made by someone who was storing their passwords in a plain text file, unencrypted, on their local disk. I.e., if the “locally saved password” is accessible to “anyone with access to the computer” then by definition the locally saved password must be unencrypted.

    One logical conclusion to be drawn from this is that anyone who saves passwords locally in an unencrypted text file has never utilized a proper password manager that stores, encrypts, and allows easy use of their multitude of passwords.

    Combine that conclusion with your complaint in the first two sentences, that of needing to remember a pile of passwords, and one can logically conclude that you yourself have never utilized a proper password manager. Because had you ever utilized a proper password manager, you would not have had your first complaint in the first two sentences that led you to your security through obscurity solution for not needing to remember a pile of passwords.

  7. Arun Avanathan

    It is a cool idea for less sensitive pages with a lighter auth system. Otherwise, it is as good as sending passwords as url query parameters. If it is a public computer, even though you are not bookmarking it, others can see this url from browser history. Of course you can deactivate or reset, but until then or if you do not realise it others can easily get into your credentials.

    Thanks for sharing this.

  8. ianam

    If we were starting from the beginning and this was being proposed as the general solution to secure login everywhere, then it might be interesting to discuss its relative merits (which aren’t so great, as others have noted above). But, as it is, every other app uses passwords and tools such as password generators and loggers have been developed for that usage — tools that this approach is not compatible with, making it a non-starter.
