So one of my pet peeves is authentication. I absolutely hate having to remember a pile of different passwords. I would love everyone to use OpenID, but clearly it just isn’t happening. I can live with people using Twitter, Facebook and similar for auth, although I am rather disinclined to give you the ability to tweet as me so I can use your social cat-tagging application (yes, I know about read-only access. No one is bloody using it), but even this doesn’t seem to get much uptake.
The idea is basically as follows:
- Login is done by dedicated, personalised login links. It would be something like https://mysite.com/login/some-big-random-string, served over HTTPS only, since the link itself is the credential.
- When you sign up you’re given a page which says “this is your login link. Please bookmark it”
- You also provide your email address, and you can at any point say “I need a new login link. Please email it to me”. It will email you the new link, and the old one is invalidated as soon as you click on the new one (it can’t be invalidated before that, because otherwise anyone who knows your email address could lock you out by requesting a new link).
It should be simple to use: you just bookmark a link to the site that is specific to you, which is no worse than storing passwords locally, and it can be replaced by email in exactly the way the “I forgot my password” links people are already familiar with. The security is not really any worse than normal password-based authentication. The link is visible in the URL bar while the page loads, but if you make it a long random string and redirect away from it immediately (so it never appears as the Referer of a rendered page), this is basically not an issue. The caveat is that a link is a bearer token: anywhere the URL is logged or synced (server access logs, proxies, a bookmark sync service) holds a working credential, so treat those logs the way you would a password database.
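The flow described above, written out as an added example rather than code from the original post: sign-up mints a personal link, login by link sets a session and redirects away, and “send me a new link” mints a pending link that only replaces the old one on first use. The site URL, the `/login/` route, storing only a SHA-256 hash of each link and answering bad links with a plain 404 are my assumptions, not something the post specifies; the store is in-memory for the sake of running stand-alone.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed site and route names for the example; not from the original post.
SITE = "https://mysite.com"
LOGIN_PREFIX = "/login/"


def _hash_token(token: str) -> str:
    # Only a hash of the link is stored server-side, so a copied database does
    # not hand out working login links (an added hardening, not in the post).
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class User:
    email: str
    active_hash: str                     # hash of the link that currently logs in
    pending_hash: Optional[str] = None   # hash of an emailed replacement, if any


class LoginLinkStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.by_hash: Dict[str, str] = {}    # token hash -> user id
        self.sessions: Dict[str, str] = {}   # session cookie -> user id

    def _new_link(self, user_id: str) -> Tuple[str, str]:
        token = secrets.token_urlsafe(32)    # 256 bits of randomness per link
        h = _hash_token(token)
        self.by_hash[h] = user_id
        return h, f"{SITE}{LOGIN_PREFIX}{token}"

    def sign_up(self, email: str) -> Tuple[str, str]:
        """Create the account; return (user_id, the link to show and bookmark)."""
        user_id = secrets.token_hex(8)
        h, url = self._new_link(user_id)
        self.users[user_id] = User(email=email, active_hash=h)
        return user_id, url

    def request_new_link(self, email: str) -> Optional[str]:
        """'I need a new login link': mint a pending link to email to the user.
        The existing link keeps working until the new one is clicked, so an
        attacker who only knows the email address cannot lock the user out."""
        for user_id, user in self.users.items():
            if user.email == email:
                if user.pending_hash:
                    self.by_hash.pop(user.pending_hash, None)  # only the latest email counts
                user.pending_hash, url = self._new_link(user_id)
                return url
        return None   # unknown address: nothing to email

    def login(self, token: str) -> Optional[str]:
        """Return the user id for a valid link, promoting a pending link on first use."""
        h = _hash_token(token)
        user_id = self.by_hash.get(h)
        if user_id is None:
            return None
        user = self.users[user_id]
        if user.pending_hash is not None and hmac.compare_digest(h, user.pending_hash):
            # First click on the emailed link: it becomes the live link and the
            # old bookmark stops working from this moment on.
            self.by_hash.pop(user.active_hash, None)
            user.active_hash, user.pending_hash = h, None
        return user_id

    def handle(self, path: str) -> dict:
        """Minimal HTTP-like handler for GET /login/<token>; returns the response fields."""
        if not path.startswith(LOGIN_PREFIX):
            return {"status": 404}
        user_id = self.login(path[len(LOGIN_PREFIX):])
        if user_id is None:
            return {"status": 404}   # same answer as a missing page; don't confirm tokens
        session = secrets.token_urlsafe(32)
        self.sessions[session] = user_id
        # Redirect at once so the token leaves the address bar and the landing
        # page (not the token URL) is what any outbound link sends as Referer.
        return {"status": 303, "Location": "/",
                "Set-Cookie": f"session={session}; HttpOnly; Secure; SameSite=Lax"}


if __name__ == "__main__":
    store = LoginLinkStore()
    uid, link = store.sign_up("alice@example.com")          # constructed sample user
    print("bookmark this:", link)
    print("login via bookmark:", store.handle(link[len(SITE):])["status"])
    new_link = store.request_new_link("alice@example.com")   # would be emailed
    print("old link still works before the new one is clicked:",
          store.login(link.split(LOGIN_PREFIX)[1]) == uid)
    store.login(new_link.split(LOGIN_PREFIX)[1])
    print("old link after clicking the new one:", store.login(link.split(LOGIN_PREFIX)[1]))
```

The session cookie is what the browser carries afterwards, so the long-lived link is only ever sent once per login; if the links need a lifetime or a rate limit on “email me a new link”, that is where it would go, but the post does not ask for either.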
This seems so painfully simple that it’s astonishing no one’s doing it, unless there’s a major flaw I’m missing.
What do you think?