I'd like to use a V4 UUID / GUID for authenticating users. To be specific, the user would have to paste the UUID into a text field to gain access to their account. The UUID would be given to them at the time of registration. The UUID would be combined with a username (public) when authing.
Assume normal security practices are in place (SSL, DB holding the UUIDs is encrypted at rest, guards against brute force attacks, UUID would not be passed in a URL, etc). Assume that the application isn't for anything extremely important (banking) but is still fairly important (pretend it is domain names, for the sake of argument). Don't worry about the usability issues that the user might have. I'm just concerned about security.
- Given the above, is this still a bad idea?
- Do you think this is less secure than username / pass?
- Would slamming two UUIDs together be more secure?
My goal here is to not be storing personal data of any kind (email / pass). My hope is that this is a viable alternative.
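An added example, not part of the original post, of how the scheme described above is usually handled on the server side: a version-4 UUID is issued once, only a hash of it is stored, the pasted value is normalised before checking, and the comparison is constant-time. The helper names (`issue_credential`, `verify`, `storage_hash`) and the in-memory `db` dict are this example's own assumptions. It also puts numbers on the entropy question, including the "two UUIDs together" variant, since a v4 UUID carries exactly 122 random bits.

```python
import hashlib
import hmac
import math
import uuid

# A version-4 UUID is 128 bits, of which 4 are the fixed version nibble and
# 2 are the variant bits, leaving 122 bits drawn from the CSPRNG (RFC 4122).
V4_RANDOM_BITS = 122


def uuid_credential_bits(count: int = 1) -> int:
    """Entropy of `count` concatenated v4 UUIDs used as a single secret."""
    return V4_RANDOM_BITS * count


def password_bits(length: int, alphabet_size: int) -> float:
    """Upper bound for a uniformly random password of the given length;
    human-chosen passwords are far below this bound."""
    return length * math.log2(alphabet_size)


def canonical(token: str):
    """Normalise what the user pasted (case, braces, missing hyphens, urn: prefix)
    to the lowercase hyphenated form; return None if it is not a UUID at all."""
    try:
        return str(uuid.UUID(token.strip()))
    except ValueError:
        return None


def storage_hash(token: str) -> str:
    # The secret already has 122 bits of entropy, so one fast hash is enough to keep
    # the plaintext out of the database; a slow KDF (bcrypt/argon2) only pays off
    # for low-entropy, human-chosen passwords.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_credential(db: dict, username: str) -> str:
    """Generate the UUID at registration; it is shown to the user once and only
    its hash is kept (constructed in-memory store, not a real database)."""
    token = str(uuid.uuid4())
    db[username] = storage_hash(token)
    return token


def verify(db: dict, username: str, presented: str) -> bool:
    """Check a pasted UUID against the stored hash for a (public) username."""
    token = canonical(presented)
    if token is None or username not in db:
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(db[username], storage_hash(token))


if __name__ == "__main__":
    store = {}
    issued = issue_credential(store, "alice")
    print("issued:", issued)
    print("stored:", store["alice"])
    print("verify pasted:", verify(store, "alice", "{" + issued.upper() + "}"))
    print("one UUID:", uuid_credential_bits(), "bits;",
          "two UUIDs:", uuid_credential_bits(2), "bits;",
          "random 8-char alnum password:", round(password_bits(8, 62), 1), "bits")
```

The normalisation step matters because users paste UUIDs in several equivalent spellings; rejecting anything that is not a well-formed UUID also keeps arbitrary strings out of the hashing path. Storing only the hash means a database read does not directly yield usable credentials, which is the same property a password table is expected to have.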