19

In an answer to this question about pw reset, D.W. says:

Lastly, consider non-password authentication. Passwords have many problems as an authentication mechanism, and you might consider other methods of authenticating users, such as storing a secure persistent cookie on their machine with an unguessable secret to authenticate them. This way, there is no password to forget and no way for the user to be phished, though you do need to provide a way for a user to authorize access from a new machine or a new browser (possibly via email to the user's pre-registered email address).

How does one do that? How safe and user friendly is this solution? What are the key drawbacks?

JDelage
  • There is also one new innovation in this list, from Google and Motorola. It is the Motorola password pill; I really loved their idea and am eagerly waiting for it. I found some details on it here http://motorolapill.com –  Dec 29 '13 at 12:17

4 Answers

8

In almost any case where you click on "remember me", this is already happening on your computer. A random string of characters is stored in a cookie and linked to your account. The reason why more than this is required has to do with mobility. If you change computers, how do you log back in without the standard username / password? Users simply don't take their cookies with them.

In the case of the email suggestion, you could send a random code that can be entered into a form field, or even clicked as a link. For some marginal level of increased security, I would expire those click links after a time and store a different random code as the cookie.

Jeff Ferland
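The scheme this answer sketches (a random secret in a "remember me" cookie tied to the account, plus an expiring emailed code that is exchanged for a different cookie secret on a new machine) can be written down compactly. The following is an added example, not code from the answer or from any particular site: the in-memory dictionaries standing in for database tables, the user "alice", and the 15-minute code lifetime are all constructed for the illustration. Only hashes of the secrets are stored server-side, so a copy of the table does not yield usable cookies or codes.

```python
import hashlib
import secrets
import time

# Constructed stand-ins for database tables (example only).
USERS = {"alice": {"email": "alice@example.com"}}   # sample user
DEVICE_TOKENS = {}   # sha256(cookie secret) -> username
EMAIL_CODES = {}     # sha256(emailed code)  -> (username, expires_at)

CODE_TTL_SECONDS = 15 * 60   # assumed lifetime of an emailed code


def _digest(secret: str) -> str:
    """Store only a hash; the raw secret lives in the cookie or the e-mail."""
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_device_token(username: str) -> str:
    """Mint the unguessable secret that goes into the persistent cookie."""
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    DEVICE_TOKENS[_digest(token)] = username
    return token


def authenticate_cookie(token: str):
    """Map a presented cookie value to a username, or None if unknown."""
    return DEVICE_TOKENS.get(_digest(token))


def start_new_device_login(username: str, now: float) -> str:
    """Step 1 on an unrecognised machine: create a short-lived code to e-mail.

    The caller sends `code` to the pre-registered address, as a link or as a
    value to type into a form. It is never written to logs.
    """
    if username not in USERS:
        raise KeyError("unknown user")
    code = secrets.token_urlsafe(32)
    EMAIL_CODES[_digest(code)] = (username, now + CODE_TTL_SECONDS)
    return code


def finish_new_device_login(code: str, now: float):
    """Step 2: trade the emailed code for a fresh, unrelated cookie secret.

    The code is single-use (popped on first presentation) and expires, so a
    leaked e-mail is only useful briefly and only once. Returns the new cookie
    token, or None if the code is unknown, already used, or expired.
    """
    entry = EMAIL_CODES.pop(_digest(code), None)
    if entry is None:
        return None
    username, expires_at = entry
    if now > expires_at:
        return None
    return issue_device_token(username)   # a different secret than the code


def revoke_device_token(token: str) -> bool:
    """Log a single machine out (e.g. lost laptop); True if it was known."""
    return DEVICE_TOKENS.pop(_digest(token), None) is not None


if __name__ == "__main__":
    now = time.time()
    code = start_new_device_login("alice", now)
    cookie = finish_new_device_login(code, now + 5)
    print("cookie authenticates as:", authenticate_cookie(cookie))
    print("code reused:", finish_new_device_login(code, now + 10))
```

Two details matter in practice: the emailed code and the cookie secret are distinct values, so an intercepted e-mail never contains anything that works as a cookie later, and the cookie should be set with the `Secure` and `HttpOnly` flags so that it is only sent over TLS and is not readable from page scripts.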
6

There are three ways to authenticate an identity: based on what he has (a phone, a device), what he knows (a password, a story), or what he is (his fingerprint, palm scan). The last is unusable in a remote context.

Therefore, your question is about using an alternative to what you know. That is to say, to use what you have (usually time-limited). This typically involves tokens or one-time passwords.

Check out some of these: http://www.duosecurity.com/, http://code.google.com/p/google-authenticator/, and http://www.wikidsystems.com/.

They are as safe as having a phone (and losing it). It is quite friendly.

Nam Nguyen
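To make the "time-limited token" idea concrete: Google Authenticator and similar apps implement TOTP (RFC 6238), which is HOTP (RFC 4226) with the counter derived from the current 30-second interval. The example below is added here and is not the code of any of the linked products; it implements the two RFCs directly from the standard library and checks itself against the published RFC 6238 test vectors (shared secret `12345678901234567890`, SHA-1, 8 digits). The `window` and `last_accepted` parameters of the verifier are my additions: the first tolerates clock drift of one step either way, the second refuses to accept a counter that has already been used, which is what stops a code observed over someone's shoulder from being replayed within its 30 seconds.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                last_accepted: int = -1, step: int = 30,
                digits: int = 6, window: int = 1):
    """Server-side check. Returns the accepted counter, or None.

    The caller persists the returned counter per user and passes it back as
    `last_accepted` next time, so a code cannot be accepted twice even while
    it is still within the drift window (assumed replay defence, not in RFC).
    """
    base = unix_time // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_accepted:
            continue
        # constant-time compare so the check does not leak matching prefixes
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


# RFC 6238 Appendix B test vectors (SHA-1, 8 digits).
RFC_SECRET = b"12345678901234567890"
RFC_VECTORS = {59: "94287082", 1111111109: "07081804", 1234567890: "89005924"}


def rfc_vectors_pass() -> bool:
    """Sanity check of this implementation against the published vectors."""
    return all(totp(RFC_SECRET, t, digits=8) == code
               for t, code in RFC_VECTORS.items())


if __name__ == "__main__":
    print("RFC 6238 vectors match:", rfc_vectors_pass())
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("current 6-digit code:", code)
    accepted = verify_totp(RFC_SECRET, code, now)
    print("accepted at counter:", accepted)
    print("replay accepted:", verify_totp(RFC_SECRET, code, now, last_accepted=accepted))
```

The security of the whole arrangement reduces to two things the code makes visible: the shared secret must be generated with a CSPRNG and stored as carefully as a password hash would be (it cannot be hashed, since the server needs the raw value), and the server's clock must be roughly right, since the drift window is what bounds how far a phone's clock may wander before the user is locked out.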
6

You might find this academic paper of interest: Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication. The paper describes one way to use secure persistent cookies for authentication and to enable people to register a new machine using an email link. It's by no means the only way -- it is just one example, and there are probably many other possible ways of doing something along these lines.

D.W.
0

I have come across a good enough and simple authentication process from this service. It uses your mobile number to send a one-time password via SMS.

garik