Login without password

Kamahl19
Registered User
Posts: 161
Joined: Thu Dec 27, 2007 10:31 am

Login without password

Post by Kamahl19 » Fri May 23, 2014 8:24 pm

I read this article http://notes.xoxco.com/post/27999787765 ... less-login and I thought, I might develop a MOD and an Ext which would allow users to log in only with their email. What do you think about this idea? Do you see any security issues?

User would insert his email and click the login button, then we receive an email with a link. He opens the link and it logs him in. He doesn't have to remember a password and no one can steal his password.

Louis7777
Registered User
Posts: 378
Joined: Fri Apr 04, 2014 12:32 am

Re: Login without password

Post by Louis7777 » Sat May 24, 2014 1:42 am

"He doesn't have to remember a password and no one can steal his password." -> That is the advantage.

However, the links in e-mails would go through mail servers. On the contrary, when you log in at a forum with your username and password, it all happens at that specific forum. No one else gets your login key (apart from the Internet routers of course). Would you trust the e-mail providers?

Also, the user would have to "insert his email and click the login button", then log in to his e-mail account and click a link there. Boring, that is the disadvantage :)

Kamahl19
Registered User
Posts: 161
Joined: Thu Dec 27, 2007 10:31 am

Re: Login without password

Post by Kamahl19 » Sat May 24, 2014 10:36 am

Have you read the article? There is definitely something interesting in this idea.

I personally would use it. I have eM Client so I receive emails immediately without logging in to my email. The whole login takes just a few seconds.

NeilUK
Registered User
Posts: 88
Joined: Mon May 01, 2006 7:55 pm

Re: Login without password

Post by NeilUK » Sat May 24, 2014 2:23 pm

A better option for me would be to log in with Facebook or Twitter, Google+, etc. So if you were already logged into one of those you would just click a button, no username or password to enter. Much safer than using just email.
"Life Is What Happens To You When You Are Busy Making Other Plans" - John Lennon

callumacrae
Infrastructure Team
Posts: 1046
Joined: Tue Apr 27, 2010 9:37 am
Location: England

Re: Login without password

Post by callumacrae » Sat May 24, 2014 9:42 pm

NeilUK wrote: Much safer than using just email
If someone already has access to your email, you're boned anyway.
Made by developers, for developers!

Kamahl19
Registered User
Posts: 161
Joined: Thu Dec 27, 2007 10:31 am

Re: Login without password

Post by Kamahl19 » Sat May 24, 2014 10:46 pm

That's true, if somebody gets to your email your online identity is done. He can request new passwords to all your services and change your passwords everywhere. It does not matter if there is login via email or not.

OAuth login is great but many people don't like it because often you have to give the service permission to access your contact list / info etc.

NeilUK
Registered User
Posts: 88
Joined: Mon May 01, 2006 7:55 pm

Re: Login without password

Post by NeilUK » Sun May 25, 2014 12:04 am

callumacrae wrote:
NeilUK wrote: Much safer than using just email
If someone already has access to your email, you're boned anyway.

That's true, which means that to have email as a log in option on a Forum the user would most likely have to create another email account with gmail or some other which again would lose whatever time saving the option gave you anyway. I just don't see the general public out there trusting this option if they saw it on a Forum they were thinking of registering with.
"Life Is What Happens To You When You Are Busy Making Other Plans" - John Lennon

jsebean
Registered User
Posts: 165
Joined: Wed Nov 17, 2010 1:40 am
Location: Atlantic Canada

Re: Login without password

Post by jsebean » Sun May 25, 2014 12:59 am

I must admit, I haven't read the article in full, I'll read it in a moment, but the way I understand it is you enter your email (or username that is associated with the email address), an email is then sent with a link. This sounds like a good idea, but I have a couple problems with it. It more easily allows a man in the middle to attack you without having to change a "password", making it slightly harder to recognize if someone has compromised you. This however would be a nice method even for two factor authentication. Require a password, but then click a link for high risk websites, like your bank.

E.g. If I can sniff your email and simply enter in your username, then get the link and login. There is no password to change, so less indication that somebody has compromised your account. If I gain access to your email and want to get into your phpBB account, I'd have to do a password reset, so the next time you login, you'd know the password was changed as you'd never be able to get in. Whereas with this there is less indication.

Email is not encrypted when sent. Whereas if you visit Area51, it's over https, so when you enter the password, it's encrypted, nobody knows it but you. I suppose it could be possible to set up some sort of PGP support for this login system, and send the login link with PGP, but isn't that a little overkill?

Finally, and this is just a personal preference, I am not a fan of having to go to my email address and "activate" an account, let alone having to go to my email to login every time I want to :shock:. I'm the type of guy who likes how websites like Reddit do it, no email required, no activation link. In fact, I'm so lazy, that I would rather have some sort of SSO support like OpenID or Facebook Connect since I absolutely hate having to register to every site I post on. There are many forums I would post on but registration is just so tedious -- time is money haha.

So that's my take on it, JMHO :roll:

EDIT: One thing that would be cool for lazy people like me if you adopted this method is if you could make a browser extension that could connect to your email account and "click" the link for you, so there would be no need to fire up your Email client or webmail to get the link. All you'd do is enter the email address and that'd be it :P I would love that. Still doesn't protect from sniffing in high risk situations, but PGP could support that, and you could implement a PGP Key reset feature much like the password reset feature and have a security question. :P I'm a bit tin foil hat though, that'd probably be overkill for most people and most websites :lol:
-Jonah
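
Added example (not part of any post in this thread, and not phpBB code): a sketch of the server side of the email-link login discussed above, aimed at the two concerns raised in the preceding post. The emailed token is single-use and short-lived and only its hash is stored, and every successful redemption is recorded so the account owner can be shown logins they did not make. All names (`MagicLinkStore`, `issue`, `redeem`, `TOKEN_TTL`) and the 15-minute lifetime are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a link stays valid (assumed value)

class MagicLinkStore:
    """In-memory stand-in for the forum's database tables (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # sha256(token) -> (email, expires_at)
        self.login_log = []  # (email, timestamp, remote_ip) per successful login

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Create the token to embed in the emailed link; store only its hash."""
        # A new request invalidates any older link for the same address.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != email}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, self._clock() + TOKEN_TTL)
        return token

    def redeem(self, token, remote_ip):
        """Return the email to log in, or None. A token works at most once."""
        # pop() removes the entry before any check, so a replayed link fails.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None or self._clock() > entry[1]:
            return None
        # Recorded so the owner can be shown (or mailed) "last login from ...".
        self.login_log.append((entry[0], self._clock(), remote_ip))
        return entry[0]

def demo():
    now = [1_000_000.0]  # constructed fake clock for the demonstration
    store = MagicLinkStore(clock=lambda: now[0])
    token = store.issue("user@example.com")
    first = store.redeem(token, "203.0.113.5")    # legitimate click
    replay = store.redeem(token, "198.51.100.9")  # same link used again
    stale = store.issue("user@example.com")
    now[0] += TOKEN_TTL + 1                       # link left unused too long
    expired = store.redeem(stale, "203.0.113.5")
    return first, replay, expired, len(store.login_log)
```

A link read in transit can still be used if it is redeemed before the owner clicks it; the single-use rule then makes the owner's own click fail, and the login log shows the unfamiliar address.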

Kamahl19
Registered User
Posts: 161
Joined: Thu Dec 27, 2007 10:31 am

Re: Login without password

Post by Kamahl19 » Sun May 25, 2014 1:37 am

Well that is a good point. One would never know somebody hacked his account. However I think, if somebody gets to your email he makes much more mess than just posting something to a discussion board from your account.

Passwords are very often sent as plain text to your email and they are not encrypted. Would PGP really be necessary? I am no expert in this email security field.

NeilUK
Registered User
Posts: 88
Joined: Mon May 01, 2006 7:55 pm

Re: Login without password

Post by NeilUK » Sun May 25, 2014 9:44 am

I really think everyone needs to review this idea with the average user in mind, not the person running a Forum but the people they hope to attract. The Forums I have run have had a lot of people involved who were computer literate, the vast majority of people out there don't spend much time on Forums like we do. If I saw a Forum with this email option I wouldn't use it but I would know that the normal log in option would be safe. 80% of internet users out there wouldn't probably just leave, worried it was unsafe.

Remember there are still more people in the world who refuse to shop online or use PayPal for safety fears than people who do, these are the people we need to think about when reviewing this idea. Whether it's actually safe or not is important, but more important is the perception of whether it's safe or not. If that makes sense.
"Life Is What Happens To You When You Are Busy Making Other Plans" - John Lennon
