Login without password

Want to chit chat about anything, do it here ... posting here won't increase your post count (or shouldn't!). Please do not post any "phpBB" specific topics here unless they do not fit into the category above. Do not post bug reports, feature or support requests!
Forum rules
Please do not post any "phpBB" specific topics here unless they do not fit into the category above.

Do not post bug reports, feature or support requests! No really... Do not post bug reports, feature or support requests! Doing so will make Bertie a very sad bear indeed. :(
keith10456
Registered User
Posts: 523
Joined: Sat Apr 22, 2006 10:29 pm
Contact:

Re: Login without password

Post by keith10456 »

-1

I don't want to go to my email in order to login... That's annoying.

I think a better solution would be to allow members to login with their email address and password (as opposed to only email). Visitors that don't login to a site for a while often forget their Username (and password) but most remember their email. The Username could be used for display - as it is now - to hide your email address, real name, etc.


*Edited to clarify (in red)...
Last edited by keith10456 on Mon May 26, 2014 3:47 am, edited 3 times in total.

User avatar
Master_Cylinder
Registered User
Posts: 361
Joined: Wed Jul 31, 2013 9:54 pm

Re: Login without password

Post by Master_Cylinder »

keith10456 wrote:-1

I don't want to go to my email in order to login... That's annoying.

I think a better solution would be to allow members to login with their email address. Visitors that don't login to a site for a while often forget their Username (and password) but most remember their email. The Username could be used for display - as it is now - to hide your email address, real name, etc.
-1 for me too.

If they can't remember their username/password they should use the email address to recover (or contact staff) it not login with it alone.
These kids today...
Buy them books, send them to school and what do they do?

They eat the paste. :lol:

User avatar
brunoais
Registered User
Posts: 964
Joined: Fri Dec 18, 2009 3:55 pm

Re: Login without password

Post by brunoais »

1 Question:
How do you avoid sending spam one-time login keys?

IP and cookies can be spoofed. So those are also out of question as the limiter.
Would it be that the login keys would have a steady expiration date?
Tokens should not last long, otherwise, it's not safe.

Also about spam:
Couldn't a malicious user abuse this and force the server to send multiple e-mails per second and allowing it to be classified as spam by the e-mail providers? Even if they limit the num of emails per hour per user to 1, systems with thousands of registered users are quite common.

That's what came to mind after reading that.

User avatar
Oyabun1
Former Team Member
Posts: 20
Joined: Thu Mar 31, 2011 9:48 am

Re: Login without password

Post by Oyabun1 »

A couple of points.

The article seems to assume people only have one email address. I don't think I know anyone that doesn't have multiple addresses. So, then it becomes a matter of remembering which particular address you used for a particular board. May not be much of an improvement.

You may no longer have access to the email account you used for a particular board, because it was compromised, the service provider no longer exists, or the account had been provided by a educational institution or employer you are no longer associated with, you wouldn't be able to login.

Therefore, it would probably need to be an optional system. Users click a button to choose how they want to login.
Master_Cylinder wrote:If they can't remember their username/password they should use the email address to recover
You can't on a standard board. You need both the username and email address to get a new password sent. If you don't have the username that matches either the email address or password you can not login nor reset the password.

User avatar
Master_Cylinder
Registered User
Posts: 361
Joined: Wed Jul 31, 2013 9:54 pm

Re: Login without password

Post by Master_Cylinder »

I thought we were adding a new password recovery system that only required the email address or the username; maybe I'm thinking of other SW...
These kids today...
Buy them books, send them to school and what do they do?

They eat the paste. :lol:

User avatar
callumacrae
Former Team Member
Posts: 1046
Joined: Tue Apr 27, 2010 9:37 am
Location: England
Contact:

Re: Login without password

Post by callumacrae »

Passwords are Obsolete

I was linked to this article by Troy Hunt, who knows far more about security than you or me do—it's probably not a bad idea.
Made by developers, for developers!
My blog

User avatar
Kamahl19
Registered User
Posts: 161
Joined: Thu Dec 27, 2007 10:31 am

Re: Login without password

Post by Kamahl19 »

I read that one too. Both these articles have a lot of good points and are pretty persuasive. Thats why I asked, if there would be an interest in this Ext or maybe it could be implemented in phpbb3.2 as optional way of logging in. Admin could choose if he wants to use passwords or not.

User avatar
brunoais
Registered User
Posts: 964
Joined: Fri Dec 18, 2009 3:55 pm

Re: Login without password

Post by brunoais »

Unfortunately, it does not approach the downsides :(.
I hope there's a nice article that tackles them because they are as important as the upsides!

Alien_Time
Registered User
Posts: 165
Joined: Fri Apr 05, 2013 3:38 am

Re: Login without password

Post by Alien_Time »

Yeah... the idea seems not too bad although I wouldnt use that method since it just creates an extra loop for users to login since they need to go back and forth from my website to their email address and back to my site to login. This can be a pain for some especially if they are browsing from public pcs where they arent logged into their email account on another tab. Also another reason why I wont use this because some email servers (especially Microsoft servers like Hotmail, Outlook, etc..) are very picky and filter a lot of websites as spam for no good reason. This happened to my site itself which doesnt have any bad reputation at all, no problems with any other email servers, neither do I spam nor is my site new. So I always have to add a note to users that they need to check for our email in their spam folder and unmark it as spam if they dont see it in their inbox. So keeping this in mind, having the login activation code sent to email address would end up having more problems than simplifying the login process since it relies on the email delivery success which itself isn't a guarantee.

However what I may like with this extension would be to use it as an add-on. Meaning, leaving the current login the way it is and users who prefer to use passwordless login can enable this extension from their UCP. It is always good to give more features to users in the end if its going to make their life easier. Since its a matter of preference, there should be an option for users to choose which method of login they want to use.

User avatar
Master_Cylinder
Registered User
Posts: 361
Joined: Wed Jul 31, 2013 9:54 pm

Re: Login without password

Post by Master_Cylinder »

I'd never give my cell phone number to a random website/forum to use instead of a password. Spam via email is bad enough without the spammers knowing how to text or call me too. I wish we didn't even need to use email addresses because I don't want to be contacted by email (nor cell phone) for those things either. I'd take passwords over sms/email but maybe as a 2 factor auth extension/option for admins/users that prefer it or something.
These kids today...
Buy them books, send them to school and what do they do?

They eat the paste. :lol:

Post Reply