-1
I don't want to go to my email in order to login... That's annoying.
I think a better solution would be to allow members to login with their email address and password (as opposed to only email). Visitors that don't login to a site for a while often forget their Username (and password) but most remember their email. The Username could be used for display - as it is now - to hide your email address, real name, etc.
*Edited to clarify (in red)...
Login without password
Forum rules
Please do not post any "phpBB" specific topics here unless they do not fit into the category above.
Do not post bug reports, feature or support requests! No really... Do not post bug reports, feature or support requests! Doing so will make Bertie a very sad bear indeed. :(
Please do not post any "phpBB" specific topics here unless they do not fit into the category above.
Do not post bug reports, feature or support requests! No really... Do not post bug reports, feature or support requests! Doing so will make Bertie a very sad bear indeed. :(
-
- Registered User
- Posts: 523
- Joined: Sat Apr 22, 2006 10:29 pm
- Contact:
Re: Login without password
Last edited by keith10456 on Mon May 26, 2014 3:47 am, edited 3 times in total.
- Master_Cylinder
- Registered User
- Posts: 361
- Joined: Wed Jul 31, 2013 9:54 pm
Re: Login without password
-1 for me too.keith10456 wrote:-1
I don't want to go to my email in order to login... That's annoying.
I think a better solution would be to allow members to login with their email address. Visitors that don't login to a site for a while often forget their Username (and password) but most remember their email. The Username could be used for display - as it is now - to hide your email address, real name, etc.
If they can't remember their username/password they should use the email address to recover (or contact staff) it not login with it alone.
These kids today...
Buy them books, send them to school and what do they do?
They eat the paste.
Buy them books, send them to school and what do they do?
They eat the paste.
Re: Login without password
1 Question:
How do you avoid sending spam one-time login keys?
IP and cookies can be spoofed. So those are also out of question as the limiter.
Would it be that the login keys would have a steady expiration date?
Tokens should not last long, otherwise, it's not safe.
Also about spam:
Couldn't a malicious user abuse this and force the server to send multiple e-mails per second and allowing it to be classified as spam by the e-mail providers? Even if they limit the num of emails per hour per user to 1, systems with thousands of registered users are quite common.
That's what came to mind after reading that.
How do you avoid sending spam one-time login keys?
IP and cookies can be spoofed. So those are also out of question as the limiter.
Would it be that the login keys would have a steady expiration date?
Tokens should not last long, otherwise, it's not safe.
Also about spam:
Couldn't a malicious user abuse this and force the server to send multiple e-mails per second and allowing it to be classified as spam by the e-mail providers? Even if they limit the num of emails per hour per user to 1, systems with thousands of registered users are quite common.
That's what came to mind after reading that.
Re: Login without password
A couple of points.
The article seems to assume people only have one email address. I don't think I know anyone that doesn't have multiple addresses. So, then it becomes a matter of remembering which particular address you used for a particular board. May not be much of an improvement.
You may no longer have access to the email account you used for a particular board, because it was compromised, the service provider no longer exists, or the account had been provided by a educational institution or employer you are no longer associated with, you wouldn't be able to login.
Therefore, it would probably need to be an optional system. Users click a button to choose how they want to login.
The article seems to assume people only have one email address. I don't think I know anyone that doesn't have multiple addresses. So, then it becomes a matter of remembering which particular address you used for a particular board. May not be much of an improvement.
You may no longer have access to the email account you used for a particular board, because it was compromised, the service provider no longer exists, or the account had been provided by a educational institution or employer you are no longer associated with, you wouldn't be able to login.
Therefore, it would probably need to be an optional system. Users click a button to choose how they want to login.
You can't on a standard board. You need both the username and email address to get a new password sent. If you don't have the username that matches either the email address or password you can not login nor reset the password.Master_Cylinder wrote:If they can't remember their username/password they should use the email address to recover
- Master_Cylinder
- Registered User
- Posts: 361
- Joined: Wed Jul 31, 2013 9:54 pm
Re: Login without password
I thought we were adding a new password recovery system that only required the email address or the username; maybe I'm thinking of other SW...
These kids today...
Buy them books, send them to school and what do they do?
They eat the paste.
Buy them books, send them to school and what do they do?
They eat the paste.
- callumacrae
- Former Team Member
- Posts: 1046
- Joined: Tue Apr 27, 2010 9:37 am
- Location: England
- Contact:
Re: Login without password
Passwords are Obsolete
I was linked to this article by Troy Hunt, who knows far more about security than you or me do—it's probably not a bad idea.
I was linked to this article by Troy Hunt, who knows far more about security than you or me do—it's probably not a bad idea.
Re: Login without password
I read that one too. Both these articles have a lot of good points and are pretty persuasive. Thats why I asked, if there would be an interest in this Ext or maybe it could be implemented in phpbb3.2 as optional way of logging in. Admin could choose if he wants to use passwords or not.
Re: Login without password
Unfortunately, it does not approach the downsides
.
I hope there's a nice article that tackles them because they are as important as the upsides!
I hope there's a nice article that tackles them because they are as important as the upsides!
-
- Registered User
- Posts: 165
- Joined: Fri Apr 05, 2013 3:38 am
Re: Login without password
Yeah... the idea seems not too bad although I wouldnt use that method since it just creates an extra loop for users to login since they need to go back and forth from my website to their email address and back to my site to login. This can be a pain for some especially if they are browsing from public pcs where they arent logged into their email account on another tab. Also another reason why I wont use this because some email servers (especially Microsoft servers like Hotmail, Outlook, etc..) are very picky and filter a lot of websites as spam for no good reason. This happened to my site itself which doesnt have any bad reputation at all, no problems with any other email servers, neither do I spam nor is my site new. So I always have to add a note to users that they need to check for our email in their spam folder and unmark it as spam if they dont see it in their inbox. So keeping this in mind, having the login activation code sent to email address would end up having more problems than simplifying the login process since it relies on the email delivery success which itself isn't a guarantee.
However what I may like with this extension would be to use it as an add-on. Meaning, leaving the current login the way it is and users who prefer to use passwordless login can enable this extension from their UCP. It is always good to give more features to users in the end if its going to make their life easier. Since its a matter of preference, there should be an option for users to choose which method of login they want to use.
However what I may like with this extension would be to use it as an add-on. Meaning, leaving the current login the way it is and users who prefer to use passwordless login can enable this extension from their UCP. It is always good to give more features to users in the end if its going to make their life easier. Since its a matter of preference, there should be an option for users to choose which method of login they want to use.
- Master_Cylinder
- Registered User
- Posts: 361
- Joined: Wed Jul 31, 2013 9:54 pm
Re: Login without password
I'd never give my cell phone number to a random website/forum to use instead of a password. Spam via email is bad enough without the spammers knowing how to text or call me too. I wish we didn't even need to use email addresses because I don't want to be contacted by email (nor cell phone) for those things either. I'd take passwords over sms/email but maybe as a 2 factor auth extension/option for admins/users that prefer it or something.
These kids today...
Buy them books, send them to school and what do they do?
They eat the paste.
Buy them books, send them to school and what do they do?
They eat the paste.