by mmatants 5467 days ago
Companies like Hover have a user/password scenario unlike e.g. an email provider: users only visit their site one/two times a year (to renew a domain or whatever).

So I wonder if they should instead allow "authentication-by-email". Basically, make it work just like current reset emails (with an embedded randomized link that allows access), but prevent the link from expiring.

Obviously that suggestion has a lot of holes in it, too, but it's something to consider, especially since it's not a new idea.

Either way, it's a real amateur move to do away with hashing.


I love this idea. 90% of the time when I use a forgot password link, I'm really trying to auth-by-email. I'm not sure how it would work for reusable links, since that becomes auth-by-URL, which seems significantly less secure— maybe putting HTTP auth in the url would be less likely to be logged at any point?
Auth emails are like plaintext passwords. Best combo would be your public key stored on their server. Any future requests, they send you the PGP'd email.
Isn't this basically the same thing as e-mailing yourself your password?
Not if the link can time out or expire after X [days, minutes, seconds, etc.]. When I think of emailing myself the password, I think of storing it in plain text in my email account. When I think of authentication via email I think of a one-time-use link that allows me to log into a session.
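The "authentication-by-email" flow proposed in the original post, with the expiry and one-time-use properties the reply above asks for, as an added example that is not part of the thread or of Hover's implementation. The store is an in-memory dict keyed by the SHA-256 of the token (so a dump of the store cannot be replayed as a login link, which is the same reason passwords are hashed), the login endpoint URL is a placeholder, and the clock is injectable so the expiry path can be exercised offline. Setting `ttl_seconds=None` reproduces the non-expiring variant from the original post; the default keeps a short window.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode


class EmailLoginTokens:
    """Issue and redeem the random tokens embedded in 'log in by email' links.

    Constructed example. The raw token exists only in the email that was sent;
    the server keeps sha256(token), so neither a database dump nor a log of the
    store can be turned back into a working link.
    """

    def __init__(self, ttl_seconds=15 * 60, clock=time.time):
        # ttl_seconds=None reproduces the thread's non-expiring proposal.
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for tests; defaults to the wall clock
        self._store = {}  # sha256(token) -> [account, expires_at, used]

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account):
        """Return a fresh token for `account`; the caller emails it as a link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = None if self.ttl is None else self.clock() + self.ttl
        self._store[self._digest(token)] = [account, expires_at, False]
        return token

    def login_link(self, account, base="https://example.invalid/login"):
        # Hypothetical endpoint; only the query-string format matters here.
        return base + "?" + urlencode({"token": self.issue(account)})

    def redeem(self, token):
        """Return the account for a valid token and burn it, else None."""
        rec = self._store.get(self._digest(token))
        if rec is None:
            return None  # unknown, forged or malformed token
        account, expires_at, used = rec
        if used:
            return None  # replay of a link that already logged someone in
        if expires_at is not None and self.clock() > expires_at:
            return None  # the window closed; the link is now just noise
        rec[2] = True  # single use: burn before handing out the session
        return account


if __name__ == "__main__":
    now = [1_700_000_000.0]
    tokens = EmailLoginTokens(ttl_seconds=60, clock=lambda: now[0])
    link = tokens.login_link("alice@example.com")
    print("emailed   :", link)
    token = link.split("token=")[1]
    print("first use :", tokens.redeem(token))   # alice@example.com
    print("second use:", tokens.redeem(token))   # None (single use)
    token = tokens.issue("bob@example.com")
    now[0] += 61
    print("after ttl :", tokens.redeem(token))   # None (expired)
```

Note what this does and does not address: an expiring, single-use, hashed-at-rest token limits the damage from a leaked mailbox or database, but it does nothing about the transport concern raised further down the thread, since the token still travels in a plaintext email.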
Email is sent in plaintext. It'd be easy enough for an attacker to request an email authentication (which it then sniffs in transit). Expiry time doesn't help much.

Email auth really should be done as Joakal says - your public key stored on their server when you sign up, email auth is encrypted. Trouble is, it's "too hard" for "normal people". If gmail/outlook etc supported it, though, it could catch on.

We're starting out from the position that my email is the keys to my digital castle... good or bad as that may be, if someone can reliably sniff my email in transit they already own my life.
In the same way that forgot password links are. The key difference is that the token expires on its own.
wouldn't oauth (by gmail perhaps?) be a better solution to this?
It is oauth for all intents and purposes— a third party (your email server) authenticates you as the owner of the email address and passes you a secure token.

It's worse in some ways (control, usability, security) and better in others (simpler technologically, everyone has it).

Thanks for the great idea! We implemented this in Hover, details here: http://help.hover.com/2011/07/08/hover-adds-no-hassle-sign-i...