by kcima
5231 days ago
Authentication on most of the web is directly connected with an email address. If you have access to an account's email, then you can have access to the account. Since most people have their email always open, or at least a click or two away from being open, why not skip the password creation altogether? Users are presented with an email field and a button saying something like, "Send me a key to login". An email is sent that contains a direct login link with a temporary token. Login tokens would quickly expire, but cookies could keep the user logged in to the site for extended periods of time. This would be as secure as any password reset system, without having to go through the hassle of setting and remembering a password. It also prevents users from creating weak passwords or using the same password across many sites.
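The issue-and-redeem flow the post describes, written out as an added example (this is not code from the post or from any site it refers to). It assumes an in-memory dict standing in for the database table of pending logins, a hypothetical `https://example.invalid/login` endpoint, and a 15-minute token lifetime; the points it shows beyond the post are that only a hash of the token is stored, that a token is rejected once it is expired or already used, and that the random token carries enough entropy that guessing is not practical.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed in-memory store standing in for a database table.
# Maps sha256(token) -> {"email": ..., "expires_at": ..., "used": ...}
_pending_logins = {}

TOKEN_TTL_SECONDS = 15 * 60   # assumption: login links expire after 15 minutes
LOGIN_ENDPOINT = "https://example.invalid/login"   # hypothetical URL


def _hash_token(token: str) -> str:
    # Store only the hash: a leaked table does not yield usable login links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_login_link(email: str, now: float = None) -> str:
    """Create a single-use token for `email` and return the link to put in the mail."""
    now = time.time() if now is None else now
    # 32 random bytes (256 bits) rendered URL-safe; the server never sees it again
    # except inside the link the user clicks.
    token = secrets.token_urlsafe(32)
    _pending_logins[_hash_token(token)] = {
        "email": email,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return f"{LOGIN_ENDPOINT}?token={token}"


def token_from_link(link: str) -> str:
    """Extract the token query parameter from a link produced by issue_login_link."""
    return parse_qs(urlparse(link).query)["token"][0]


def redeem_login_token(token: str, now: float = None):
    """Return the email to log in as, or None if the token is unknown, expired, or used.

    The dict lookup is by the token's hash; because the token is 256 random bits,
    an attacker cannot get close enough to a valid value for timing to matter.
    """
    now = time.time() if now is None else now
    record = _pending_logins.get(_hash_token(token))
    if record is None:
        return None
    if record["used"] or now > record["expires_at"]:
        return None
    # Single use: a replayed or forwarded link does nothing after the first click.
    record["used"] = True
    return record["email"]


if __name__ == "__main__":
    link = issue_login_link("alice@example.com")
    print("mail this link:", link)
    print("first redeem :", redeem_login_token(token_from_link(link)))
    print("second redeem:", redeem_login_token(token_from_link(link)))
```

After a successful redeem the application would create its normal session cookie; that part is unchanged from a password login, which is why the post can claim the scheme is no weaker than a password reset.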
Also, if all you need is an email to log in, if my email is compromised I have little to no indication that the offender has logged into that service if they delete the email. With the current web standards, if someone reset my password via email I would no longer be able to log into the account. With your suggestion, my email could be compromised, services could be logged into and I would have no indication.
Some of these problems could be solved, but I'd say the biggest problem now is that it's very far removed from typical web standards.
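The reply's concern is that the only evidence of a login lives in a mailbox the intruder controls. One mitigation a service can apply on its own side is to keep a login history and flag logins from devices it has not seen for that account, so the record survives even if the email is deleted. The code below is an added example illustrating that idea; it is not from the thread or any product, and it assumes an in-memory dict as the history store and uses the client IP plus user agent as a constructed stand-in for a device fingerprint.

```python
import time
from dataclasses import dataclass

@dataclass
class LoginEvent:
    email: str
    ip: str
    user_agent: str
    at: float
    familiar: bool   # False when this ip/user-agent pair has not logged in before


# Constructed in-memory store: email -> list of LoginEvent
_login_history = {}


def record_login(email: str, ip: str, user_agent: str, now: float = None) -> LoginEvent:
    """Append a login to the account's server-side history and say whether the device is new."""
    now = time.time() if now is None else now
    history = _login_history.setdefault(email, [])
    # Assumption: (ip, user_agent) approximates "same device"; a real service
    # would use a longer-lived device cookie or similar.
    familiar = any(e.ip == ip and e.user_agent == user_agent for e in history)
    event = LoginEvent(email, ip, user_agent, now, familiar)
    history.append(event)
    return event


def recent_logins(email: str, limit: int = 10):
    """Newest-first list the account owner can review inside the service itself."""
    return sorted(_login_history.get(email, []), key=lambda e: e.at, reverse=True)[:limit]


def needs_out_of_band_notice(event: LoginEvent) -> bool:
    """An unfamiliar device is the case the reply worries about; the service should
    surface it somewhere a mailbox intruder cannot erase (in-app banner, second channel)."""
    return not event.familiar


if __name__ == "__main__":
    record_login("alice@example.com", "203.0.113.5", "Firefox")
    e = record_login("alice@example.com", "198.51.100.9", "curl")
    print("unfamiliar device:", needs_out_of_band_notice(e))
    for ev in recent_logins("alice@example.com"):
        print(ev)
```

This does not remove the underlying dependency on the mailbox; it only ensures the service keeps its own trail so the owner has something to check and the operator has something to investigate.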