by d64f396930663ee 4526 days ago
No, I don't get the idea. If I'm requesting a token for a certain user, how can the server reliably determine if I actually am that user? If it just authenticates every request, what's the point of even having a password?
4 comments

A new "password" is sent to you over a secure channel you control each time you log in.

For example, say your session has timed out. You click the log in button and provide your username, and a couple of moments later you receive an email with a one-time-use link that you click to take you back to the site and log you in.

Another example: you click log in and provide your username. A few moments later you receive a text message with a 6-7 character one-time-use token that you type into a text field on the web site. The web site then logs you in.

In both cases the login requires that you have immediate access to a secure channel you specified at the time you set up the account. The token or link provided via those channels is only valid for a single use and, if left unused, expires in a fairly brief period regardless.

"a text message" is not a secure channel.
No, but for many use cases it's secure enough. Especially when you consider the tokens are short-lived and single-use.
"delivered over the channel of your choosing" is the key phrase, where that channel is usually email. Essentially, they've defined "User A" as "people with access to email address B" instead of the more standard "people who know password C".
Assume the channel delivering the token is email. Then to log in you provide your user ID or email, identifying who you are, and they immediately email you a token (or link containing the token) to log in with.
OK, never mind. I get it now, it's just emailing you a new token every time you want to use the site, or something like that. It's just such a terrible idea I couldn't wrap my mind around it. Who would ever want to use a website like this?
That's kind of a stretch. There might be valid issues with the approach, but it isn't as mind-numbingly terrible as you're suggesting. You'd just authenticate new devices/browsers every time you needed to--you wouldn't be doing it every time you used the site.
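The server side of the flow the earlier comments describe (a fresh single-use token sent over the registered email or SMS channel, stored only as a hash, expiring if unused) plus the point just made about only re-authenticating new devices, as an added example; this is not code from the thread or from any site mentioned in it. The 15-minute token lifetime, the 30-day device session, the account `alice`, the address `alice@example.invalid` and the in-memory outbox are all constructed assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed policy values (hypothetical; the thread only says "fairly brief").
TOKEN_TTL_SECONDS = 15 * 60              # an unused login token expires after 15 minutes
DEVICE_SESSION_TTL_SECONDS = 30 * 86400  # a verified device stays logged in for 30 days


def _digest(secret: str) -> str:
    """Store only a hash of each token, so a leaked table does not leak live logins."""
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class PendingToken:
    user_id: str
    expires_at: float


class MagicLinkAuth:
    """Password-less login: a fresh single-use token goes out over a channel the user
    registered (email or SMS); redeeming it yields a long-lived device session."""

    def __init__(self, send: Callable[[str, str], None], clock: Callable[[], float] = time.time):
        self._send = send    # delivery channel: send(address, token)
        self._clock = clock  # injectable so expiry can be exercised deterministically
        self._users: Dict[str, str] = {}                    # user_id -> registered address
        self._pending: Dict[str, PendingToken] = {}         # sha256(token) -> pending login
        self._sessions: Dict[str, Tuple[str, float]] = {}   # sha256(session) -> (user, expiry)

    def register(self, user_id: str, address: str) -> None:
        self._users[user_id] = address

    def request_login(self, user_id: str) -> None:
        """Step 1: the user types only a username; a new token goes out over their channel.
        Unknown users get the same silent response, so the endpoint does not enumerate accounts."""
        address = self._users.get(user_id)
        if address is None:
            return
        token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG: not guessable
        self._pending[_digest(token)] = PendingToken(user_id, self._clock() + TOKEN_TTL_SECONDS)
        self._send(address, token)

    def redeem(self, token: str) -> Optional[str]:
        """Step 2: the link is clicked (or the code typed). Returns a device session token on
        success, None otherwise. The pending entry is removed on any attempt, so a token can
        neither be replayed nor used after its expiry."""
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return None
        now = self._clock()
        if now > entry.expires_at:
            return None
        session = secrets.token_urlsafe(32)
        self._sessions[_digest(session)] = (entry.user_id, now + DEVICE_SESSION_TTL_SECONDS)
        return session

    def user_for_session(self, session: str) -> Optional[str]:
        """Later visits present the device session cookie; no email round-trip is needed
        until it expires or is revoked."""
        record = self._sessions.get(_digest(session))
        if record is None:
            return None
        user_id, expires_at = record
        if self._clock() > expires_at:
            del self._sessions[_digest(session)]
            return None
        return user_id


def demo() -> dict:
    """Walks the flow with a constructed in-memory 'email' outbox and a fake clock."""
    outbox = []
    now = [1_000_000.0]
    auth = MagicLinkAuth(send=lambda addr, tok: outbox.append((addr, tok)), clock=lambda: now[0])
    auth.register("alice", "alice@example.invalid")  # constructed sample account

    auth.request_login("alice")
    token = outbox[-1][1]
    session = auth.redeem(token)   # first click: logs the device in
    replay = auth.redeem(token)    # second click: rejected, the token was single-use

    auth.request_login("alice")
    stale = outbox[-1][1]
    now[0] += TOKEN_TTL_SECONDS + 1  # let the unused token expire
    expired = auth.redeem(stale)

    auth.request_login("nobody")   # unregistered user: nothing is sent
    return {
        "session_user": auth.user_for_session(session) if session else None,
        "replay_rejected": replay is None,
        "expired_rejected": expired is None,
        "messages_sent": len(outbox),
    }


if __name__ == "__main__":
    print(demo())
```

The token store keys on a hash rather than the raw token, so the dictionary lookup itself is the comparison and the database never holds a value that could be replayed if it leaked. Because the pending entry is popped on the first redeem attempt, an expired or already-used link fails closed with no extra bookkeeping; the device session returned on success is what makes the email step a per-device event rather than a per-visit one.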
I like the idea of getting a text message on your phone with a very quickly expiring key (60 seconds), or having an authentication app like Google's, which works for a bunch of websites. I do admit, even that's kind of annoying. That's why I started using a password manager.
It's exactly how 2-factor authentication works for banking sites such as Bank of America and Chase.