EDIT: In fact, Persona goes one better. Persona has the browser act as an intermediary between your e-mail provider and the site that you're logging in to, so that the e-mail provider doesn't get to see the source of the authentication request, and the site that you're authenticating with doesn't get any further details beyond your e-mail address.
The intermediary part is a blessing and a curse. If the site you're logging into doesn't directly verify with your email provider, then if anyone gets your temporary signing token they can log in anywhere you use Persona, and you have no way to revoke it or even prevent future ones until the token expires naturally. Even if this is mere seconds, it's plenty of time for a scripted attack to try hundreds or thousands of sites[1].
This is noticeably unlike OpenID / OAuth[2] / many name/password systems, where you can revoke access to specific tokens / sites on the ID provider, and where many username/password sites reject all old cookies after you change your password. Anyone with your token / cookie / etc will immediately lose access with this, and the provider can prevent new sites from using old login info.
[1]: and remember that they don't "phone home" to the Persona provider, so there can't be any rate limiting. virus -> botnet -> millions within seconds is totally possible, if unlikely and costly.
[2]: yeah, OAuth ain't an ID system. same basic structure though.
> the site that you're authenticating with doesn't get any further details beyond your e-mail address
But Mozilla's servers (or the email provider, but I don't expect to see any significant uptake of this feature) get information in the HTTP requests, whether they like it or not, and they're based in the US.
Right now, our fallback identity provider (for email providers without native support) requires that people set a password to avoid having to confirm their email every time. However, we're currently exploring the idea of making the password optional and letting users click an email link at every login, just like the author of that article suggests.
I don't think it works for everyone, for example some people read their email on a different device, but it would certainly work for those who always keep their webmail open in a tab.
I've implemented a site before that did exactly that, because logins would be very infrequent so users were probably just forget a password anyway. It worked great.
BUT, it would drive me nuts if I had to do that every time I logged into my bank, for example, because sometimes e-mails take 1-2 min to arrive, very occasionally even half an hour. They get queued up somewhere along the way, who knows -- maybe the spam filter's being overloaded. Sometimes your organization's e-mail simply goes down. Sometimes your webmail goes down. Heck, sometimes your e-mail gets inadvertently disabled.
If it were instantaneous, and your e-mail account always worked perfectly, then it would be great. But the way things are set up right now... this isn't a viable option for a lot of sites. And it's certainly not going to replace your e-mail password ;)
> "sometimes e-mails take 1-2 min to arrive, very occasionally even half an hour"
That's because SMTP (the protocol that moves email around) doesn't guarantee delivery in any specific time period. Many MTAs (message transfer agents) are configured by default use retry intervals measured in minutes, not seconds.
Relying on email for authentication means asking your users to wait minutes, not seconds, and asking users to wait minutes to get logged in to your website is horrible usability.
...sometimes your email provider could temporarily be on some block list
For the most part I consider email to be unreliable. There are simply too many things that can go wrong. I'm also amazed that there hasn't been some kind of messaging protocol to replace the damn thing (throw it on top of http even). I guess spam really ruined it for everyone.
I found my experience with Fork the Cookbook[0] the same as well.
Also, add to the fact that this is a novel method, I get a lot of emails asking why they get new passwords everytime. If I were to rewrite FtC today, I'd go with Persona.
And believe it or not, some people do not use, like, or trust Facebook or Twitter.
Yup, I'm one of those people.
I don't use Facebook, and it's unreasonable to expect me to sign up for a Facebook account so that I can use your service.
I do use Twitter, but I'd rather not share my account details (even just the username) with someone I've just met.
I've always thought that being able to explore the web of information out there about me was kind of creepy, and I'm not about to make it easier for someone to do by creating connections between the accounts I have with disparate service providers. I like when my data is siloed, and only shared on my terms, with my explicit consent.
Not only that but facebook may block your account at a whim. Happened to me once for posting 'explicit pictures'. The picture was not even explicit, apparently something tripped their automatic 'skin detection system'. But the result ? I couldn't log into any 'facebook connected' sites.
Better to create separate accounts on each site and minimize dependencies. Also, if you lose your facebook password, it's just your facebook account that'll potentially get affected.
From a user experience point of view, it's much more effort (at least 3 clicks more) to have to open an email client, open an email, and click a link, as opposed to just entering a password.
Also as airlinenut mentioned, it would allow others to send you an annoying email just by entering your email address, and any methods to prevent this (captcha etc) will just make it even harder for the user.
People sending you annoying emails with this method is not really an issue as anyone that knows your email can (and does) find easy ways to annoy you (spam, phishing, chain letters etc.). I do agree however that the user experience is a deal breaker. I'd rather enter a password than open a client and wait for an email to arrive just so I can log in.
This sentence implies to me that under the current system, sites need cryptography, because sending login information in plaintext is not secure enough.
...and that the solution is to use email, because we already treat it as if it's secure.
...even though it sends the data in plaintext.
Okay, so most end-users probably accesses their email via https these days, but it's a (potentially) long journey from the website to the email provider's server.
Is any of that server-to-server journey ever encrypted? I'm no expert, but my impression has always been that it's not.
> Is any of that server-to-server journey ever encrypted?
It can be, thanks to RFC 3207 (STARTTLS).
However, unless you configure your sending MTA to require TLS (and in turn give up the ability to send email to a large swath of the internet) you have no protection against a MITM adversary hiding the recipient's advertisement of STARTTLS.
A key difference here is that the proposal is to send a short-lived login token via email. Even if this is intercepted the attacker will not be able to do much before getting caught -- the window is going to be less than a minute. After that the token is a cookie stored on the user's computer.
It is also worth pointing out that a number of sites allow passwords to be reset via email, and so an attacker who can read your email can potentially gain access anyway.
I tried a similar approach on https://www.moraleapp.com with mixed results. It makes sense for a manager/boss to have an account, but I didn't want to have every team member sign up for yet another service. So each email sent out gets a randomly generated token that allows the recipient to "log in" (all responses are anonymous, each sent email has a token - not each email address). I think the idea is really great and helps with adoption within a team, but it has also led to some confusion because there is also a traditional Login page.
My take-away is that it is probably better to go all-in on one approach (all email-based or regular logins) than a half measure. It is kind of interesting because it seems to cause trouble for users that are semi-technical; the ones that know how a username/login works in general, but are thrown for a loop with this whole "email is how you login to our special app!" thing. Super technical users understand and super newbies don't really seem to notice, but those middle ground users are a bit confused.
I guess it is as good as sending an email with a link to reset a password. In theory, the link that gives you access to your account couldn't be used after X minutes and could be use only once, making it useless for future attempts.
Allow the user to sign in with their password, if they cannot remember their password or would rather sign in with their email then allow them to receive an email containing a token that logs them in. From their account settings they can change their password.
Since virtually every service has a 'forgot password' option, all the OP is suggesting is to formalize this as a default login process for second tier services that are too much of a bother to keep track of.
The net positive, if this were implemented across the board, is that users would focus their efforts on securing a few high value accounts, versus reusing the same password across dozens of low value accounts (chain, meet weakest link).
This is actually the same method we use for logins, when the cookie is absent or expired, at a forum I'm currently running. They get sent a unique login token that expires in a few minutes (or is force expired if they request a resend of the login token) and get presented a CAPTCHA after following the link if they've already tried a few times.
Login email delay increases exponentially with each request.
You could have one email account in which case it becomes the single point of failure / attack and you are only as secure as that email provider.
Or you have multiple email accounts in which case you have multiple email account passwords to remember manage. You might as well have multiple site passwords
> It would tremendously simplify for services. They now need not implement any cryptography.
Uhh.. I sure hope the cookie tokens are not stored directly on the server-side, but rather verified against a (cryptographic) hash of same. These credentials are as valuable to an attacker as a password (albeit relatively short-lived).
Besides the problems with email delivery speeds, which tend to make this frustrating in reality, this also has the problem of being different. And users don't really want to deal with different just to log in to your site. They know userid + password, and there is no learning curve.
I don't know if I would trust this as the sole authentication method for any of my online accounts, but this could be useful as a multi-factor authentication method instead.
[+] [-] quanticle|12 years ago|reply
EDIT: In fact, Persona goes one better. Persona has the browser act as an intermediary between your e-mail provider and the site that you're logging in to, so that the e-mail provider doesn't get to see the source of the authentication request, and the site that you're authenticating with doesn't get any further details beyond your e-mail address.
[1] http://www.mozilla.org/en-US/persona/
[+] [-] Groxx|12 years ago|reply
This is noticeably unlike OpenID / OAuth[2] / many name/password systems, where you can revoke access to specific tokens / sites on the ID provider, and where many username/password sites reject all old cookies after you change your password. Anyone with your token / cookie / etc will immediately lose access with this, and the provider can prevent new sites from using old login info.
[1]: and remember that they don't "phone home" to the Persona provider, so there can't be any rate limiting. virus -> botnet -> millions within seconds is totally possible, if unlikely and costly.
[2]: yeah, OAuth ain't an ID system. same basic structure though.
[+] [-] benatkin|12 years ago|reply
But Mozilla's servers (or the email provider, but I don't expect to see any significant uptake of this feature) get information in the HTTP requests, whether they like it or not, and they're based in the US.
[+] [-] fmarier|12 years ago|reply
Right now, our fallback identity provider (for email providers without native support) requires that people set a password to avoid having to confirm their email every time. However, we're currently exploring the idea of making the password optional and letting users click an email link at every login, just like the author of that article suggests.
I don't think it works for everyone, for example some people read their email on a different device, but it would certainly work for those who always keep their webmail open in a tab.
[+] [-] bapi|12 years ago|reply
[+] [-] crazygringo|12 years ago|reply
BUT, it would drive me nuts if I had to do that every time I logged into my bank, for example, because sometimes e-mails take 1-2 min to arrive, very occasionally even half an hour. They get queued up somewhere along the way, who knows -- maybe the spam filter's being overloaded. Sometimes your organization's e-mail simply goes down. Sometimes your webmail goes down. Heck, sometimes your e-mail gets inadvertently disabled.
If it were instantaneous, and your e-mail account always worked perfectly, then it would be great. But the way things are set up right now... this isn't a viable option for a lot of sites. And it's certainly not going to replace your e-mail password ;)
[+] [-] bradleyland|12 years ago|reply
That's because SMTP (the protocol that moves email around) doesn't guarantee delivery in any specific time period. Many MTAs (message transfer agents) are configured by default use retry intervals measured in minutes, not seconds.
Relying on email for authentication means asking your users to wait minutes, not seconds, and asking users to wait minutes to get logged in to your website is horrible usability.
[+] [-] yogo|12 years ago|reply
For the most part I consider email to be unreliable. There are simply too many things that can go wrong. I'm also amazed that there hasn't been some kind of messaging protocol to replace the damn thing (throw it on top of http even). I guess spam really ruined it for everyone.
[+] [-] zzzcpan|12 years ago|reply
[+] [-] chewxy|12 years ago|reply
Also, add to the fact that this is a novel method, I get a lot of emails asking why they get new passwords everytime. If I were to rewrite FtC today, I'd go with Persona.
[0] http://forkthecookbook.com
[+] [-] duck|12 years ago|reply
[+] [-] brianwillis|12 years ago|reply
Yup, I'm one of those people.
I don't use Facebook, and it's unreasonable to expect me to sign up for a Facebook account so that I can use your service.
I do use Twitter, but I'd rather not share my account details (even just the username) with someone I've just met.
I've always thought that being able to explore the web of information out there about me was kind of creepy, and I'm not about to make it easier for someone to do by creating connections between the accounts I have with disparate service providers. I like when my data is siloed, and only shared on my terms, with my explicit consent.
[+] [-] ashray|12 years ago|reply
Better to create separate accounts on each site and minimize dependencies. Also, if you lose your facebook password, it's just your facebook account that'll potentially get affected.
[+] [-] refrigerator|12 years ago|reply
From a user experience point of view, it's much more effort (at least 3 clicks more) to have to open an email client, open an email, and click a link, as opposed to just entering a password.
Also as airlinenut mentioned, it would allow others to send you an annoying email just by entering your email address, and any methods to prevent this (captcha etc) will just make it even harder for the user.
[+] [-] greensand|12 years ago|reply
[+] [-] biggfoot|12 years ago|reply
[+] [-] lkbm|12 years ago|reply
This sentence implies to me that under the current system, sites need cryptography, because sending login information in plaintext is not secure enough.
...and that the solution is to use email, because we already treat it as if it's secure.
...even though it sends the data in plaintext.
Okay, so most end-users probably accesses their email via https these days, but it's a (potentially) long journey from the website to the email provider's server.
Is any of that server-to-server journey ever encrypted? I'm no expert, but my impression has always been that it's not.
[+] [-] prutschman|12 years ago|reply
It can be, thanks to RFC 3207 (STARTTLS).
However, unless you configure your sending MTA to require TLS (and in turn give up the ability to send email to a large swath of the internet) you have no protection against a MITM adversary hiding the recipient's advertisement of STARTTLS.
[+] [-] betterunix|12 years ago|reply
It is also worth pointing out that a number of sites allow passwords to be reset via email, and so an attacker who can read your email can potentially gain access anyway.
[+] [-] swanson|12 years ago|reply
My take-away is that it is probably better to go all-in on one approach (all email-based or regular logins) than a half measure. It is kind of interesting because it seems to cause trouble for users that are semi-technical; the ones that know how a username/login works in general, but are thrown for a loop with this whole "email is how you login to our special app!" thing. Super technical users understand and super newbies don't really seem to notice, but those middle ground users are a bit confused.
[+] [-] parsnips|12 years ago|reply
[+] [-] eberfreitas|12 years ago|reply
[+] [-] zippergz|12 years ago|reply
[+] [-] Kequc|12 years ago|reply
This is already how most websites work isn't it?
[+] [-] zzzcpan|12 years ago|reply
[+] [-] yuliyp|12 years ago|reply
[+] [-] brianmcconnell|12 years ago|reply
The net positive, if this were implemented across the board, is that users would focus their efforts on securing a few high value accounts, versus reusing the same password across dozens of low value accounts (chain, meet weakest link).
[+] [-] eksith|12 years ago|reply
Login email delay increases exponentially with each request.
[+] [-] unknown|12 years ago|reply
[deleted]
[+] [-] duck|12 years ago|reply
[+] [-] ripvanwinkle|12 years ago|reply
You could have one email account in which case it becomes the single point of failure / attack and you are only as secure as that email provider.
Or you have multiple email accounts in which case you have multiple email account passwords to remember manage. You might as well have multiple site passwords
[+] [-] daave|12 years ago|reply
Uhh.. I sure hope the cookie tokens are not stored directly on the server-side, but rather verified against a (cryptographic) hash of same. These credentials are as valuable to an attacker as a password (albeit relatively short-lived).
[+] [-] capex|12 years ago|reply
[+] [-] smackfu|12 years ago|reply
[+] [-] alexsmolen|12 years ago|reply
[+] [-] samweinberg|12 years ago|reply
[+] [-] MaxGabriel|12 years ago|reply