This entire article assumes that "it is pretty inconvenient to have to put every single one of them into a password manager" and then goes on to make the case that it's preferable to check your email account or phone for a temporary password???
Just from a UX perspective - security aspects aside - this is worse by a magnitude. Password managers are nowadays a single click in your browser. Use them.
My issue with how things work currently is that logging into a native mobile app is not nearly as easy as logging into a website. That process has to improve. That's why I like logging in with Facebook, Twitter or GitHub.
Still what I would prefer is a single trustworthy service which does not compromise my privacy for the purpose of advertising. I could use that service to log into any service which would integrate with this single service to get a one-time password to the user on the computer or mobile device they are using.
As the user I would be able to use a mobile app and browser plugins to get the one-time password to conveniently log in with as few steps as possible.
> Just from a UX perspective - security aspects aside - this is worse by a magnitude.
This is not true, clicking a link in an email, or copying a number from an SMS is much easier than first logging into my password manager, finding the entry and then copying it into the field.
Also, this works for apps as well, not just the browser.
Besides, password manager usage might still be quite low. So what the writer advocates is not less secure than having a single password for almost all their websites, like most people have.
The writer is also incorrect about the nature of obsolescence. Something only becomes obsolete when a better system prevails and the old system falls out of use.
This has not happened, and if it ever does it probably won't look anything like what the author proposes.
Wait, what? So instead of entering a password, a password is sent to me via text message or email with a temporary code, sort of like two-factor authentication without the two-factor?
So how do I login to my email account for example if I need to login first to my email and get the temporary password? It's a chicken and egg problem. I can't login to my email to get my temporary code, but I am trying to login to my email.
Somewhat flawed idea in theory, even more horrible in practice. I hope this doesn't become a real thing. I will refuse to use any site that implements this flawed passwordless solution.
> sort of like two-factor authentication without the two-factor?
If you don't have 2-factor, which most sites don't, then it is 1-factor. This is replacing that 1-factor with another 1-factor.
> So how do I login to my email account for example if I need to login first to my email and get the temporary password? It's a chicken and egg problem.
You are taking him too literally. While he did say it could replace passwords, he obviously didn't mean email auth. Email auth would probably still require a password. Since many have their email password saved, they may not usually have to enter that anyway, most of the time.
> Somewhat flawed idea in theory, even more horrible in practice. I hope this doesn't become a real thing. I will refuse to use any site that implements this flawed passwordless solution.
You've not presented any valid argument against it. Why is it flawed? If it is horrible in practice then why do many companies use SMS as secondary auth (for the "2" in 2-factor)?
Am I the only one who thinks that launching my e-mail client, getting mail, probably scratching around in the Spam folder etc sounds like a fairly hellish user experience?
Mozilla Persona authenticates you using your email without the need to check your email every time (and without the need to enter your email password if you are already logged in).
Persona is awesome for that, and for the "no central authority" thing. Too bad it lost momentum and seems to be an awesome relic inside Mozilla.
I don't like this proposal, simply because e-mail and SMS are not secure. Something like SQRL sounds much better to me, in contrast.
> What is the benefit over traditional usernames & passwords?
- There are no usernames or passwords to have compromised, lost or stolen.
- No keyboard interaction, great for using public computers that could log your keystrokes.
- You only need your Master Key, no lists of usernames and passwords to keep track of.
- There is NO WAY to link one person across sites based only on the site-specific public key; websites may ask for more information that could be tracked.
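The property in that list, one master key with a distinct identity per site and nothing stored at a site that links you to another site, written out in code. This is an added example for this page, not SQRL's own implementation or wire protocol: the per-site Ed25519 seed is derived as HMAC-SHA256(master key, site name), which is an assumption about the derivation, and the challenge format (random nonce followed by the site name) is likewise assumed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// siteSeed derives one site's 32-byte Ed25519 seed from the master key as
// HMAC-SHA256(master, site) (assumed derivation, not SQRL's). Seeds for
// different sites are unrelated, so a site that holds your public key for
// it learns nothing that identifies you anywhere else.
func siteSeed(master []byte, site string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(site))
	return m.Sum(nil)
}

// siteKeyPair is deterministic: the same master key and site name always
// yield the same pair, so only the master key has to be kept.
func siteKeyPair(master []byte, site string) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(siteSeed(master, site))
	return priv.Public().(ed25519.PublicKey), priv
}

// newChallenge is the server side of a login: a fresh nonce bound to the
// site name (assumed format) so a signature made for one site is useless
// at another.
func newChallenge(site string) ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, []byte("|"+site)...), nil
}

// sign is the client side. It refuses to sign a challenge that names a
// different site than the one it is talking to, which is what defeats a
// phishing page relaying the real site's challenge.
func sign(master []byte, site string, challenge []byte) []byte {
	if !bytes.HasSuffix(challenge, []byte("|"+site)) {
		return nil
	}
	_, priv := siteKeyPair(master, site)
	return ed25519.Sign(priv, challenge)
}

// verify is what the server does with the public key stored at enrollment.
func verify(enrolled ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(enrolled, challenge, sig)
}

func main() {
	master := make([]byte, 32)
	rand.Read(master)
	for _, site := range []string{"example.com", "example.org"} {
		pub, _ := siteKeyPair(master, site)
		fmt.Printf("%-12s identity %s...\n", site, hex.EncodeToString(pub)[:16])
	}
	ch, _ := newChallenge("example.com")
	pub, _ := siteKeyPair(master, "example.com")
	fmt.Println("login ok:", verify(pub, ch, sign(master, "example.com", ch)))
}
```

Two things the code makes visible that the bullet list does not: the unlinkability depends entirely on the site name going into the derivation, and losing the master key loses every identity at once, so a scheme like this needs a recovery path that is separate from the login path.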
The problem with this is that it's not as convenient as passwords and people hate things that are even slightly inconvenient.
Typing a username and password is very fast assuming that you remember them both (even faster with a password manager).
Now you have to log in to your email every time you want to log into any website. This is especially inconvenient if you are a webmail only user. Or you have to get a code sent to your phone which you have to retype if you want to use the website on a different device.
What happens if your email provider goes down, or your phone isn't working?
>The problem with this is that it's not as convenient as passwords and people hate things that are even slightly inconvenient.
This is generally true but I wouldn't go that far.
One example of something that is more than 'slightly inconvenient', while being introduced globally fairly recently, is captchas. Sure, nobody likes them but it isn't like people have boycotted sites that have them.
(another example would be requirements for longer passwords with digits and mixed letters in them - a requirement that was mostly non-existent 10 years ago)
Sure, email authentication is probably more inconvenient than my examples, but you can definitely make improvements to it (a browser extension similar to those used by password managers for example can greatly reduce the inconvenience) if it becomes the standard.
I just want to note that passwords are not the only sensitive information that go through a server you are communicating with. Even if there were no passwords, I would consider Heartbleed just as bad.
Why is this article promoting a seriously flawed form of 2 factor auth? SMS based 2fa is easily broken compared to protocols based on a shared secret and invalidated using time or some kind of nonce counter :/
Edit: ah nevermind, it's promoting this as the _only_ factor which is even more idiotic.
This is quite a stupid idea.
How exactly am I supposed to log into my passwordless email to check the email containing the code to get into my email ?
The assumed "ability to send an email or SMS to users reliably and quickly" doesn't mean the user will receive it in a timely manner or at all.
But even assuming this article is actually sound and works as described, would replacing passwords with email/SMS authentication improve the overall security?
I'm not so sure that sending unencrypted email containing authentication data is improving security or that trusting a phone to be handled by its owner at all time is a sane assumption to make.
Then there is the issue of the whole authentication process being turned into the quite annoying and not always working password reset process which often is not handled in a secure manner.
The correct way to fix this stale password issue is simply to revoke passwords and ask users to choose a new one as is usually done when security has been breached.
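What "handled in a secure manner" has to mean for an emailed or texted login token, as an added example rather than code from the article under discussion: a 256-bit random token of which only the hash is stored, a short lifetime, and exactly one redemption. The in-memory store, the 15-minute lifetime and the example addresses are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// One error for every failure so a caller probing the redeem endpoint
// cannot distinguish "unknown" from "expired" from "already used".
var errInvalidToken = errors.New("invalid or expired token")

type tokenRecord struct {
	user    string
	expires time.Time
	used    bool
}

// TokenStore holds SHA-256 hashes of issued tokens, never the tokens.
// A dump of this store gives an attacker nothing to paste into a login URL,
// which is the failing most password-reset flows have.
type TokenStore struct {
	mu   sync.Mutex
	recs map[[32]byte]*tokenRecord
	ttl  time.Duration
	now  func() time.Time // injectable clock (assumption for testing)
}

func NewTokenStore(ttl time.Duration) *TokenStore {
	return &TokenStore{recs: make(map[[32]byte]*tokenRecord), ttl: ttl, now: time.Now}
}

// Issue mints a 256-bit random token for user and returns the raw value to
// put in the email or SMS. Only its hash is remembered.
func (s *TokenStore) Issue(user string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.recs[sha256.Sum256([]byte(tok))] = &tokenRecord{user: user, expires: s.now().Add(s.ttl)}
	return tok, nil
}

// Redeem accepts a token exactly once and only before it expires. The lookup
// is by hash of a uniformly random value, so there is no fixed secret whose
// bytes a timing side channel could leak one at a time.
func (s *TokenStore) Redeem(tok string) (string, error) {
	h := sha256.Sum256([]byte(tok))
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.recs[h]
	if !ok || rec.used || !s.now().Before(rec.expires) {
		return "", errInvalidToken
	}
	rec.used = true // single use: a forwarded or later-captured link is worthless
	return rec.user, nil
}

func main() {
	store := NewTokenStore(15 * time.Minute)
	tok, _ := store.Issue("alice@example.com")
	user, err := store.Redeem(tok)
	fmt.Println("first use:", user, err)
	_, err = store.Redeem(tok)
	fmt.Println("second use:", err)
}
```

Note what this does not fix: the token still travels in cleartext through the mail or SMS provider, so the short lifetime and single use bound the exposure the thread complains about without removing it. Rate-limit the issue endpoint (it is a free way to spam a victim's inbox) and consider binding redemption to the browser session that requested the link.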
No, you use a shared secret which both you and the server can use to generate a one-time password. You send the OTP (over something like TLS still, yeah) and the server checks that it is valid and makes sure it can't get replayed.
This is DANGEROUS advice. Email is typically one of the easiest channels to access. There are dozens of ways that someone can get access to your email, it shouldn't even remotely be considered secure.
For low security content it can be acceptable, I've used this method for email subscription centres before, however the only actions a user could do is manage their email subscription and thus it was considered to be acceptable. The idea that this method would be used for a SaaS product that is being paid for is mind-boggling.
That's not to say it couldn't be used in multi-factor authentication, but tying the only authentication to email is creating a giant single point of failure from an insecure system with a shoddy security history.
WTF? Email and SMS are not even remotely secure channels for transmission of data. Granted, SMS is harder to get to, but your telco typically stores all your messages (for a period of time) for law enforcement reasons, and everything is passed in the clear for emails.
You are better off using a trick like this one: http://blog.rabidgremlin.com/2009/12/28/tip-creating-easy-to... to create a unique but easy to remember password for all the sites you use. Of course you want to use at least 4 different patterns, one for banking, one for email, one social and one for the rest of the web...
I would go out on a limb and say it would probably be easier to sniff these codes from email and sms traffic than it would be to extract passwords from transient memory via Heartbleed.
Not all passwords are equally valuable. Even if you are subscribed to 268 different services, it's quite likely most of them are not of particular importance to you.
One-time passwords are old as dirt. But they're also susceptible to MITM, and when TLS is vulnerable or you send through a plaintext/poorly encrypted channel (SMS), it especially makes no difference. Then, OTPs turn your mobile device or email address into a single point of failure, thus raising interest for their compromise.
This article is written as if it were suggesting two-factor authentication. In actuality it's suggesting a new one-factor authentication. A single factor that my phone company and device manufacturer can access, no less.
On Android, you can give apps permission to read your text messages. The effect, were this author's advice followed, would be that apps get access to all of your other services.
I've tried the email > login flow, and my experience was that users hate having to check their email to log in. Power users didn't mind, because they often have their email very readily accessible at all times. It was much harder to convince average users that it wasn't an extra layer of effort (a perception problem).
YubiKeys are quite a good solution to this issue. OTP always, and a unique User ID as well. It can even go so far as plug in the key, press go and you're all ready, no usernames or passwords needed.
pa5tabear | 12 years ago
I'm interested in a password manager that works seamlessly on Android.
higherpurpose | 12 years ago
http://sqrl.pl/guide/
https://www.grc.com/sqrl/sqrl.htm
nfoz | 12 years ago
https://medium.com/cyber-security/9ed56d483eb?utm_source=Twi...
i.e. all the twitter campaign garbage. Instead use this:
https://medium.com/cyber-security/9ed56d483eb
daraosn | 12 years ago
Secure Channel, like OpenSSL you mean?