
Password-less login

sonic0002, 2012-11-05 12:29:55

Most websites require users to log in so they can serve personalized content. The usual way is to ask the user to register an account.

This is not very appealing for either side. Users have to remember a separate password for every website, which is troublesome, while developers become responsible for protecting those passwords; once passwords leak, the website's business and reputation suffer.

So people started thinking about password-less login long ago; it would be a big relief for both users and websites. Below we discuss some common approaches.

1. OpenID

OpenID is the earliest form of password-less login. The rationale is that every URL on the Internet identifies a unique web page, so a URL can also be used to identify a user.

On a website that adopts OpenID, users do not need to enter a username; they enter only the URL that represents them. The website then verifies this URL, and if verification succeeds the user is allowed to log in.

OpenID has two drawbacks:

  1. It needs server-side support.
  2. Using a URL to represent a user is not intuitive and is hard to understand.

2. Third party accounts

What OpenID really does is delegate identity verification to a third party, which is effectively the same as logging in to that third-party website.

So you might as well tell your users directly that they can log in with a third-party account.

The advantage is that users accept it easily. The disadvantage is that the website's business now depends on the third-party site. For example, many websites now require Facebook accounts; if Facebook has a problem, all of those websites are affected.

3. Persona

Last year, Mozilla proposed Persona, a so-called password-less login.

It has the same effect as OpenID, but Persona authenticates with email: when the user enters an email address, the website sends a verification request to that email's server.

Although it has been proposed, its future does not look bright. First, its technical requirements and workflow are more complex than OpenID's; second, it requires server-side support, and it is hard to imagine most email servers deploying Persona.

4. OAuth

The OAuth protocol works like third-party account login.

Third-party account login uses the third-party website to verify identity: it is a form of authentication. OAuth goes one step further: the third-party website lets you request its data directly, so it is a form of authorization service.

Because it can involve changes to user data, OAuth is stricter than OpenID.

5. Email login

The four methods above are the mainstream password-less login methods today. Here is another simple way to achieve the same thing, proposed by Ben Brown in July. The implementation is simple: users only need to enter their email address.

Once the email address is entered, the server sends a mail to it containing a login link. The user only needs to click the link to be logged in to the website.

The login link is valid only for a limited period, but a cookie can keep the user logged in for a long time. When the cookie expires, the website sends a new login link to the email address.
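The following Python model of the three steps above (issue a link, redeem it once for a cookie, resend a link when the cookie has expired) is an added example; it is not code from the original article and not Ben Brown's implementation. It assumes a hypothetical login endpoint `https://example.test/login`, a 15-minute link lifetime and a 30-day cookie lifetime, and keeps its tables in memory; a real deployment would persist them and actually send the mail.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Lifetimes are assumptions for this example; the article only says "a limited period".
LINK_TTL_SECONDS = 15 * 60             # a login link is valid for 15 minutes
SESSION_TTL_SECONDS = 30 * 24 * 3600   # the cookie keeps the user logged in for 30 days
LOGIN_URL = "https://example.test/login"  # hypothetical endpoint, not from the article


def _fingerprint(token: str) -> str:
    """Store only a hash of each token, so a leaked table yields no usable link or cookie."""
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkService:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested without waiting
        self._pending = {}          # link fingerprint   -> (email, expires_at)
        self._sessions = {}         # cookie fingerprint -> (email, expires_at)
        self.outbox = []            # (email, link) pairs a real deployment would mail

    def request_login(self, email: str) -> str:
        """Step 1: the user enters an email; the server mails a one-time login link."""
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, not guessable
        self._pending[_fingerprint(token)] = (email, self.clock() + LINK_TTL_SECONDS)
        link = f"{LOGIN_URL}?{urlencode({'token': token})}"
        self.outbox.append((email, link))   # stand-in for sending the mail
        return link

    def redeem_link(self, link: str):
        """Step 2: the user clicks the link. Returns a session cookie value, or None."""
        token = parse_qs(urlparse(link).query).get("token", [""])[0]
        entry = self._pending.pop(_fingerprint(token), None)  # pop makes the link single-use
        if entry is None:
            return None                      # unknown, already used, or tampered token
        email, expires_at = entry
        if self.clock() > expires_at:
            return None                      # expired; the pop already discarded it
        cookie = secrets.token_urlsafe(32)
        self._sessions[_fingerprint(cookie)] = (email, self.clock() + SESSION_TTL_SECONDS)
        return cookie

    def session_email(self, cookie):
        """Later requests carry the cookie; map it back to the logged-in email, or None."""
        fp = _fingerprint(cookie or "")
        entry = self._sessions.get(fp)
        if entry is None:
            return None
        email, expires_at = entry
        if self.clock() > expires_at:
            del self._sessions[fp]           # drop the stale session
            return None
        return email

    def authenticate(self, cookie, email: str):
        """Step 3: if the cookie is missing or expired, resend a link instead of failing."""
        current = self.session_email(cookie)
        if current is not None:
            return ("logged_in", current)
        return ("link_sent", self.request_login(email))


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.request_login("alice@example.test")   # constructed sample address
    cookie = svc.redeem_link(link)
    print(svc.authenticate(cookie, "alice@example.test"))
    print(svc.redeem_link(link))                       # None: the link was single-use
```

Two details matter for the "limited period" the article mentions: the link token is consumed on first use and also checked against its expiry, so a link forwarded or found in a mailbox later cannot be replayed, and only hashes of tokens and cookies are kept at rest. The token still travels inside the mail, which is why the security of this scheme rests entirely on the user's mailbox, the drawback the article notes below.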

The whole process runs through email, so it is a true password-less login method. It is natural and easy to understand, and more importantly it uses the existing email protocol, so nothing needs to be deployed on email servers.

One drawback is that the user has to log in to their email. In some situations this is not very convenient.

There are other password-less login methods as well, such as Microsoft's proposal to log in with a picture password.

Author: 阮一峰. Source:
