> Are you able to use your password manager in public places (or on a friend's laptop)?
Any accounts that are accessed on other people's computers should be unimportant (e.g., email accounts that aren't associated with financial accounts) because those computers could be compromised. Unimportant accounts don't require strong passwords, so a password manager isn't needed for accounts that one might access on other people's computers.
I've been trying a password manager. How do you get around the fact that it requires you to put in your master password all the time? You just set it to not require that, or have a really long timeout? Or have a super easy to type master password?
I have a long sentence as my passphrase. 1password will stay unlocked for ~30 minutes (or when I close my computer), so I type it a few times a day. I've gotten very good at typing it, and can crank it out quickly.
It's much much faster than opening my email, and waiting for SMTP & Gmail to get its act together.
I have 1Password and I have it set to only re-lock once my computer locks. Also my master password for 1P is long, but easy to type, so still fast. Usually if I'm a little stoned it takes me a few tries to get it...
I just increase the number of iterations (i.e. key-stretching), so that I can use a shorter password. It'll take a second or two to actually log in, but that way I don't have to type so much.
A power user is a more advanced user of a particular system/service. They usually push a service/system to its maximum and know various tips and tricks to gain maximum efficiency from said service.
I applaud any effort to fix the "password problem," but isn't this functionally equivalent to just using the "Forgot my password, email me a reset code" link every time you want to log in?
That is pretty much exactly how I log into sites that I use rarely. I have strong, memorized passwords for the handful of sites I log into frequently. For the rest, I create a good password the first time and don't bother recording it. If I need to log back in in 6 months I just use the password reset feature.
So instead of relying on $WebAppOfTheWeak to lose my password (I'm looking right at you Adobe), I can rely on the two factor auth of my Gmail account for security.
> I can rely on the two factor auth of my Gmail account for security.
Does Gmail now support 2FA? The last time I checked, Gmail supported Google's 2-Step Verification. 2SV includes backup codes, which cause 2SV to be 1FA:
Password + Backup Codes = Something You Know + Something You Know = 1FA
If you have not heard of Persona, or have heard of it but don't see what the big deal is / why it's different to "Login with google", "Login with twitter" etc, then go watch this video. It is a very elegant, decentralised solution to the login problem.
Is this any better than a link that logs you in automatically? A link would be easier and more secure. I've actually been thinking of that as a super simple login method lately, but I don't know if people would use it.
As a proof of concept, I couldn't actually get your site to work because by the time I understood the UI flow, it was throwing an alert saying "Error with that email address". Also, this goes to spam for me... just to let you know.
Your link-to-log-in-automatically is a good idea. I've now added that. The email you receive now has two methods of logging in: 1) the 5-digit security code (the method I prefer) and 2) a direct link (the method you prefer). Thanks for the idea.
No, it's not better than a link that logs you in automatically, just different. I don't think a 5-digit code is hard to remember for a few seconds, so I like this one. Sometimes the auto-links bother me because they might open a different browser than I want, but that's only a minor issue.
I'm thinking of adding a log-in link to the email, in addition to the 5-digit code, for people that prefer that method. That way they'd have both options in the same email.
Also, I really would try to smooth out the login flow even for a POC. If I accidentally enter an old code (even if it's 5 minutes) it won't let me in. That seems OK. However, what happens next is I copy the correct/latest code, but the UI asks for my email again to send another code. When I paste in the code I have copied, it's invalid yet again.
I agree that can be odd. I made this decision to defeat bots that may be trying to fake their way in. Since it's only a 5-digit code it wouldn't take a bot long to guess the right code. By invalidating the code the first time a wrong one is used I think it makes bots very unlikely to guess correctly. I think. I hope.
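The behaviour described in the two comments above (a 5-digit code that stops working after 5 minutes, is accepted once, is thrown away on the first wrong guess, and is replaced whenever a new one is emailed, plus the direct login link added alongside it) can be written down as a small server-side state machine. The following is an added example and not the site's own code; the `EmailCodeLogin` class, the `PendingLogin` record, the SHA-256 storage of codes and the injectable `clock` are assumptions made here for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

CODE_DIGITS = 5            # the site emails a 5-digit code
CODE_TTL_SECONDS = 5 * 60  # codes stop working after 5 minutes


@dataclass
class PendingLogin:
    code_hash: bytes   # hash of the emailed 5-digit code
    link_hash: bytes   # hash of the high-entropy token in the direct login link
    issued_at: float   # clock reading when the email was generated


def _digest(email: str, secret: str) -> bytes:
    # Store only a hash, so a leaked table of pending logins does not
    # reveal live codes. The address is mixed in so equal codes for
    # different users do not hash to the same value.
    return hashlib.sha256(f"{email}\0{secret}".encode()).digest()


class EmailCodeLogin:
    """Server-side half of a passwordless email login (hypothetical)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                       # injectable for testing expiry
        self._pending: Dict[str, PendingLogin] = {}

    def issue(self, email: str) -> Tuple[str, str]:
        """Create a fresh code and link token; the caller emails both."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        link_token = secrets.token_urlsafe(32)
        # Overwriting replaces any earlier entry for this address, so only
        # the most recently emailed code is ever accepted.
        self._pending[email] = PendingLogin(
            code_hash=_digest(email, code),
            link_hash=_digest(email, link_token),
            issued_at=self._clock(),
        )
        return code, link_token

    def _take(self, email: str) -> Optional[PendingLogin]:
        # Remove the entry BEFORE checking anything: a wrong guess and a
        # correct one both consume it, which is what caps a bot at one
        # attempt per emailed code.
        pending = self._pending.pop(email, None)
        if pending is None:
            return None
        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            return None                           # expired, already discarded
        return pending

    def verify_code(self, email: str, submitted: str) -> bool:
        """True only for the latest, unexpired, never-attempted code."""
        pending = self._take(email)
        if pending is None:
            return False
        return hmac.compare_digest(pending.code_hash, _digest(email, submitted))

    def verify_link(self, email: str, token: str) -> bool:
        """Same rules for the direct login link's token."""
        pending = self._take(email)
        if pending is None:
            return False
        return hmac.compare_digest(pending.link_hash, _digest(email, token))
```

With one attempt per email, a guesser's chance is 1 in 100,000 per message sent rather than per request, which is why the author's "invalidate on first wrong guess" rule matters for such a short code; the remaining lever for an attacker is to trigger many emails, so the `issue` path is where rate limiting per address belongs. The link token is long enough that guessing is not a concern, but it is kept single-use and expiring for the same reason a reset link is.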
So now I have to type my email password into my friend's insecure computer every time I want to use your site? I think I'll be using your site a lot less.
Then a new and huge list of security problems arises when you have to bother the user with getting a new code every time if they have the sense of closing their browser and cleaning their cookies each time they close their browser (which could be as often as whenever they leave their computer); the fact that losing control of a single email makes you lose control of the account in every site using this system, which beats the idea since that email is most likely password protected anyway; etc, etc.
In a nutshell: "In most cases you won't need to do this often" is a HUGE fallacy. It depends on the security rules you work/live by. Plus, it would make it really annoying to use if on top you're using TOR.
Yes, passwords need to be fixed. They are weak, problematic and a security cheddar cheese. It is why we are now implementing two factor authentication. Changing the "fixed password" strategy to a "random and time limited password" strategy isn't exactly solving more issues than it raises. Again, from a security-wise standpoint.
Maybe if this was implemented with something different than your email. Like, for example, bank tokens or cell phone verifications... which, again, are part of a two factor authentication because by themselves they would be too easy to break.
Think about the following scenario: You use X site with this email auth system and, for example, Thunderbird. Stand up and go to the bathroom or a meeting or whatever without locking your computer. Presto! I won't even need to guess a password and get access. Of course getting access to X site would be the least of your worries in that example, but it illustrates the point I'm trying to make.
I don't think any security mechanism works if you walk away from your computer and leave the programs running (except something that relies on an NFC on your wrist). For this reason I don't think your scenario makes this scheme any less secure than what is used on standard sites. Maybe it's even more secure since even if they get access briefly, they cannot learn your password (since you don't have one), and so they cannot later log back on from a different computer.
It was just an example.
My point is, by relaying all entrance control to an email, you are giving it master password access. The only thing you are doing is relaying the security issues to wherever that email is hosted; most of the time, a free and third party service over which you have no control.
No, it is not more secure to keep your car, home and security box keys together.
You are not increasing security, whatsoever. You are setting all the security in an email service, which we already know are not the most secure services at this moment.
Maybe such a login can be applied inside a company's network, where you have control over the security of the servers, certificates, network encryption, etc.
Now think about it from a social engineering perspective. It is much easier to get access to a single email account than to every account you own. And about persistence of access... There's this thing called an email forwarder. If I get access to your email, I would create a forwarder for all the email you receive to one I control; chances are you won't notice it for a long time.
Interesting concept - but what happens if you lose control of your email account (as a user)?
Imagine e.g. problems with your DNS (self-hosted and you forgot to renew the domain), outages of your mail provider, or the worst case (for the service provider): your outbound mail server is placed on a blacklist.
This way your entire user management system goes up in smoke without ANY way for you to fix it!
"Send forgot password link to email account on file" is fairly common; if the user loses control of their email (e.g. to an attacker that got access to their password and then immediately changed it) then the user is already screwed in many ways. (I don't think this is ideal, but it seems to be the norm.)
Using email login links instead of passwords doesn't seem especially worse wrt. security than "industry standards".
Except currently, I know most of my passwords. Losing my email access would suck on so many levels I don't know where to start, but at least I can still log into my bank/credit card sites/etc. to start mitigating the potential damage. If everyone went to a system like this, losing your email means losing access to everything you don't have an active cookie for, instantly and with no ability to recover.
Why? If my webserver goes down, I can move the hoster, reboot the server or otherwise fix the problem.
If my webserver or worse, my domain, ends up on a spam blacklist, either due to moronic/malicious users flagging my mails as spam or due to automatic triggering running amok, then I have no way of ever getting my sign-in working again except of praying that the blacklist manager(s) will unblock me. Which rarely happens.
The webserver being in a blacklist can be solved by signing up to some SMTP relay. The domain blacklist can be solved by just buying another.
This is the perspective of the service provider. From the user POV, if their domain gets blacklisted, they can still receive emails, and therefore can still login as usual.
It's a great concept, but like any new authentication mechanism there's a usability and security cost due to the lack of familiarity.
Plenty of authentication mechanisms are "better" than passwords, but passwords are well-understood and flexible, which is a huge advantage for almost all sites.
For me, a big concern is propagation delay in the email. It sends a token that is valid for only 5 minutes, but with greylisting performed by the spam-filtering machinations in my email provider, there is a good chance I will not get that email within 5 minutes. Trying to send a second one will probably result in some kind of exponential back off penalty also.
For that reason alone I don't see how only using email verification as a low-friction way to log in makes sense.
I really don't consider email nearly reliable enough for any important logins.
It might work if I have a password in my password manager as a fallback, but then just using the password manager would be the way to go.
Edit: Actually this could work as the fallback for if I for some reason don't have access to the password manager, so I might use it but not for the intended purpose.
The big problem with something like this is that it introduces an attack vector that could compromise all of its users' accounts at once, thus making it a major target for attackers (and spy agencies). I don't see any solution for this in a world where even companies with extensive security know-how like Google are successfully attacked.
...I agree? It seems like you're saying that compromising your email account right now won't allow anyone access to all the sites you've signed up with it, which is pretty much incorrect.
Yes.
But it also, I think, makes it easier to follow certain attack patterns that are already known and commonly used.
For example, setting an email forwarder to an account an attacker controls in most cases won't even be noticed. I think it opens more attack vectors than the good it could do to have this kind of integration rather than just a password manager.
Giving more control to a single manager (in this case an email account) also means you will have to set greater security standards for it. For example, are you going to type your password (which also controls all your accounts) to your friend's, school's, airport's, etc's computer that could be infected?
Passwords are insecure? Of course they are insecure. That's why we are trying to implement two factor authentication. But having 1 account with 2 factor auth controlling 20 accounts with 1 factor auth isn't exactly helping. At all.
> For example, setting an email forwarder to an account an attacker controls in most cases won't even be noticed.
Setting a forwarder where? You can do that now too. It's exactly as safe as what we have now.
> I think it opens more attack vectors than the good it could do to have this kind of integration rather than just a password manager.
I disagree. As long as you have password resets sent by email, whoever has access to your email has access to your accounts.
> Giving more control to a single manager (in this case an email account) also means you will have to set greater security standards for it.
Again, that's exactly what everyone already does.
> For example, are you going to type your password (which also controls all your accounts) to your friend's, school's, airport's, etc's computer that could be infected?
No, I don't log in to my email from anywhere that's not my device, and it has 2fa enabled.
> having 1 account with 2 factor auth controlling 20 accounts with 1 factor auth isn't exactly helping. At all.
How is it not helping? Now you have all your accounts requiring two-factor auth to log in, rather than just some of them. You also only have one server to secure, which will presumably be run by people whose sole job is to secure that server.
I'm glad you have a portable device which you can use to access your email. Not every user does.
But you're right. Please use and implement candy security structures.
I feel like you didn't read anything I've written. You haven't even addressed my main point, you just came in here and spewed FUD about this solution without really discussing anything.
Well, I think we are talking about two completely different points and, per your past response, that nothing I've said really makes sense to you. Of course I think the solution is useful from a UX perspective, it's awesome. But from a security point of view you are leaving all the security out in a single layer and whenever that layer (single email address) fails, then there's nothing left.
>How is it not helping? Now you have all your accounts requiring two-factor auth to log in, rather than just some of them. You also only have one server to secure, which will presumably be run by people whose sole job is to secure that server.
Yes, you are left with only one server to secure, and yes it is most likely run by people who are good at it. But this is exactly why it's a good example of candy security: As soon as you get past the first wall, there is nothing else stopping you from getting access to everything. And you can't really presume all users will have double auth activated, nor that they will be as cautious with that single set of credentials.
I think it is less secure because it centralizes all the security in one single layer. AKA the email address you are using to handle the credentials. Once you have access to that email, then you have access to everything. Contrary to what happens now that at least raises more flags when your accounts start getting password changes, etc.
No offense taken. I wasn't sure it was a new idea, just one that I had trouble finding demonstrated anywhere. I couldn't find any simple web site demonstrating just this one single idea, separated from a lot of other issues, so I made this.
Flask-Security looks like a good solution to every new web site having to roll their own code. BTW, it's not clear from Flask-Security that there is a no-password option, given that the user model has a password field required.
For those that are interested, I got the ball rolling with email-based logins by building http://swiftlogin.com. I was glad to see the idea improved by Mozilla later that year and all the growth since then.
lol, you got the ball rolling. I built a successful site that did this in 2003. I'm not sharing a link because I don't want to out my identity. But nice work on putting up your source and promoting the idea.
That was a problem with the meteor hosting site's number of free emails per day, which broke quickly after this went high on HN. I've patched the meteor code to fix that issue.