What if I told you passwords have been unnecessary for years? There’s a much easier way to authenticate, which only drops the convenience level a little.
While I’m focusing on regular websites, the concepts are still viable for online applications.
When is a user name and password combination considered secure? When the password is so complex you can’t hope to remember it. You need a password manager to manage all your passwords.
Would you believe the best way to authenticate is without passwords? I’m not talking about multi-factor authentication either.
It revolves around web browser cookies and one of the oldest web protocols, e-mail.
I’m not an expert. Feel free to argue with me. I’ve tested this and I know it works. What’s interesting is that the e-mail doesn’t have to be secure as long as the website is secure (using SSL/HTTPS).
A secure website can create secure cookies, cookies that can’t be used if intercepted. The procedure would go something like this:
This secure cookie should start the session, letting a secure session cookie take over once the website logs the user in.
The most convenient way of logging in is to enter a user name and an easy to remember password. It’s also the least secure. Are you willing to trade security for convenience?
E-mail clients are available for just about every computing platform we use, from cell phones to desktop computers. Web browsers are available for just about every computing platform we use as well. If an e-mail client isn’t available, using web mail is a good alternative.
There are other ways to authenticate without passwords. I don’t think any of them are any better than this. You don’t have to buy extra hardware or software to do it this way.
If a password isn’t used for anything but your e-mail account, you only have to remember that password, not dozens, hundreds or thousands for all the websites you have to log into to use.
I have choices to make with the CMS project I’m working on (off and on). If I make it for offline use only, uploading completed pages, authentication isn’t really necessary. If I make it work online as well, authentication is definitely necessary. The e-mail method is the only method I’ll use if I set up authentication.