It seems we hear about database breaches way too often. In some cases, the only things compromised are the passwords. We need to get rid of passwords.
What if I told you passwords have been unnecessary for years? There’s a much easier way to authenticate, and it only costs a little convenience.
While I’m focusing on regular websites, the concepts also apply to online applications.
When is a user name and password combination considered secure? Only when the password is so complex you can’t hope to remember it, which means you need a password manager to keep track of all your passwords.
Would you believe the best way to authenticate is without passwords? I’m not talking about multi-factor authentication either.
It revolves around web browser cookies and one of the oldest web protocols, e-mail.
I’m not an expert. Feel free to argue with me. I’ve tested this and I know it works. What’s interesting is that the e-mail doesn’t have to be secure (it should be) as long as the website is secure (using SSL/HTTPS).
A website served over HTTPS can set secure cookies, cookies the browser only ever sends over the encrypted connection, so they can’t be captured and reused in transit. The procedure would go something like this:
This secure cookie starts the login; once the website has logged the user in, a secure session cookie takes over.
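As an added illustration, not code from the post and not the post’s own procedure list, here is one common way an e-mail login of this kind is built: the site e-mails a one-time link and, at the same time, sets a Secure cookie in the browser that asked for it, so the link is only honoured from that browser; on success a separate session cookie takes over. The host name, the ten-minute lifetime and the in-memory stores are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL = 600  # seconds a login link stays valid (assumed value, not from the post)

# In-memory stores standing in for a database (constructed for this example).
pending = {}   # sha256(token) -> (email, browser_nonce, expires_at)
sessions = {}  # session id -> email

def start_login(email, now):
    """User enters only an e-mail address. Mint a one-time token, store only its hash,
    return the link to e-mail plus the Set-Cookie value that ties the attempt to this browser."""
    token = secrets.token_urlsafe(32)
    browser_nonce = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    pending[token_hash] = (email, browser_nonce, now + TOKEN_TTL)
    link = f"https://example.test/login?token={token}"  # placeholder host
    # SameSite=Lax is still sent when the e-mail link is opened as a top-level navigation.
    cookie = (f"login_nonce={browser_nonce}; Secure; HttpOnly; "
              f"SameSite=Lax; Max-Age={TOKEN_TTL}")
    return link, cookie

def finish_login(token, browser_nonce, now):
    """Link is clicked. Accept only an unexpired, unused token presented by the same
    browser (matching nonce cookie); a copy of the e-mail alone is not enough."""
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    # Pop first so the token is single use even when this attempt fails.
    entry = pending.pop(token_hash, None)
    if entry is None:
        return None
    email, expected_nonce, expires_at = entry
    if now > expires_at or not hmac.compare_digest(expected_nonce, browser_nonce):
        return None
    session_id = secrets.token_urlsafe(32)
    sessions[session_id] = email
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax"

def session_user(session_cookie):
    """Later requests: map the session cookie back to the logged-in e-mail address."""
    session_id = session_cookie.split("session=")[1].split(";")[0]
    return sessions.get(session_id)

if __name__ == "__main__":
    link, nonce_cookie = start_login("alice@example.test", now=0)
    token = link.split("token=")[1]
    nonce = nonce_cookie.split("login_nonce=")[1].split(";")[0]
    print(session_user(finish_login(token, nonce, now=30)))  # alice@example.test
    print(finish_login(token, nonce, now=31))                # None: already used
```

Because the link is useless without the cookie set in the requesting browser, an intercepted e-mail on its own does not log anyone in, which is the property the post relies on when it says the e-mail need not be secure as long as the website is.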
The most convenient way of logging in is to enter a user name and an easy-to-remember password. It’s also the least secure. Are you willing to trade security for convenience?
E-mail clients are available for just about every computing platform we use, from cell phones to desktop computers, and so are web browsers. If an e-mail client isn’t available, web mail is a good alternative.
There are other ways to authenticate without passwords. I don’t think any of them are any better than this. You don’t have to buy extra hardware or software to do it this way.
If a password isn’t used for anything but your e-mail account, you only have to remember that one password, not the dozens, hundreds or thousands needed for all the websites you have to log into.
I have three bank accounts: two in the Philippines and one in the United States. One of the banks in the Philippines sends a code to my phone after I log in, but only if I’m using my laptop. It doesn’t do it if I’m using the app on the phone. The bank in the United States gives me a choice of a code to my phone or one to my e-mail.
It seems like the banks are doing two-factor logins that include a user name and password combination. Again, I don’t think that step is necessary. I guess it doesn’t matter since we’ll all be forced to use biometrics someday.