RT Cunningham

Passwords and Password Resets – It’s Time to Get Rid of Passwords

It seems we hear about database breaches way too often. In some cases, the only things compromised are the passwords. We need to get rid of passwords.

What if I told you passwords have been unnecessary for years? There’s a much easier way to authenticate, which only drops the convenience level a little.

User Names and Passwords

While I’m focusing on regular websites, the concepts are still viable for online applications.

When is a user name and password combination considered secure? When the password is so complex you can’t hope to remember it. You need a password manager to manage all your passwords.

Would you believe the best way to authenticate is without passwords? I’m not talking about multi-factor authentication either.

It revolves around web browser cookies and one of the oldest web protocols, e-mail.

E-mail and Cookies for Authentication

I’m not an expert. Feel free to argue with me. I’ve tested this and I know it works. What’s interesting is that the e-mail doesn’t have to be secure as long as the website is secure (using SSL/HTTPS).

A website served over HTTPS can set Secure cookies, cookies the browser only ever sends over the encrypted connection, so they can’t be captured in transit. The procedure would go something like this:

  1. The user enters an e-mail address and only that at a website to start the login process.
  2. The website sets a secure cookie in the user’s web browser and stores a matching token at the server. The website then sends an e-mail message with a random link (sometimes called a “magic link”). The link expires shortly thereafter.
  3. The user receives the e-mail message, clicks the link and heads to the login page at the website.
  4. The website checks to make sure the secure cookie matches the stored token. It checks to make sure the link is valid and hasn’t expired.
  5. The website logs the user in, starts the session and puts the user on the right page.

This secure cookie should start the session, letting a secure session cookie take over once the website logs the user in.
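One way to implement steps 1 through 5 on the server side, added here as an example and not code from the post or its CMS project; the in-memory store, the function names and the 15-minute link lifetime are assumptions:

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 15 * 60  # the e-mailed link "expires shortly thereafter"

# Pending logins keyed by a hash of the cookie value (constructed in-memory store for the demo).
_pending = {}

def _digest(value):
    return hashlib.sha256(value.encode()).hexdigest()

def start_login(email, now=None):
    """Steps 1-2: the user submits only an e-mail address. Returns
    (cookie_value, link_token): the first goes into the Set-Cookie header,
    the second into the e-mailed link; only their hashes stay on the server."""
    now = time.time() if now is None else now
    cookie_value = secrets.token_urlsafe(32)  # unguessable, 256 bits each
    link_token = secrets.token_urlsafe(32)
    _pending[_digest(cookie_value)] = {
        "email": email,
        "link_digest": _digest(link_token),
        "expires": now + LINK_TTL_SECONDS,
    }
    return cookie_value, link_token

def cookie_header(cookie_value):
    """Secure: sent over HTTPS only. HttpOnly: unreadable by page scripts.
    SameSite=Lax rather than Strict, so the cookie still accompanies the
    top-level navigation that clicking the link in the e-mail produces."""
    return (f"login={cookie_value}; Secure; HttpOnly; SameSite=Lax; "
            f"Path=/login; Max-Age={LINK_TTL_SECONDS}")

def finish_login(cookie_value, link_token, now=None):
    """Steps 4-5: log in only if the browser that started the login (the
    cookie) presents the matching, unexpired link. Returns the e-mail address
    or None. Each link works once; a session cookie takes over afterwards."""
    now = time.time() if now is None else now
    key = _digest(cookie_value or "")
    entry = _pending.get(key)
    if entry is None:  # no cookie, or the link was opened in another browser
        return None
    if now > entry["expires"]:
        del _pending[key]
        return None
    if not hmac.compare_digest(entry["link_digest"], _digest(link_token or "")):
        return None
    del _pending[key]
    return entry["email"]
```

Because the link is only honoured together with the cookie, a link that is forwarded or read out of an intercepted mailbox does not log anyone in by itself, which is why the e-mail leg can stay unencrypted as the post says.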

A Matter of Convenience

The most convenient way of logging in is to enter a user name and an easy-to-remember password. It’s also the least secure. Are you willing to trade security for convenience?

E-mail clients are available for just about every computing platform we use, from cell phones to desktop computers. Web browsers are available for just about every computing platform we use as well. If an e-mail client isn’t available, using web mail is a good alternative.

There are other ways to authenticate without passwords. I don’t think any of them are any better than this. You don’t have to buy extra hardware or software to do it this way.

If a password isn’t used for anything but your e-mail account, you only have to remember that one password, not dozens, hundreds or thousands for all the websites you have to log into.

I have choices to make with the CMS project I’m working on (off and on). If I make it for offline use only, uploading completed pages, authentication isn’t really necessary. If I make it work online as well, authentication is definitely necessary. The e-mail method is the only method I’ll use if I set up authentication.

July 17, 2017
Web Development