9 Replies - 677 Views - Last Post: 16 April 2020 - 12:14 PM

#1 drakedemon

Passwordless authentication with a twist

Posted 16 April 2020 - 06:05 AM

Most of us think of magic links when we hear "passwordless", but I'm trying out a different approach. What if we require our users to SEND an email for authenticating?

I've been experimenting with this idea recently and actually got around to building a prototype. This system will work as a SaaS (similar to Auth0) aimed at developers to implement authentication in their sites/apps.

The concept is pretty simple. Use mailto HTML links to open the default email app prefilled with a generated auth code. User then taps send, waits for the email to be processed and he's in.

There are some pretty cool benefits to this method:

- the user doesn't even have to type in their email address (inferred from the received email)

- most email clients also send firstname/lastname with the email address, so signing up to a website that requires email, firstname, and lastname is simplified

Spoof protection is done via email DKIM.

Here's a gif with how this works:

[Imgur](https://i.imgur.com/RhgsNzD.gifv)

If you want to try it out for yourselves, here's the website

mod: spammy link removed

What do you guys think? Is this something that could catch on? Is it a viable alternative to existing systems?

This post has been edited by modi123_1: 16 April 2020 - 08:34 AM


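The server side of the flow described in the first post, written as an added example (it is not the poster's prototype or product code). It mints a one-time code for the mailto: link, and when the inbound mail arrives it requires an unexpired, unused code, a DKIM pass reported by the receiving mail server's own verifier, a signing domain equal to the From domain, and completes the login only for the browser session that rendered the link. The class and method names, the five-minute lifetime and the addresses are assumptions. Note what the check cannot do: DKIM vouches for a domain, so two mailboxes in the same signing domain are indistinguishable to it, which is the limitation replies later in the thread raise.

```python
import secrets
import time
from dataclasses import dataclass
from email.utils import parseaddr

# Added example (not the original poster's code): the server side of a
# "send us an email to log in" flow. Names and the lifetime are assumptions.

CODE_TTL_SECONDS = 300  # assumed lifetime of an unused code


@dataclass
class PendingLogin:
    browser_session: str  # the page that rendered the mailto: link
    created_at: float


class LoginBroker:
    def __init__(self, inbox_address: str, now=time.time):
        self.inbox_address = inbox_address
        self._now = now
        self._pending: dict[str, PendingLogin] = {}  # code -> who is waiting
        self._completed: dict[str, str] = {}         # browser session -> mailbox

    def issue_mailto(self, browser_session: str) -> tuple[str, str]:
        """Mint a one-time, unguessable code bound to the waiting browser and
        return (code, mailto link) for the page to render."""
        code = secrets.token_urlsafe(24)  # 192 random bits: guessing is infeasible
        self._pending[code] = PendingLogin(browser_session, self._now())
        return code, f"mailto:{self.inbox_address}?subject=login&body={code}"

    def redeem(self, code: str, from_header: str, dkim_result: str,
               dkim_domain: str) -> tuple[bool, str]:
        """Process one inbound mail. dkim_result and dkim_domain are what the
        receiving MTA's DKIM verifier reported; they must come from that
        verifier, never from headers the sender could have written."""
        # Single use: the code is removed on the first attempt, good or bad,
        # so a replayed or guessed message cannot be retried.
        pending = self._pending.pop(code, None)
        if pending is None:
            return False, "unknown or already used code"
        if self._now() - pending.created_at > CODE_TTL_SECONDS:
            return False, "code expired"
        if dkim_result != "pass":
            return False, "dkim did not pass"
        _, mailbox = parseaddr(from_header)
        mailbox = mailbox.lower()
        sender_domain = mailbox.rpartition("@")[2]
        # DKIM vouches for a domain, not a mailbox. Requiring the signing
        # domain to equal the From domain (strict alignment, in DMARC terms)
        # stops a third-party signer from vouching for this sender. It cannot
        # tell two users of the same domain apart.
        if not sender_domain or sender_domain != dkim_domain.lower():
            return False, "dkim domain does not match sender"
        self._completed[pending.browser_session] = mailbox
        return True, mailbox

    def poll(self, browser_session: str):
        """Called by the waiting page. Only the session that rendered the link
        learns that the login succeeded, whoever actually sent the mail."""
        return self._completed.pop(browser_session, None)
```

The page that rendered the link calls `poll` with its own session id; a mail that redeems a code issued to some other session never unlocks the caller, which is the binding between "who sent the mail" and "who is waiting" that the design otherwise lacks.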

Replies To: Passwordless authentication with a twist

#2 modi123_1

Re: Passwordless authentication with a twist

Posted 16 April 2020 - 08:41 AM

Nice astroturfed ad. *shrug* So it goes.

#3 drakedemon

Re: Passwordless authentication with a twist

Posted 16 April 2020 - 08:52 AM

Sorry about the link, I thought maybe it wouldn't count as spam/ad since I'm not trying to sell anything (yet). The website is a rough draft, as I'm currently working on a functional prototype.

I left it here, because maybe people wanted to try the test button to see for themselves how it works.
Again, apologies.

I'm just trying to get some feedback on this proof of concept.

#4 astonecipher

Re: Passwordless authentication with a twist

Posted 16 April 2020 - 09:07 AM

And you are using what to prevent spoofing? Not that difficult to fake an email, which is why companies spend so much time combating it and I have seen some really legit forgeries.

My preference is how MS does the MFA. We use this and it's great as long as you actually have your device.

#5 Ornstein

Re: Passwordless authentication with a twist

Posted 16 April 2020 - 09:29 AM

(I'll just leave this here for the sake of the discussion:)

I'd likely never use this in production, but it is an interesting idea.

"mailto" links don't always work; I for example don't have a mail client installed. From a UX perspective, that's pretty much an immediate dealbreaker for me.

Not all servers may support DKIM. You may well have users whose email provider doesn't use SPF or anything else either.

The fact that a server supports DKIM doesn't guarantee anything by itself. The server may use weak keys - or may have any other number of implementation/configuration faults that can be exploited to forge mail (and this is a lot more common than you might imagine), etc.

When your own server/software is verifying the mail, you'd need to be confident that your implementation is aware of and solves for all these potential weaknesses (partially-signed mail, duplicated headers, etc.)

To give a simplified example of a potential attack:

Spoiler


Obviously there's ways (with some degree of certainty) to protect against this sort of thing; you just have to make sure you do it.

Also, this creates a paradigm where the security of the service more so depends on the security of (some large number of) external servers beyond your control - rather than the usual paradigm where you can force users to use unique and complex passwords, you can choose the most secure hashing algorithm, etc.

There's also questions around the disconnect between who sends the email and who the website authenticates when it receives the email i.e. you'd need to guarantee (and I'm not entirely sure you ever could with 100% certainty) that the person who sends the email with the authentication code, is the person waiting to log in on the website. To give another example:

Spoiler


Again, you can protect against this sort of thing to a certain extent, but I think there's always going to be that last 2% you can't quite squeeze out.

For example, there's always going to be the issue of someone leaving their email account logged in on a public computer or having their phone stolen/borrowed/etc; whereas normally there could/would be measures to prevent a thief/hacker logging into everything, they're now able to do so just by virtue of having access to the email account.

As an extension of the above: It's generally accepted as good security practice for people to protect various accounts with multiple passwords/etc, but by definition this paradigm promotes having a single password (the email password) be responsible for access to multiple accounts.

(I know that some services will let you do the above anyway through password resets, but they at least have the option of prompting for a memorable name or some other secret.)

That's just some thoughts off the top of my head.
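The post above lists verifier pitfalls that a bare "dkim=pass" verdict does not cover: partially signed mail and duplicated headers. The following is an added example (not Ornstein's or the original poster's code) of the structural checks a receiving service should run on a message before it lets a passing signature stand for "the From, Subject and body we are looking at are the ones that were signed". It does not do the cryptographic verification itself; that stays with the DKIM verifier. The required-header list, function names and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Added example (not from the original thread). Checks what a DKIM signature
# actually covers, independent of whether it verifies. Constructed names.

REQUIRED_SIGNED = ("from", "to", "subject", "date")  # assumed policy


def parse_dkim_tags(header_value: str) -> dict[str, str]:
    """Split a DKIM-Signature value into its tag=value pairs, with the
    folding whitespace inside values removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def dkim_coverage_problems(raw_message: str) -> list[str]:
    """Reasons this message must not be accepted for login even if its
    signature verifies; an empty list means nothing structural was found."""
    msg = message_from_string(raw_message)
    sigs = msg.get_all("DKIM-Signature") or []
    if not sigs:
        return ["no DKIM-Signature header"]
    # Assumption: the verifier reported on the first signature present.
    tags = parse_dkim_tags(sigs[0])
    signed = [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]
    problems = []
    for name in REQUIRED_SIGNED:
        if name not in signed:
            problems.append(f"{name} header is not covered by the signature")
        count = len(msg.get_all(name) or [])
        if count > 1:
            # A second instance added after signing leaves the signature
            # valid over the original one; a client or verifier that shows
            # the other instance is misled. Refuse duplicates outright.
            problems.append(f"{name} header appears {count} times")
    if "l" in tags:
        # l= limits how many body bytes are signed; anything appended after
        # that length is unsigned, so a login code in the body is not covered.
        problems.append("l= tag present: only part of the body is signed")
    return problems


# Constructed sample messages (placeholder hash and signature values).
SIGNED_OK = """DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;
 h=from:to:subject:date; bh=BODYHASH; b=SIGNATURE
From: alice@example.org
To: login@example.test
Subject: login
Date: Thu, 16 Apr 2020 06:05:00 +0000

LOGIN-CODE-PLACEHOLDER
"""

DUPLICATE_FROM = """DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;
 h=from:to:subject:date; bh=BODYHASH; b=SIGNATURE
From: alice@example.org
From: other-user@example.org
To: login@example.test
Subject: login
Date: Thu, 16 Apr 2020 06:05:00 +0000

LOGIN-CODE-PLACEHOLDER
"""

PARTIALLY_SIGNED = """DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;
 h=from:to; l=5; bh=BODYHASH; b=SIGNATURE
From: alice@example.org
To: login@example.test
Subject: login
Date: Thu, 16 Apr 2020 06:05:00 +0000

LOGIN-CODE-PLACEHOLDER
"""
```

Run `dkim_coverage_problems` on the raw message alongside the verifier's verdict and accept only when both the verdict is a pass and the list is empty. The Authentication-Results header in the message itself is not a substitute: a sender can write one, so the verdict has to come from the receiving server's own verification step.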

#6 jon.kiparsky

Re: Passwordless authentication with a twist

Posted 16 April 2020 - 09:32 AM

Okay, so before getting into the technical stuff, you have a name collision: https://github.com/s...a-authenticator


Okay, so what you're proposing is that a user wants to authenticate to a website, and they should do this by sending an email from their email account to the website.

In what way does this count as authentication? I can send emails apparently from any address I like. If I send you an email, and you can read it, that is reasonably strong assurance that you have access to that account (either legitimately or otherwise). If I receive an email with your name in the sender field, that is reasonably strong assurance that someone in the world (or some process, more likely) sent an email to me.

#7 drakedemon

Re: Passwordless authentication with a twist

Posted 16 April 2020 - 09:33 AM

astonecipher, on 16 April 2020 - 10:07 AM, said:

And you are using what to prevent spoofing? Not that difficult to fake an email, which is why companies spend so much time combating it and I have seen some really legit forgeries.

My preference, is how MS does the MFA. We use this and it's great as long as you actually have your device.


Using DKIM to make sure the email is indeed coming from the said domain.

#8 astonecipher

Re: Passwordless authentication with a twist

Posted 16 April 2020 - 09:49 AM

That proves the email came from the correct domain, not the correct sender. So if I want to masquerade as George in accounting, I can still be verified as George.

#9 Salem_c

Re: Passwordless authentication with a twist

Posted 16 April 2020 - 09:54 AM

How is this any different to
- visit website
- click on "forgot password" link when trying to sign in, enter email address.
- click on the emailed link with the magic cookie.
- type in a new password.
- voila, logged into site.

All you're doing is acknowledging that the password is useless, so just forget it exists and just re-use the machinery for the 'forgot password' as the means of logging in.

It's about as safe as email - which isn't safe.
If someone were to intercept the 'login link' email message, the jig's up.

#10 drakedemon

Re: Passwordless authentication with a twist

Posted 16 April 2020 - 12:14 PM

astonecipher, on 16 April 2020 - 10:49 AM, said:

That proves the email came from the correct domain, not the correct sender. So if I want to masquerade as George in accounting, I can still be verified as George.


Most email servers won't allow you to do that. And there's a pretty small chance you're in a domain that does. And that you want to impersonate George :)

But you are right, this method is not 100% safe.

jon.kiparsky, on 16 April 2020 - 10:32 AM, said:

Okay, so before getting into the technical stuff, you have a name collision: https://github.com/s...a-authenticator


Okay, so what you're proposing is that a user wants to authenticate to a website, and they should do this by sending an email from their email account to the website.

In what way does this count as authentication? I can send emails apparently from any address I like. If I send you an email, and you can read it, that is reasonably strong assurance that you have access to that account (either legitimately or otherwise). If I receive an email with your name in the sender field, that is reasonably strong assurance that someone in the world (or some process, more likely) sent an email to me.


You prove that you have access to that email account :).
Wouldn't worry about that name collision.

Salem_c, on 16 April 2020 - 10:54 AM, said:

How is this any different to
- visit website
- click on "forgot password" link when trying to sign in, enter email address.
- click on the emailed link with the magic cookie.
- type in a new password.
- voila, logged into site.

All you're doing is acknowledging that the password is useless, so just forget it exists and just re-use the machinery for the 'forgot password' as the means of logging in.

It's about as safe as email - which isn't safe.
If someone were to intercept the 'login link' email message, the jig's up.


You are basically describing magic links (which will be a fallback to this solution). Which btw, are more safe than passwords :)