12 Nov 2016 - by 'Maurits van der Schee'
Every site nowadays has a username/password login, and that is problematic. Google Plus and Facebook OAuth2 login exist, but their coverage is not 100% and there are privacy concerns. Luckily there is an alternative that has 100% coverage and no privacy concerns. So, let's stop using passwords. This post explains how.
Your login form should be:
Email: __________ [OK]
That's it! You receive an email containing a link that you can click to be logged in. The link contains a JSON Web Token (JWT) with the claims "username" and "ip" and is signed by the website with a user-specific secret (a generated password).
The first objection people raise is that their users will be spammed with authentication links. Good point. Do you have a password recovery feature? Indeed, I thought so. That works the same way, so this is not a problem introduced by not having a password. And remember: you don't have to send your users a new authentication link as long as the previous one has not yet expired (so not more often than once per expiry period).
SMTP uses SSL nowadays on port 465. And even if the token were intercepted, it is still signed and thus cannot be altered. Since the token contains an IP address, it can then only be used by an attacker on the same Internet connection. As a bonus, the warning "Be careful not to log in to sites without SSL" loses some of its relevance, as no passwords are transmitted.
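The token described above (claims "username" and "ip", HS256-signed with a per-user secret) issued and verified end to end, as an added example written for this post and not the MindaPHP NoPassAuth code; the per-user secret store, the 15-minute expiry and the sample addresses are assumptions, and the "ip" check assumes the client's address does not change between requesting and clicking the link.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_login_token(secret: bytes, username: str, ip: str, now: int, ttl: int = 900) -> str:
    """Build the HS256 JWT placed in the login link: username + ip claims plus an expiry."""
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"username": username, "ip": ip, "exp": now + ttl}, **compact).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_login_token(token: str, secret_for_user, request_ip: str, now: int):
    """Return the username if the clicked link is valid for this request, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        payload = json.loads(_unb64url(payload_b64))
        sig = _unb64url(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm: accepting "none" or a public-key alg would sidestep the per-user secret.
    if header.get("alg") != "HS256":
        return None
    # The claims are untrusted until the signature checks out; username is only used to find the secret.
    username = payload.get("username")
    secret = secret_for_user(username) if isinstance(username, str) else None
    if secret is None:
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return None  # link expired (or exp missing)
    if payload.get("ip") != request_ip:
        return None  # link clicked from a different connection than the one that requested it
    return username

# Constructed sample store: one user with a generated per-user secret (assumption, not the framework's storage).
SECRETS = {"alice@example.com": b"generated-per-user-secret-0123456789"}
```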
This approach can easily be copied to use mobile phone numbers instead of email addresses. An SMS message can transport the link. Note that the login form can easily detect the difference between a mobile phone number and an email address and choose the appropriate channel. This allows people to have either a mobile phone number or an email address as their username.
There is no reason to continue to use passwords. The above system can be used in parallel with an existing username/password system (the password can be used as the secret). I actually implemented this functionality in the NoPassAuth class of the MindaPHP web application framework. You can see it in action on the demo site below.
Go to the MindaPHP Demo Site - NoPassAuth Example