xkcd

[RThaiRThai]

tl;dr: There are some websites that I always forget the password for and end up using forgot my password every time. What if we used a system where you get sent a unique once usable log in link every time instead of passwords, but still give users the option to log in faster by entering their password if they so choose? And regarding OpenID; I love it, but the only site I use that has it is Slashdot.

I would like to know whether this idea already exists in a recorded form, whether it has been implemented, and whether it has been patented.

I have absolutely no intention of patenting this idea. I also hear many nasty stories about people who do not pay enough attention to patents getting sued. I have asked 2 of my friends and they think it is a good idea. If nobody replies, this is at least evidence that I had the idea this point in time in case it ever becomes relevant in the future.

Instead of supplying a password to login, a user will only suppy his email address. A link will be sent to the user's email account which may be used to log in only once, and will expire after a given period of time.

A user may alternatively log in using a regular password. A user may disable either login option.

This form of logging in means it will be possible for other users to spam a user's inbox if the user's email address is known. However, the user's inbox may be spammed if his address is known regardless of whether this system is enabled through traditional means.

This form of logging in is almost identical to reseting one's password upon forgetting it. The 2 main differences are that this implementation only allows the link to be used once, and it is presented in a way such that it is the primary means of loggin in.

I would like for this method of loggin in to become universal, or to replace Facebook connect, as Facebook connect is tied to 1 company whereas a mail server may be implemented by anyone with sufficient resources.

Please comment.

[Dthen]

Why would you want this? It doesn't add any extra security and it does add extra inconvenience.

[kmatzen]

Instead of supplying a password to login, a user will only suppy his email address. A link will be sent to the user's email account which may be used to log in only once, and will expire after a given period of time.

So, I would have to supply my email address, press the login button, navigate to my email service, login, wait for the email to arrive, open the email, click the link, and then delete the email before loggin into your site? This sounds like an awful user experience, especially when the SMTP servers get flooded with all these login emails and they become significantly delayed.

I would like for this method of loggin in to become universal, or to replace Facebook connect, as Facebook connect is tied to 1 company whereas a mail server may be implemented by anyone with sufficient resources.

This is what OpenID is for. In the end, sites choose Facebook Connect over OpenID since it allows sites to augment the experience with social networking data without actually getting access to that data and the liability associated with it. Some companies like Yahoo! and Google use OpenID so that they can sway customers over from their competitor without making them sign up for a new account. Last time I checked, you can use your gmail to login to Yahoo! products like Flickr. I didn't pay attention to whether or not that used OpenID, but the idea is still the same.

[RThaiRThai]

So, I would have to supply my email address, press the login button, navigate to my email service, login, wait for the email to arrive, open the email, click the link, and then delete the email before loggin into your site? This sounds like an awful user experience, especially when the SMTP servers get flooded with all these login emails and they become significantly delayed.

As I said, it is an optional feature. It is not meant to add security, or necessarily be faster. It does mean that there is 1 less password to memorize. SMTP servers getting flooded with these login emails is something I had not considered, but I do not believe the volume of login emails would be significant enough to slow down the servers.

This is what OpenID is for. In the end, sites choose Facebook Connect over OpenID since it allows sites to augment the experience with social networking data without actually getting access to that data and the liability associated with it. Some companies like Yahoo! and Google use OpenID so that they can sway customers over from their competitor without making them sign up for a new account. Last time I checked, you can use your gmail to login to Yahoo! products like Flickr. I didn't pay attention to whether or not that used OpenID, but the idea is still the same.

I am perfectly aware of OpenID, but I am also disappointed by how infrequently it is used. This method does not require a new id; most people already have email accounts and are required to provide them when signing up with websites. Using gmail to login to products is also not the same because that is tied to one specific email provider. I do not believe sites choose Facebook Connect over OpenID mainly for the social reasons, though I would not bet on that. I think it's because Facebook is common enough that it can be practically used.

I was just at Yahoo! and did not see OpenID anywhere.
https://edit.yahoo.com/registration?.sr ... hoo.com%2F

Update: I'm being stupid http://openid.net/get-an-openid/

The only popular site I know of that uses OpenID is Slashdot. I would like OpenID to gain popularity, but I get the impression that this would be easier.

[RebeccaRGB]

The only popular site I know of that uses OpenID is Slashdot.

LiveJournal also uses OpenID.

I don't use any of those universal login systems, though, just because I don't necessarily want everything I do online to be linked together. I like my relative anonymity. I would like to see OpenID gain popularity as well, though, because Facebook needs competition; their influence over the Internet has gone unchecked.

[Zamfir]

Why not save an email in your email account with your password on it? So if you want to login to that site, you can search your email for the relevant mail. Takes less steps for the user than your proposal.

[keeperofdakeys]

There are some sites that are doing single-use code logins, like hotmail.

[sircrayons]

Why not use a password manager like KeePassX or LastPass?

[RThaiRThai]

Why not save an email in your email account with your password on it? So if you want to login to that site, you can search your email for the relevant mail. Takes less steps for the user than your proposal.

I can see a slight advantage to what I propose. If your passwords are saved on your email and anyone ever, say, glances over your shoulder, they gain access to your account. If you change your password occasionally, that at least helps, but with the system I propose, the links are only usable once. Both have the risk of tying all your accounts to the security of one account, which I think is fine if we're talking about less important things like games and forums.

Why not use a password manager like KeePassX or LastPass?

Firstly, this is not about me managing my own passwords, it's about making accounts easier to manage for the people who use my website. I could recommend a password manager to them, but that's a tall task to ask of somebody signing up to your site compared to just making an account. I hate websites that ask you to download a special program to use them, and for the most part avoid them.

As for myself, I am considering using a password manager, but I haven't investigated them in depth yet. I am concerned about portability. If I use a password manager, will I still be able to effectively log in from other computers?

[SammyIAm]

This system actually has some appeal for me. There are definitely some sites that I use so infrequently (PayPal for example) that I have to reset my password every single time. And this solution wouldn't be any less convenient, and most likely slightly more convenient.

OpenID does take care of the "I can't remember the password" issue, but as RebeccaRGB pointed out:

...I don't necessarily want everything I do online to be linked together. I like my relative anonymity....

The reason I don't remember my password for these sites is because I rarely go there, and I don't necessarily want accounts there to be linked to an OpenID that I use for a lot of stuff. PayPal is good example here too, I may not want to have my OpenID that I use for all my social networking linked to my PayPal account.

There's technical limitations like spamming, but in reality I don't think they would be any more prevalent with this method than others.

[keeperofdakeys]

OpenID does take care of the "I can't remember the password" issue, but as RebeccaRGB pointed out:

...I don't necessarily want everything I do online to be linked together. I like my relative anonymity....

The reason I don't remember my password for these sites is because I rarely go there, and I don't necessarily want accounts there to be linked to an OpenID that I use for a lot of stuff. PayPal is good example here too, I may not want to have my OpenID that I use for all my social networking linked to my PayPal account.

There's technical limitations like spamming, but in reality I don't think they would be any more prevalent with this method than others.

The biggest risk is your openid provider trying to link together all the sites you visit. This is probably something that Facebook would do as well, with all its off-site logins. If you roll your own openid server, then the separate websites would have to compare notes to track you; this could be done with usernames and passwords today, although it would be slightly less effective.

[kalleguld]

Lifehacker does something akin to what the OP suggested.
If you want to post a comment, and you are not logged in, you just fill in your email address and write your comment.
Then you'll recieve a mail with a link, so they can confirm it's you, and after confirming, the comment is posted under your name.

[gorcee]

It's far simpler to have a fixed set of passwords for various applications where security really doesn't matter a lot.

I have a standard password, a modification on that password (for when password length requirements don't suit the original), and brute-force secure password (random combination of upper/lower/number/symbol).

I don't use any of these in anything that is sensitive. And let's face it, 95% of the stuff I do online isn't sensitive. Say you get my XKCD forum password. What are you going to do with it? Make some posts under my name making me look like a jerk? Hell, I do that well enough on my own. Even still, is that really the best use of anyone's time such that I have to care?

[Emu*]

Stackoverflow.com and other stackexchange sites use OpenID as one of their login options, with special shortcut buttons for those wanting to use google as their OpenID provider.

[fulldecent]

Passwords are a joke except for the 1% of sites users care about (gmail, banks, facebook). If you run a larger site, set a 100-year cookie when someone logs in (in addition to your normal session cookie, which times out as normal). Then track your login page:
* what percent of users that already have an account (100-yr cookie set) remember their password
* what percent of users that already have an account click forgot password and then login
* what percent of users that already have an account click forgot password and then leave
* what percent of users that already have an account give up and don't even try

Post your results if you are allowed, along with the sector and number of visitors per month.