Mail-in Authentication: Password-less Authentication, Kinda

Given that practically every non-financial protected website I frequent offers password recovery or reset via email ("forgot your password?"), I don't think passwords are even necessary for these sites. A time-limited security token, issued through a weekly or monthly email containing a URL with a one-time password, effectively removes the need for passwords.

I am calling it mail-in authentication for lack of a better name. The intention is to replace those 'signin' and 'login' buttons with 'mail-in' buttons and remove the password field.

This is how mail-in authentication would work from user experience point of view:

  1. User registers at the site by entering an email address.
  2. User opens the email and clicks on the authentication link.
  3. Site issues a time-limited token cookie containing user and device identity hints. User is signed in at this point.
  4. Next time User visits the Site, User signs in automatically unless the token is bad or lost.
  5. When the token is not accepted for whatever reason (expired, failed validation, flagged as used in a replay attack elsewhere, deleted, or roaming to an unknown device), User is returned to step 1.

Note that one password is still needed: the one used to access email. That's where the Kinda comes from. In this scheme, the email password becomes a universal password of sorts.

While I don't recommend this authentication scheme for web applications with medium to high security needs, I think it's acceptable for low security needs. To meet roaming requirements, a temporary session token can be issued automatically when access from an unknown device is detected.
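To make the five steps concrete, here is an added server-side sketch of the flow (example code written for this page, not from the original post or any product). It assumes an in-memory dict in place of a database, a hypothetical `https://example.test/mail-in` link, an opaque `device_hint` string supplied by the web tier (for instance a hash of the user agent plus a first-party cookie), and the TTL values shown; sending the email is simulated by returning the link so the example runs offline. The practitioner-relevant details are that only a hash of the link token is stored, the link is consumed on first use, and the cookie is HMAC-signed and bound to both a server-side session record and the device hint, so every failure mode listed in step 5 lands the user back at step 1.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server side of the mail-in flow.  Storage is an in-memory
# dict standing in for a database, and "sending the email" is simulated by
# returning the link, so the example runs offline.  None of these names
# come from the original post.

LINK_TTL = 15 * 60            # one-time link valid for 15 minutes (assumed)
SESSION_TTL = 30 * 24 * 3600  # token cookie valid for 30 days (assumed)


class MailInAuth:
    def __init__(self, server_key: bytes):
        self.key = server_key
        self.pending = {}   # sha256(link token) -> (email, expires_at)
        self.sessions = {}  # session id -> (email, device hint, expires_at)

    # Step 1: user enters an email address; mint an unguessable one-time link.
    def request_link(self, email: str, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (email, now + LINK_TTL)  # store the hash only
        return f"https://example.test/mail-in?t={token}"  # body of the email

    # Steps 2-3: user clicks the link; consume it exactly once, issue a cookie.
    def redeem_link(self, token: str, device_hint: str, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop: a link is single use
        if entry is None:
            return None  # unknown, forged, or already used
        email, expires_at = entry
        if now > expires_at:
            return None  # expired link; user goes back to step 1
        return self._issue_session(email, device_hint, now)

    def _issue_session(self, email, device_hint, now):
        sid = secrets.token_urlsafe(16)
        exp = int(now + SESSION_TTL)
        dev = hashlib.sha256(device_hint.encode()).hexdigest()[:16]  # device hint
        self.sessions[sid] = (email, dev, exp)
        payload = f"{sid}|{dev}|{exp}"
        mac = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{mac}"  # Set-Cookie value; add Secure and HttpOnly

    # Steps 4-5: validate the cookie on each visit; any failure -> step 1.
    def check_session(self, cookie: str, device_hint: str, now=None):
        now = time.time() if now is None else now
        try:
            sid, dev, exp, mac = cookie.split("|")
        except ValueError:
            return None  # malformed
        payload = f"{sid}|{dev}|{exp}"
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None  # tampered or forged
        entry = self.sessions.get(sid)
        if entry is None:
            return None  # revoked or deleted server side
        email, bound_dev, expires_at = entry
        if now > expires_at:
            self.sessions.pop(sid, None)
            return None  # expired
        presented = hashlib.sha256(device_hint.encode()).hexdigest()[:16]
        if not hmac.compare_digest(presented, bound_dev):
            return None  # roaming or replay from another device
        return email

    # Explicit sign-out, and the kill switch for a cookie that leaked.
    def revoke(self, cookie: str) -> None:
        self.sessions.pop(cookie.split("|")[0], None)
```

In this sketch a device mismatch simply fails closed; the roaming policy described above would instead branch there and mint a shorter-lived temporary session for the unknown device. The whole scheme still rests on the link travelling over TLS and on the recipient's mailbox, which is exactly the "universal password" caveat the post raises.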

Update:

Paul Madsen points out that latency, spam (more specifically, the chance of getting past the spam filter), and privacy concerns (giving out an email address) could make mail-in authentication unusable. Those are valid points, but I've got a trick up my sleeve that will cover them. I am just not ready to share it yet because I want to validate the UX flow with a prototype.

ActiveGrid on Eclipse

ActiveGrid is joining the Eclipse gang. Peter probably doesn't remember because he was too busy making the pitch, but I advised him to consider building on Eclipse nearly two years ago. Maybe billing him for the advice would have made him take it more seriously. It was a serious mistake not to leverage all the momentum building up behind Eclipse.

Well, it's better late than never.

W3C Woes

Looks like W3C is still on its downward spiral. I've had my own hits and bumps with W3C and it took me a long time to wash that W3C taste out of my mind. Looking back, I think what the world needs is a more modern form of standardization process for technology-related standards, one that supports incremental improvements and immediate deployment as well as the ability to fix past mistakes.

As an engineer and an entrepreneur, I often have 'this needs to be standardized' moments. The need can vary in size from large to small and in type from trail-breaking to fence-mending. Needless to say, the distance from such a moment to watching the printer spend an hour printing out the final recommendation is beyond what I can bear.

What I would like is a place where I can go to quickly find others with similar interests and then work out common solutions in weeks instead of the years a W3C standardization process usually takes. Note that there is no process, just a place. The rest is left to the people to work out, somehow, driven by their needs.

The place is both a social network as well as a battlefield for de-facto standard makers, a place that depends on nimbleness of its occupants to make up for mistakes.

Missing Wife and Son

My wife and son are returning today from a long visit to Korea. Believe it or not, this annual visit was one of the things I promised when we married 14 years ago, because she is very close to her parents. The trip is usually a month long, but this time she was away for half a month longer. Needless to say, I missed them both pretty badly.

I hope they arrive safely. I had a bad dream about my wife this morning, bad enough that I would have called to delay her flight if she weren't already airborne. Now I am so nervous that I can't focus on anything.

Update:

They arrived safely and smiling because the airline upgraded their seats to business class after she complained about something at the departing end. A bit of wisdom according to my wife:

In America, you are rewarded for being nice. In Korea, you get ignored instead. To get better service in Korea, you have to get nasty.

Rather sad, but my experience agrees with hers. Until things improve, don't bother waiting in line when in Korea. Just go right up to the counter, ignoring those already there, and talk to the person behind the counter in a loud, clear voice, even if the person is already talking to another customer. Note that some things are common across cultures. If you yell, 'I need a box of condoms!', you'll be stared at no matter where you are.

Battlefield Mushroom?

Israel is known for practical battlefield innovations but, gosh, I would hate to be the one wearing these silly-looking camo covers designed to hide the helmet outline. Maybe the intention is to shoot while the enemy is busy laughing.

P-P-P-Power Up!

WiMax, WiBro, Huh?

Sprint's plan to roll out WiMax with help from Intel, Motorola, and Samsung is making big waves this week. The news is even bigger in Korea. Watching an event unfold in two languages is confusing, though. In Korea, the technology is called WiBro and is being presented as a technology developed mostly in Korea. In the US, it's called WiMax and Korea is only part of the picture. Hmm.

I think Sprint is not rolling out WiMax but Mobile WiMax, which is called WiBro in Korea. WiMax and Mobile WiMax differ in that Mobile WiMax devices will work even while moving at fairly high speed. I don't know what, if any, advantages regular WiMax has over Mobile WiMax, though. The exciting thing about Mobile WiMax is that it may eventually get fast enough to download a movie faster than I can drive to the nearest Blockbuster.

A funny bit: Qualcomm is synonymous with vampire in Korea because of all the royalties they made from CDMA. So Mobile WiMax is a sweet revenge of sorts.

Regulazy: Visual Regular Expression Builder

Cool tool for .NET developers. Regulazy lets you build a regular expression for extracting data simply by selecting ranges of text and assigning a name to each. Some hand-tweaking will be necessary for production use, but it looks like a cool tool for lazy/practical developers. Too bad it doesn't generate Java regex.

MyEclipseIDE 5.0 Released

The final version of MyEclipseIDE 5.0 is out. FYI, 5.0 is the version to use with Eclipse 3.2. If you've been using 5.0M2 like me, you can update using the Eclipse Update Manager.

Supposedly, MyEclipseIDE 5.0 is fully compatible with WTP. I dislike WTP's funky UI, but most Eclipse-based tools with server-side functionality require WTP, so this is important.

Chinese Millionaires

This morning I read an interesting Korean news article (Korean) about millionaires in China. According to the article, 91% of those with $10 million or more in assets are close relatives of high government officials. Shocking, I thought. I couldn't find the Chinese government report mentioned in the article, though.

Syndicated Vulnerability

Looks like the blogosphere is rediscovering the security risk of subscribing to blog feeds, which I last blogged about in Comment on Microsoft Embracing RSS. The risk is inherent and not limited to blog feeds; it applies to all forms of syndication, including OPML. The simplicity of the carrier formats and the wildfire-like nature of social technologies are the two primary risk amplifiers.

Starry eyed, we are drawn to bonfires like mash-up and AJAX, enchanted by the moment and forgetful of the dreary dawn. Too poetic? Then here is a controversial soundbite for entertainment:

AJAX and mash-up are like bath house orgies and RSS and OPML are like intravenous drug addictions.

It's neither completely right nor completely wrong. Use as directed: as food for thought and not for furthering your arguments.