On 6/2/20 5:41 AM, Jesse Tayler wrote:
> On Jun 1, 2020, at 9:40 PM, Ray Kiddy <r...@ganymede.org> wrote:
>> Somebody comes in to the app, I get their e-mail address and send them an
>> "invite" into the app. This is exactly as secure as any password-storage system
>> that uses e-mail to reset passwords
> This means the user has to invoke a new session by getting a link in email each
> time they access?
Yes, but I also implement different expiration periods for links. So,
invites will expire after a day by default, but if the user requests
they can be provided with a link that will last longer, or it can be
made to not expire.
> I suppose that link cannot be shared since it expires?
Yes, and the intention is that the link identifies the user, so one
would not want it to be shared.
> I mean it sounds interesting, I am interested in what is going on with your
> suggestion.
> Just seems like sending around links that allow people to enter directly has
> various dangers and complexities itself, and I wonder what the resulting
> experience is and what the level of security is.
> Isn’t this technically pushing the password back to your email login and isn’t
> that really no different than OAuth or Apple sign in?
It is "pushing the password back to your email login" and that is the
point. Your email login is one password. Almost all of the hundred or so
passwords I use can be reset by e-mail. But I have to track those
passwords, and no matter how clever they are about storing those
passwords and no matter how convoluted they require those passwords to
be, the security of the system is _exactly the same_ as the security of
my email login password, and for no extra benefit. The illusion of extra
security that comes with some of these password schemes is probably what
bothers me the most.
> Apple sign in is preferable to users because it is easy and doesn’t offer
> private information to the site, Facebook login seems the same but is reversed.
> Facebook login is there to let Facebook see where you login and when so it can
> sell that data to advertisers.
A valid point. I have, however, come to a point in my life where I do not
accept that there are bad corporations and good corporations. The "good"
corporations seem to always change their stripes when their profits are
threatened. So the Apple system is a problem for me, even though it
seems to be doing a good thing now. Do their Terms of Service say that
they will do things this way forever? Can you take back your information
if they change how they are doing things?
> The idea of not using passwords at all is interesting, but I’m not sure this
> would be what I’m thinking about.
> I’m going to guess this is not a bank, but what sort of service uses this email
> authentication and why was it implemented?
Well, to be honest, I can only use this for the apps I build that I
fully control. I do work for others and they don't get it and that is
fine. I deal. I worked for Paypal and I'm pretty sure they will not be
implementing this anytime soon. More's the pity. :--) One does what one
can do.
cheers - ray
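The invite scheme Ray describes (a link that identifies the user, expiring after a day by default, longer on request, or never) is the same mechanism as a password-reset link, so it should be built the same way. The following is an added example written for this thread, not Ray's code or anything from the WebObjects project: a small store that issues and redeems such links. Everything in it is an assumption made for illustration: the class and function names (MagicLinkStore, Invite, token_from_link), the URL, the sample addresses, and the decision that a time-limited link is also single-use while a never-expiring link stays reusable. The clock is injected so expiry can be exercised without waiting a day.

```python
# Added example, not Ray's code: a magic-link ("invite") store in the spirit of
# the scheme discussed above. All names and addresses here are assumptions.
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

ONE_DAY = 24 * 3600  # "invites will expire after a day by default"


@dataclass
class Invite:
    email: str                   # the link identifies the user, so it is bound to one address
    expires_at: Optional[float]  # None means the link was "made to not expire"
    single_use: bool             # added hardening: a time-limited link is spent on first use
    used: bool = False


class MagicLinkStore:
    """Issues and redeems e-mail login links. Only a hash of each token is kept,
    so a copy of the database does not yield working links (same rule as for
    password-reset tokens)."""

    def __init__(self, base_url: str = "https://app.example.invalid/enter",
                 clock: Callable[[], float] = time.time) -> None:
        self._invites: Dict[str, Invite] = {}  # keyed by sha256(token)
        self._base_url = base_url
        self._clock = clock  # injectable so expiry can be tested without sleeping

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str, ttl: Optional[float] = ONE_DAY) -> str:
        """Return a link for `email`. ttl=None yields a link that never expires;
        such a link stays reusable, since expiry is the only bound on its life."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
        expires_at = None if ttl is None else self._clock() + ttl
        self._invites[self._key(token)] = Invite(email, expires_at, single_use=ttl is not None)
        return f"{self._base_url}?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the address the link identifies, or None if the token is
        unknown, already used, or past its expiry. Lookup is by hash, so the
        raw token is neither stored nor compared."""
        key = self._key(token)
        inv = self._invites.get(key)
        if inv is None or inv.used:
            return None
        if inv.expires_at is not None and self._clock() > inv.expires_at:
            del self._invites[key]  # an expired link is dead; drop it
            return None
        if inv.single_use:
            inv.used = True
        return inv.email


def token_from_link(link: str) -> str:
    """Extract the token from a link, as the app's entry handler would."""
    return parse_qs(urlparse(link).query).get("token", [""])[0]


if __name__ == "__main__":
    now = [1_000_000.0]  # fake clock, seconds
    store = MagicLinkStore(clock=lambda: now[0])
    alice = token_from_link(store.issue("alice@example.invalid"))  # constructed address
    print(store.redeem(alice))  # alice@example.invalid
    print(store.redeem(alice))  # None: a time-limited link is single-use
    bob = token_from_link(store.issue("bob@example.invalid"))
    now[0] += ONE_DAY + 1
    print(store.redeem(bob))    # None: past the one-day default
```

Two design points worth keeping even in a small app: the entry handler sees only the hash, so a leaked table cannot be replayed, and the default lifetime is short because, as the thread says, the whole scheme is exactly as strong as the user's mailbox plus whatever transport the mail crossed; a link that never expires is a standing credential and should be handed out only on explicit request.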
Webobjects-dev mailing list (Webobjects-dev@lists.apple.com)