Simple authentication via email

Hi guys. Just wondering about the possible web app auth methods, and there are plenty ;-). Everyone uses keys, hash algorithms, 2-step auth processing... But the question remains: the user password is present in the server DB structure. Yes, it's encrypted; yes, it's 99.99% secure... But if an attacker gains access to it, there is a small possibility of gaining access to it.

But what if we don't have to use passwords ;-)? See, what if you have a new password every time you log in?

Suppose that has been discussed before, but let me show the steps:
 - user identifies with a username or email address, like somename@noname.com
 - server gets the requested identifier and, IF PRESENT, generates a random hash with a TTL of 1 h (can be configured) and stores it internally, as some sort of temporary password
 - mails that hash back to the user (the mail address is retrieved from the matched username), with a pre-composed URL, something like the links for activation/forgotten password
 - user clicks on the mailed link
 - after the server receives the link (id:hash), it checks the DB for a match
     -- if OK, authorizes and clears that generated hash
     -- if not, clears that generated hash and redirects to the login ;-)

So basically we will have a newly generated random password every time ;-) And whoever gains that auth URL link will not be able to use it, because at the moment of authentication that very hash is cleared ;-).
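The server side of the steps above, as an added example (not the poster's code): Python with constructed in-memory stands-ins for the user table and the temporary-token store, and a hypothetical login URL. It goes slightly beyond the post in two places a defender would want: only a hash of the token is stored at rest, and the comparison is constant-time.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 3600  # the post's 1 h lifetime; configurable

# Constructed in-memory stand-ins for the user table and the temporary-token store.
USERS = {"somename@noname.com": {"id": 42}}
PENDING = {}  # user id -> {"digest": sha256(token), "expires": unix time}


def _digest(token: str) -> str:
    # Store only a hash of the token, so a leaked DB row does not yield a usable link.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_login_link(email: str, now: Optional[float] = None) -> Optional[str]:
    """Steps 2-3: if the identifier exists, mint a single-use token and return the URL to mail.

    Returns None for unknown addresses; the caller should respond identically either way
    so the endpoint does not reveal which addresses are registered.
    """
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a guessable hash
    PENDING[user["id"]] = {"digest": _digest(token), "expires": now + TOKEN_TTL_SECONDS}
    return f"https://example.invalid/login?id={user['id']}&token={token}"  # hypothetical URL


def consume_login_link(user_id: int, token: str, now: Optional[float] = None) -> bool:
    """Step 5: verify id:token, then clear the record whether the check passed or not."""
    now = time.time() if now is None else now
    record = PENDING.pop(user_id, None)  # pop: one attempt, pass or fail, burns the token
    if record is None:
        return False
    if now > record["expires"]:
        return False
    # Constant-time comparison of the digests avoids leaking a match through timing.
    return hmac.compare_digest(record["digest"], _digest(token))
```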

All we need to protect is our mail address. But using the old methods, if the attacker gains access to the user's mail, he can easily change the password from the 'forgotten password' links, right?
