sign up with or link email address

[chadwhitacre]

Sign-up would enable a greatly expanded userbase.

Link would enable notifications (see, e.g., #88; see also #73 for GitHub notifications).

[chadwhitacre]

(Note to self) Read this:

"Why passwords have never been weaker—and crackers have never been stronger"

http://arstechnica.com/security/2012/08/passwords-under-assault/

[lyndsysimon]

I believe this could be done entirely without passwords.

Option 1: When a user tries to log in, send an email with a login token. Expire the token in an hour or other reasonably short time frame. Note - email is insecure and can be eavesdropped, but most sites already implement email-based password recovery, so this is in theory no less secure.

Option 2: When a user tries to log in, send an email with a login token and display a randomly selected dictionary word on the site (via SSL). Require the user to enter this word after they use the email link. This increases the difficulty of logging in somewhat, but as far as I can see actually offers improved security over a traditional password-based system.

[chadwhitacre]

You're ahead of your time, @lyndsysimon. Just saw this on HN:

Most web sites ask for a password when you register. After logging in, you can access the site until your session expires. When you forget your password, you can request an email with a link to a password change form.

NoPassword factors out the password from this process. You register with an email address and receive a link that gives you a session on that browser until you log out. If you ever need to log in from somewhere else, you can request another email with a link that will log you in wherever you are.

https://nopassword.alexsmolen.com/

[lyndsysimon]

I wish I could take credit for it, but I read about it a few months ago and couldn't find the reference.

The eavesdropping issue is real, though. Recovery emails aren't sent very often, but if websites used that for login regularly I'm afraid that email interception for the purpose of obtaining login tokens would be much more common. You could limit it by IP as well, but nothing is going to be as secure as a pre-shared secret (like a password).

ETA: the link you provided verifies IP.

[lyndsysimon]

Actually, now that I'm considering it, limiting the login token to a single IP might do the trick. It's transparent to the user, and while an attacker can spoof source IPs I don't belive th would be able to see the returned (via SSL) authentication cookie since it isn't routed to the them.

You'd have to do a man in the middle attack, and if you can do that you can hijack a traditional login session as well.

I'm going to consider writing a proof-of-concept module for Flask (and maybe Aspen) that does this, and see if anyone can tear the idea apart. It's slightly above my level of technical competence, but within reach.

[singpolyma]

This feature makes me uncomfortable. Especially if passwords are involved.

Email verification for login is a bit better than passwords, but since I'm not sure what problem this feature would be trying to solve, I'm not sure if that would be acceptable.

[ironchefpython]

I'm not sure what problem this feature would be trying to solve, I'm not sure if that would be acceptable.

There exists a set of people who have nothing to say on twitter, and who do not contribute to open source projects hosted on github. Should these people not be allowed to tip, or should they be required to sign up for a github account that they will never use again?

The eavesdropping issue is real... [but email isn't] going to be as secure as a pre-shared secret (like a password).

I would suggest that gmail with two-factor authentication is going to be more secure than anything you can easily hack up, especially since you need a password reset mechanism, and most people use email for that purpose. (so as long as you're using it as a backup authentication mechanism, why not go all the way and use it as the primary?)

[chadwhitacre]

In our first exercise in fraud prevention (#329), the vitality of linked Twitter and GitHub accounts has been the determining factor in suspending accounts. Since measures of vitality are not similarly associated with email accounts—I can't publicly see your social network graph given your email address—it seems that email-only registrations would make it harder to detect money laundering. Therefore, I suggest that we allow linking an email address to an existing Gittip account, but don't allow creating a new Gittip account using only an email address.

[chadwhitacre]

+1 from @lindsayp.