 

Instant login from email. Why have so few done this?

Tried searching for this but turned up nothing. Discussion or relevant links are requested.

Suppose we are going to send an email to entice a user to log in to our super social webapp. The goal of this email is to get them to return to the site and poke around a bit more before they forget us, so naturally we want to lower the barrier to them returning. Cookies help in preventing them from needing to log in every time but still don't help in the case when the user has forgotten their credentials. We want instant gratification here: one click straight to the action, baby. Instead, why can't we just send the user a hashed form of a randomly generated, time-sensitive token that we have stored in the DB? If they can supply this token back to the server then we can trust their identity.

This scenario seems like it could be secure, as long as you managed the tokens correctly. The process would be something as follows:

  1. Before sending the reminder email to John Doe, generate a random number token (a large enough number to prevent guessing) that expires after a few days.

  2. In the email, include a URL that contains a hashed form of the token (perhaps XOR with the user's ID).

  3. When John Doe logs into his email and clicks on the link, the server verifies the existence of the token in the DB and that it isn't expired. If the token exists, he is automatically logged in by the server.

Security: We assume that the email for John Doe actually belongs to John Doe, if only because email addresses are verified as part of the registration process. Any user that has access to John Doe's email would be able to access his account; however, this isn't new. Many sites already assume that the user's email account is secure because they implement the feature to reset password to email.

My googling has turned up only one site that does this, OKCupid, which is an online dating site. Does anyone know of any other sites that do this? Why isn't instant login via email more common? Security? Lack of substantial benefit for the added complexity?

Alan Jones asked Jan 11 '11 03:01
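A worked version of the three steps in the question, added here as an example; it is not code from the original post. It keeps the question's structure (random token, expiry of a few days, DB lookup on click, automatic login) but stores only a SHA-256 hash of the token in the database and puts the raw token in the emailed URL, rather than XOR-ing with the user ID, so a copy of the table does not yield working links. `TokenStore` is a stand-in for the database table, `TOKEN_TTL_SECONDS` is an assumed three-day lifetime, and `example.test` and user id 42 are made-up inputs.

```python
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Assumed lifetime: the question only says "a few days"; three is a choice made here.
TOKEN_TTL_SECONDS = 3 * 24 * 60 * 60


@dataclass
class LoginToken:
    """One row of a hypothetical login_tokens table."""
    user_id: int
    token_hash: str      # SHA-256 of the secret; the secret itself is never stored
    expires_at: float    # unix time after which the link is dead
    used: bool = False   # set on first successful click, so a link logs in once


class TokenStore:
    """Stand-in for the database table, keyed by token hash."""

    def __init__(self) -> None:
        self._rows: dict[str, LoginToken] = {}

    def save(self, row: LoginToken) -> None:
        self._rows[row.token_hash] = row

    def get(self, token_hash: str) -> LoginToken | None:
        return self._rows.get(token_hash)


def _hash_token(secret: str) -> str:
    return hashlib.sha256(secret.encode("ascii")).hexdigest()


def issue_login_link(store: TokenStore, user_id: int, base_url: str,
                     now: float | None = None) -> str:
    """Steps 1 and 2: mint a random, time-limited token and build the emailed URL."""
    now = time.time() if now is None else now
    secret = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable
    store.save(LoginToken(user_id, _hash_token(secret), now + TOKEN_TTL_SECONDS))
    return f"{base_url}/login?token={secret}"   # only the email carries the secret


def parse_token_from_url(url: str) -> str | None:
    """Pull the token query parameter out of the clicked link."""
    values = parse_qs(urlparse(url).query).get("token")
    return values[0] if values else None


def redeem_login_token(store: TokenStore, secret: str,
                       now: float | None = None) -> int | None:
    """Step 3: on click, look the token up, check expiry, and log the user in.

    Returns the user id to start a session for, or None if the link is
    unknown, already used, or expired. A valid token is marked used so the
    same link cannot log in twice (e.g. from a forwarded email).
    """
    now = time.time() if now is None else now
    row = store.get(_hash_token(secret))   # lookup by hash: raw token never touches the DB
    if row is None or row.used or now > row.expires_at:
        return None
    row.used = True
    return row.user_id


if __name__ == "__main__":
    db = TokenStore()
    link = issue_login_link(db, user_id=42, base_url="https://example.test")
    print("emailed link:", link)
    print("first click logs in user:", redeem_login_token(db, parse_token_from_url(link)))
    print("second click:", redeem_login_token(db, parse_token_from_url(link)))
```

The hash lookup means a database dump only reveals `sha256(token)`, which cannot be turned back into a clickable link; the expiry and single-use checks are what keep an old or forwarded email from working indefinitely.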




2 Answers

On some sites you can separate the "important stuff" from the "really, really important stuff". Let's say that the "important stuff" on your site allows users to view policies, active members and incoming group messages. The "really, really important stuff" allows you to change policies, reset passwords and add new users. So what you can do is as follows:

  1. Allow your http link to give access to the "important stuff". After all, it's not the end of the world if people know about policies, users or messages in your system.
  2. Request an actual username/password authentication if a request is made for the "really, really important stuff".

In essence you are building different trust levels within your system. The emails you send outbound to entice users are almost always for innocuous activities ("hey, check out the new widget we have added"), and if people wish to stay on the site then they won't mind the extra time for authentication.

Simon at LabSlice-com answered Sep 30 '22 13:09
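The two trust levels this answer describes, as an added example that is not the answerer's code: a session records how the user authenticated, the emailed link only reaches the lower level, and requests for the "really, really important stuff" are refused until a username/password step-up in the same session. `AuthLevel`, `Session`, `StepUpRequired`, the `requires` decorator and the `_PASSWORDS` table (a constructed stand-in for a real credential store, which would hold password hashes) are all assumptions made for the example.

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass
from enum import IntEnum
from functools import wraps


class AuthLevel(IntEnum):
    """Trust levels in ascending order; a session only ever moves up."""
    ANONYMOUS = 0
    EMAIL_LINK = 1   # arrived via the emailed login link
    PASSWORD = 2     # typed username and password during this session


@dataclass
class Session:
    user_id: int | None = None
    level: AuthLevel = AuthLevel.ANONYMOUS


class StepUpRequired(Exception):
    """Raised when a request needs a higher trust level than the session has."""


def requires(level: AuthLevel):
    """Decorator: refuse the call unless the session has reached `level`."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(session: Session, *args, **kwargs):
            if session.level < level:
                raise StepUpRequired(
                    f"{fn.__name__} needs {level.name}, session has {session.level.name}")
            return fn(session, *args, **kwargs)
        return wrapper
    return decorator


def login_from_email_link(session: Session, user_id: int) -> None:
    """The outbound email's link grants only the lower level."""
    session.user_id = user_id
    session.level = max(session.level, AuthLevel.EMAIL_LINK)


# Constructed credential store {user_id: password}; real code stores a password hash.
_PASSWORDS = {42: "correct horse battery staple"}


def step_up_with_password(session: Session, user_id: int, password: str) -> bool:
    """Username/password step-up for the 'really, really important stuff'.

    Only upgrades the session of the same user; a wrong password leaves the
    session at its current level rather than downgrading or clearing it.
    """
    if session.user_id is not None and session.user_id != user_id:
        return False
    expected = _PASSWORDS.get(user_id)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return False
    session.user_id = user_id
    session.level = AuthLevel.PASSWORD
    return True


# "important stuff": readable straight from the emailed link
@requires(AuthLevel.EMAIL_LINK)
def view_messages(session: Session) -> list[str]:
    return [f"message for user {session.user_id}"]


# "really, really important stuff": needs a real password in this session
@requires(AuthLevel.PASSWORD)
def reset_password(session: Session, new_password: str) -> bool:
    _PASSWORDS[session.user_id] = new_password
    return True


if __name__ == "__main__":
    s = Session()
    login_from_email_link(s, 42)
    print(view_messages(s))
    try:
        reset_password(s, "hunter2")
    except StepUpRequired as e:
        print("refused:", e)
    print("step-up:", step_up_with_password(s, 42, "correct horse battery staple"))
    print("reset:", reset_password(s, "hunter2"))
```

Because the check compares the session's level against the level each action demands, adding a third tier (say, a recent re-authentication for payments) is a matter of adding an enum value and decorating the handlers, not of changing the handlers themselves.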


If the user forwards the e-mail to a friend for any reason, then that friend could log in as the user.

Kevin Panko answered Sep 30 '22 11:09