You go to the web site the first time. They ask you to create an account using an email address. You enter it. They send you a URL to log in for the first time. You go to your email and click on the URL. That page gives you a long-lived cookie, so you don’t have to log in again for as long as possible. A couple years would be fine.
From that point on you go through the password recovery process any time you’re in a position where you would need to log in again. Let’s say you go to the web site from a new computer where you don’t have the cookie. It needs you to log in. In the login form you enter your email address without first going through the “lost your password?” link. You then go to your email to get the link they sent you, and then you click on it.
This is only different from always just recovering your password in that the login dialog is optimized to make the password recovery process shorter. For example, the login dialog might have an extra button added which sends the URL to your email account.
This wouldn’t be any less secure than current processes, since your password security is never stronger than your email account anyway. It would actually be more secure, since you wouldn’t have a guessable or stealable password introducing an additional point of vulnerability.
I am thinking about this because Facebook constantly makes me log in, and I don’t care about it enough to memorize that password.
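The flow described above, as an added example that is not part of the original post: the site mints a random single-use, short-lived login token, mails it as a URL, and on click exchanges it for a long-lived HMAC-signed cookie. The store, key, URL and TTLs are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory store standing in for the "pending login links" table:
# sha256(token) -> (email, expires_at). A real service persists this in its DB.
PENDING = {}
LINK_TTL_SECONDS = 15 * 60                  # the emailed link itself is short-lived
SESSION_TTL_SECONDS = 2 * 365 * 24 * 3600   # the post's "a couple years" cookie
SESSION_KEY = os.urandom(32)                # constructed; load from a secret store in practice


def issue_login_link(email, base_url="https://example.invalid/login", now=None):
    """Mint a single-use login link; only the token's hash is stored, so a copied DB can't replay it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
    PENDING[hashlib.sha256(token.encode()).hexdigest()] = (email, now + LINK_TTL_SECONDS)
    return f"{base_url}?token={token}"


def redeem_login_link(token, now=None):
    """Consume a clicked link: returns a session cookie, or None if unknown, used or expired."""
    now = time.time() if now is None else now
    entry = PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)  # pop => single use
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    return make_session_cookie(email, now)


def make_session_cookie(email, now):
    """Long-lived cookie 'email|expiry|hmac'; the server keeps no per-session state."""
    payload = f"{email}|{int(now + SESSION_TTL_SECONDS)}"
    sig = hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_session_cookie(cookie, now=None):
    """Return the logged-in email, or None if the cookie is malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        email, expires, sig = cookie.rsplit("|", 2)
    except ValueError:
        return None
    expected = hmac.new(SESSION_KEY, f"{email}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or now > int(expires):
        return None
    return email
```

The security properties the post leans on are all in the token handling: unguessable, hashed at rest, expiring, and deleted on first use, so a forwarded or logged link cannot be redeemed twice.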
Or, login with your IM address or mobile number, and use the IM / SMS message to kick-off the verification. Maybe even faster / more reliable than email.
With the OpenID-like stuff I worked on a few years ago, the idea was to translate your identifying URL into a Twitter-like verification step, e.g., you just enter your URL to login, and the verification step goes through web, email, IM or SMS, depending on what’s best for your own needs / concerns.
Jay — yeah, that’s right in the same bag. Take advantage of whatever credentials you already have, rather than issuing yet another set of credentials.
Though the OpenID stuff hasn’t taken off yet, probably because like all protocols it’s a boil-the-ocean problem.
“probably because like all protocols it’s a boil-the-ocean problem”
Yeah, it gets talked about that way. Although, maybe it needs only a combo-meal solution.
What’s neat about the login with email or login with IM ideas is that they point towards a combo-meal kind of model, e.g., you already are going to have a verified identity on one system, why not get some single sign-on thrown in the box.