When I forget my password, don’t use my email to confirm that I have authority to reset it, use my email to log me in. Just treat an email address as a flavor of Open ID and we’ll all get along fine.
I don’t even save passwords for a lot of sites. I auto-generate a new random password, use it to login or create the account, and use password recovery by email whenever the site logs me out.
You are not alone – http://gondwanaland.com/mlog/2007/09/11/passwordless/
I presume the system you envisage goes like this:
1) “Click here to log in via a URL e-mailed to you”
2) Wait for e-mail
3) Click URL in e-mail
4) Now logged in (via other window)
5) Refresh/visit other page to find one is now logged in
Sounds like a reasonable idea and probably convenient for those with rapid e-mail delivery.
Precisely.
It seems completely doable to me.
A couple of other points for implementors:
a) For browsers without even an expired session, obviously the user would first have to type in an e-mail address (of a registered user).
b) To reduce phishing, the e-mail should contain something (a private name say) that only the genuine site would know about the user.
c) The e-mailed login-URL should work only once and have a short expiry time, e.g. 15 mins.
d) Change of e-mail address may require password as well as veto e-mail to old address, and validation e-mail to new address.
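The login flow described above, with points a to c built in, as an added example that is not the commenter's code: the in-memory token store, the injectable clock, the example.test URL and the sample user list are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # point c: links expire after 15 minutes


class MagicLinkIssuer:
    """Issues and redeems single-use e-mail login links."""

    def __init__(self, registered_users, now=time.time):
        # registered_users maps e-mail -> a private display name only the
        # genuine site knows (point b). `now` is injectable for testing.
        self.users = registered_users
        self.now = now
        # Store only SHA-256 digests of tokens, so a leaked table cannot be
        # replayed as logins. digest -> (email, expires_at). Assumed store.
        self.pending = {}

    def request_login(self, email):
        """Step 1: user typed an e-mail address (point a).
        Returns the message body to send, or None for an unknown address.
        The HTTP response to the browser should not differ between the two
        cases, so the form does not reveal which addresses are registered."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (email, self.now() + TOKEN_TTL_SECONDS)
        url = f"https://example.test/login?token={token}"  # assumed host
        return f"Hello {self.users[email]}, click to log in: {url}"

    def redeem(self, token):
        """Step 3: user clicked the link. Returns the e-mail to log in as,
        or None if the token is unknown, already used, or expired."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop => single use (point c)
        if entry is None:
            return None
        email, expires_at = entry
        if self.now() > expires_at:
            return None
        return email


if __name__ == "__main__":
    issuer = MagicLinkIssuer({"alice@example.test": "Bluebird"})
    body = issuer.request_login("alice@example.test")
    print(body)
    print(issuer.redeem(body.split("token=")[1]))  # alice@example.test
    print(issuer.redeem(body.split("token=")[1]))  # None: second use refused
```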
This is one step away from being the laziest personal online security model. The laziest is letting your browser and operating system remember your passwords. Yours has the lower risk profile, if your email password isn’t also remembered by the app.
It is incredibly lazy. Which is important for sites that need users to create accounts, because users go away in droves when they get a screen that makes them login or create an account.
It’s no less secure than any account which uses email for password recovery — there is no new vulnerability. It’s more secure in a way because the password doesn’t have to be memorable and the password doesn’t get written down.