

Password-less login that ONLY requires an email address [pdf] - nickb
http://isrl.cs.byu.edu/pubs/pp1001.pdf

======
dgl
Jabber/XMPP already has something similar, XEP-0070:
<http://www.xmpp.org/extensions/xep-0070.html> (and there's an openid gateway
at <http://openid.xmpp.za.net/>)

I think doing this sort of thing over IM makes much more sense than email.

------
chengmi
Of the four obstacles addressed in the paper (Latency, Lack of privacy,
Convenience, and Reliance on a 3rd party), I think Convenience is the main
killer of this technology.

Chase Bank implements something similar to SAW. Whenever I log into Chase, the
server checks my current IP against my previous login IP. If the IP addresses
differ, they e-mail me a token which I need to enter along with my password to
enter the site. I say from experience that this is annoying as hell.

While authenticating over an IM protocol still has its obstacles (Privacy and
Reliance), the Latency and Convenience issues become more tolerable.

One potential problem I see with this system (which is not as applicable today
as it was a few years ago) is the ability to support users without an e-mail
address or IM identity. Can site owners safely assume that everyone has an
e-mail address in this day and age? How about IM?

------
joseakle
Interesting, but what if an attacker knows your email password, then he can
control your whole life, right? Because there is just one password (your
email's) on which all your access to websites depends.

Or should I read this as a joke?

~~~
nickb
If an attacker knows your email password then NOTHING can save your privacy!
Even if you rely on all kinds of security techniques on your site (SSL,
cookies, sessions etc), if someone has your email password, they can retrieve
your website password through numerous techniques.

This paper is not a joke. Far from it. It's just that it relies on a custom
server.

