[cap-talk] Webkeys vs. the web
Stiegler, Marc D
marc.d.stiegler at hp.com
Mon Mar 23 14:29:32 EDT 2009
One of the perils of proposing an idea is that it grows on you :-) I have the following additional observations on adopting a streamlined version of the "forgot your password protocol".
One objection might be, "suppose the user's only mailbox is a non-browser app like Outlook, so the user doesn't have access to his email from the remote machine he's trying to use?" Well, I hypothesize that a person with only Outlook is a one-machine-only user, who could have his bookmarks easily handy, because I hypothesize that a user-of-multiple-machines would, as his first action, get a browser-based email account.
One observation is that one could send the webkey to an email account as part of the signon. Then for a typical user (well, for me, anyway), I could retrieve the webkey from my email system without going to the logon page at all, I would just get it from my email archive.
> In this case, suppose we take a page from the "Forgot your
> password?" folks. Have a public memorable page into which you
> simply type your email address, and the system sends an
> appropriate webkey to that email. Then you log into your
> email account using the email system signon-password, and
> click the link in the new message. This way, you are not
> adding yet another !@#$ password to the poor user's woes.
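The email-me-a-webkey flow described in the message above, sketched as an added example that is not part of the original post or of any cap-talk project's code. The URL format, the in-memory stores, the `outbox` stand-in for the mail system and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Assumed URL format: the key rides in the fragment, which browsers do not
# send in Referer headers or request lines.
BASE_URL = "https://example.invalid/app/#"
ACCOUNTS = {"alice@example.invalid": "alice-home"}  # constructed: email -> resource
WEBKEYS = {}   # sha256(token) -> resource; the raw token is never stored
outbox = []    # stand-in for the mail system: (recipient, url)

def digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def request_webkey(email):
    """Public page handler: mint a webkey and mail it to a known address."""
    resource = ACCOUNTS.get(email.strip().lower())
    if resource is not None:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        WEBKEYS[digest(token)] = resource
        outbox.append((email, BASE_URL + token))
    # Identical reply either way, so the page does not reveal which
    # addresses are registered.
    return "If that address is registered, a link has been sent."

def open_webkey(url):
    """Resolve a clicked link to its resource, or None if it grants nothing."""
    if not url.startswith(BASE_URL):
        return None
    return WEBKEYS.get(digest(url[len(BASE_URL):]))

def revoke(resource):
    """Invalidate every webkey issued for a resource, e.g. after mailbox compromise."""
    for key in [k for k, v in WEBKEYS.items() if v == resource]:
        del WEBKEYS[key]
```

Because earlier webkeys stay valid until `revoke` is called, a link retrieved from the email archive keeps working, and the mailbox archive becomes a store of live credentials.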