[cap-talk] Webkeys vs. the web

Stiegler, Marc D marc.d.stiegler at hp.com
Mon Mar 23 14:29:32 EDT 2009

One of the perils of proposing an idea is that it grows on you :-) I have the follwing additional observations on adopting a streamlined version of the "forgot your password protocol".

One objection might be, "suppose the user's only mailbox is a non-browser app like Outlook, so the user doesn't have access to his email from the remote machine he's trying to use?" Well, I hypothesize that a person with only Outlook is a one-machine-only user, who could have his bookmarks easily handy, because I hypothesize that a user-of-multiple-machines would, as his first action, get a browser-based email account.

One observation is that, one could send the webkey to an email account as part of the signon. Then for a typical user (well, for me, anyway), I could retrieve the webkey from my email system without going to the logon page at all, I would just get it from my email archive.


> In this case, suppose we take a page from the "Forgot your 
> password?" folks. Have a public memorable page into which you 
> simply type your email address, and the system sends an 
> appropriate webkey to that email. Then you log into your 
> email account using the email system signon-password, and 
> click the link in the new message. This way, you are not 
> adding yet another !@#$ password to the poor user's woes.

More information about the cap-talk mailing list