(Yes, that is me on the left…)
Imagine you have some diamonds. Small, valuable and very, very desirable. You don’t want them to get nicked, so you lock them in a safe with a bloody massive key. Made of splendonium and other magical unbreakable materials. And then you take your splendonium key and you put THAT in ANOTHER safe, just to be sure. And you lock the second safe using the cheapest Yale lock you can find. In a fitting so loose that you don’t even need a credit card to slide the mechanism across. You could probably do it with a beer mat.
A security system is, rather obviously, only as strong as its weakest component. I am reminded of that wretched Verified by Visa thing where it looks rather like there’s a nice splendonium key that you have to use to confirm your transaction, but if you forget it, you only actually need to know your (or your victim’s) date of birth to generate a new one. So why not just ask for the sodding date of birth outright then and spare us all the pretence? (We know it’s some rubbish to do with perceived liability, but that’s not the point of this post.)
———
UPDATE 23 March 2013
It seems there have been some changes: a new version just popped up, asking me to repeat three fields of information I’d just given the vendor, and asking me to add date of birth. No more of that ridiculous, and often one-use, password. Somebody obviously thought a bit harder about the information flow. But it’s still a heap of shit.
———
So, back to the point. If there’s a short-cut through a system, making the best use of known information, why does the following STILL happen as a matter of course:
- I go to a website I visit very infrequently, say to buy some teabags.*
- It asks me to enter my email address. So far so good.
- It asks me for my password. Uh-oh. Not a clue.
- I click on the button marked “Forgotten password?”
- I enter my email address again on the next screen and click SEND.
- I go to my inbox and find the email.
- Best case, I can see the password there. Actually, it’s not that great a case, as I might just, carelessly, have used it elsewhere, and now it’s being sent over the Internet in clear. Hmm.
- Worst case, I get a link to trigger a password reset process, involving me going back to the site and picking a new one.
- Finally, I limp back to the site with my old/new password, log in, and try and remember what I was going there for. And I have to go through all this–with many password resets–every time I visit.
Not that great, really. And what was really going on, in logical terms? I was being asked if I had access to the email account I claimed to have. That’s all. The rest was all about their convenience–making me think I had some sort of special, sticky “membership” relationship with them–not mine. I just wanted teabags; not to be a sticky member.
So why not just design in that route–or a vastly simplified version of it–from the start?
Try this:
- I go to a website I visit very infrequently, say to buy some teabags.
- It asks me to enter my email address. So far so good.
- It offers me a choice–two options: “enter your password” (if you can remember it) OR “log-in via email”.
- Being no great fan of having a password for a site I barely use, I click the latter option.
- I go to my inbox and find the email.
- It’s only got one thing in it. A big fat link that I click to get straight back to the site, logged in, with all my previous purchases winking at me for a repeat order. No password change. No bother.
Am I missing something? Why doesn’t this happen everywhere, as a matter of course?
*Probably only William Heath who’ll spot the in-joke there…
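The "log-in via email" flow listed above, and the token half of the password-reset loop in the first list (which is the same mechanism underneath), as an added Python example that is not code from the post. The site URL, the fifteen-minute link lifetime and the customer list are assumptions for illustration. The server keeps only a hash of the token, the link works exactly once, and the clock is injectable so that expiry can be exercised in a test:

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Assumed policy values for this example; the post does not specify them.
TOKEN_TTL_SECONDS = 15 * 60                      # a link stops working after 15 minutes
LOGIN_URL = "https://shop.example/login/email"   # placeholder site, not a real shop


@dataclass
class LoginToken:
    email: str
    token_hash: bytes   # only a hash is stored server-side; the raw token exists only in the email
    expires_at: float
    used: bool = False  # a link works exactly once


class MagicLinkLogin:
    """Server side of the 'log-in via email' option described in the post."""

    def __init__(self, known_emails, now=time.time):
        self.known_emails = set(known_emails)
        self.now = now      # injectable clock so expiry can be tested
        self.tokens = {}    # token id -> LoginToken

    def request_login(self, email):
        """Steps 2-4: the user typed an address and chose 'log-in via email'.

        Returns the URL to put in the email, or None if the address is unknown.
        Whatever this returns, the page shown to the user should read the same
        ("check your inbox"), so the form does not reveal which addresses exist.
        """
        if email not in self.known_emails:
            return None
        token_id = secrets.token_urlsafe(8)     # lookup key, carries no secret
        raw_token = secrets.token_urlsafe(32)   # 256 bits of randomness, never stored in clear
        self.tokens[token_id] = LoginToken(
            email=email,
            token_hash=hashlib.sha256(raw_token.encode()).digest(),
            expires_at=self.now() + TOKEN_TTL_SECONDS,
        )
        return f"{LOGIN_URL}?id={token_id}&t={raw_token}"

    def consume_link(self, token_id, raw_token):
        """Step 6: the user clicked the link.

        Returns (email, "ok") on success, otherwise (None, reason). The reason is
        worth logging: "already_used" is exactly the signal you get if someone who
        saw the email followed the link before its owner did.
        """
        record = self.tokens.get(token_id)
        if record is None:
            return None, "invalid"
        if record.used:
            return None, "already_used"
        if self.now() > record.expires_at:
            return None, "expired"
        presented = hashlib.sha256(raw_token.encode()).digest()
        if not hmac.compare_digest(presented, record.token_hash):
            return None, "invalid"
        record.used = True
        return record.email, "ok"


def parse_link(url):
    """Pull the id and token back out of a link, as the site would on click."""
    params = parse_qs(urlparse(url).query)
    return params["id"][0], params["t"][0]


if __name__ == "__main__":
    shop = MagicLinkLogin(["alice@example.com"])   # constructed customer list
    link = shop.request_login("alice@example.com")
    print("email body:", link)
    print("first click:", shop.consume_link(*parse_link(link)))
    print("second click:", shop.consume_link(*parse_link(link)))
```

Because the raw token is never stored, a copy of the token table is useless on its own, and because a link is single-use with a short lifetime, the window in which a copied email is worth anything is small; the "already_used" outcome is the thing to alert on, since it is what the legitimate customer sees when somebody else got there first.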
ixda.org had a login-via-mail-only option; there is an old discussion about it: http://www.ixda.org/node/15282
Then I believe in the past year they switched to login+password option, I wonder why.
Genius
I think what you’re missing is intimated in your post – the login link is sent plain text, so anyone snooping the traffic can grab the link and log in as you, before you.
Agreed – that exposure does exist. But it exists any time there is a plaintext email loop which allows for password reset. Which is quite a lot of the time. We are talking about trivial shopping sites here, not personal banking or benefit claims. There is no personal data of any relevance at risk, and if payment credentials are being held in a retrievable format on the site we are looking at rather a bigger problem in any case.
As always, the measures should be proportionate to the risk. But when we’re talking about malevolently buying teabags in my name, or even posting some inflammatory comments in a forum, it’s not really that much of an issue, is it?
Ultimately, there’s always going to be the potential for exploits in the administration of one’s registration on a site, whether that be one-time impersonation, or wholesale locking out, by changing password and/or registered email address. In the latter case, my solution would require a harder approach to the “changing my registered email address” function than merely, erm, using the email address – perhaps through known facts or shared secrets challenge, but it’s hardly insurmountable – and would make the bulk of interactions vastly smoother. Which, after all, is the point of interaction design.
Sadly security is very rarely about what is good for the user, but about either limiting liability for the site, or more often getting enough detail to keep spamming you about teabags thanks to some misconception about how relationship marketing actually works.
Verified by Visa is even worse because it adds a step to the process for very little value (vs something like two factor auth which might actually make things more secure…)