1 With many users no longer having an openid account, and Persona seeming to
2 be dying on the vine, and no other replacements looking very likely (except
3 for Oauth type stuff perhaps), it would be good to have a new easy way to
4 log into ikiwiki, that doesn't need pre-registration.
6 Importantly, I want something that is not going to go
7 the way of openid in the future. I think that email is here to stay; at
8 least anyone who wants an email address is going to be able to get one in
9 the forseeable future. (Google and large providers are making it harder to
10 run small email systems, but it's still very possible, and there are at
11 worst many large providers.)
13 I've read about email being used for login auth, and seen it once or twice.
14 While I can't remember any links right now, the basic idea is:
16 1. user enters email address into form
17 2. response page says "a login link has been emailed to you"
18 3. user opens email and clicks login link
19 4. user is logged in until the cookie expires or is cleared
21 A few points to make this more secure:
23 * Only 1 login link should be active at a time; old ones won't work to log in.
24 * A login link is only valid for a single login. Once it's used, it cannot
25 be used to log in again.
26 * A login link is only valid for a certain period of time. 24 hours seems
27 like more than enough, and 12 hours would probably be plenty too.
28 This timeout means a user doesn't need to worry about their email
29 archives being used to log in.
31 Still, this could be attacked:
33 * If an attacker can access a user's inbox, they can generate a new login
34 link, and log in as them. They are probably busy draining their bank
35 account by this method and not logging into some wiki though.
36 * If TLS is not used for the email transport, a MITM can snoop login links
37 and use them. Again probably more lucrative ways to exploit such a MITM.
38 * If https is not used for the login link, a MITM can intercept and proxy
39 web traffic and either steal a copy of the cookie, or use the login
40 link themselves without letting the user log in. This attack seems no
41 worse than using password authentication w/o https, and the solution is
43 * If an attacker wants to DOS a wiki, they can try to get its domain, IP,
44 whatever blacklisted as a spam source.
46 These attacks don't seem worth not doing it; many of the same attacks can
47 be performed against openid, or passwordauth. Eg, reset password and
52 * Use the email address as the username.
53 * Sanitize the email for display in recentchanges etc.
54 * The login link should be as short an url as possible, while containing
55 sufficient entropy. Some email clients will let the user click on it,
56 but some users will need to cut and paste.
57 * The `adminemail` config setting has a bit of overlap with an `adminuser`
58 set to an email address. Probably worth keeping them separae though;
59 the `adminemail` is an email address to display, and we may not want to
60 let anyone who can read the adminemail's mailbox to log into the wiki.
61 * Will want to make passwordauth reject registrations that contain `@`.
62 Otherwise, someone could use passwordauth to register as a username that
63 looks like an email address, which would be confusing to possibly a
64 security hole. Probably best to keep passwordauth and emailauth accounts
66 * Currently, subscription to comments w/o registering is handled by
67 passwordauth, by creating a passwordless account (making up a username,
68 not using the email address as the username thankfully). That account can be
69 upgraded to a passworded account if the user follows a link in comment
70 mails to login. So there is considerable overlap between that and
72 * Adapting the passwordauth reset code is probably the simplest way to
73 implement emailauth. That uses a CGI::Session id as the entropy.
75 Thoughts anyone? --[[Joey]]