Email-based Authentication
From a user's point of view, OpenID works something like this:
- You browse to a site you like that uses OpenID, and click the "login" button
- You enter your OpenID
- You are redirected to the site that authenticates your OpenID. Note: you may be asked to log in with a username and password for that site if you haven't done so recently.
- You are redirected back to the original site you browsed to, and are automatically logged in.
Today I got to thinking that this is quite similar to how the "reset my password" link on most websites works:
- You browse to a site you like, and click the "reset my password" button
- You enter your username or email address
- You Alt+Tab to your email client, or Ctrl+Tab to your web-based email client. Note: you may be asked to log in with a username and password for your email server if you haven't done so recently.
- You Alt/Ctrl+Tab back to the original site you browsed to, paste in the newly generated password, and are logged in.
In OpenID terms, I guess this means that your email provider is playing the part of the OpenID provider (the party that actually authenticates you), and the site you wanted to use is the relying party.
Which makes me wonder: if a browser plug-in could automatically receive, extract and paste replacement passwords from emails, we'd get most of the benefits of OpenID without any adoption issues. Thoughts?
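To make the idea concrete, here is an added example (not code from the original post) that simulates both halves of the flow above: a toy site that issues one-time login tokens by email, and the imagined browser plug-in that pulls the token out of the mail and hands it straight back. The site name `example.test`, the token lifetime, the URL format and the in-memory "outbox" are all assumptions made for the example. The checks the site performs are the ones a practitioner would insist on, because once email is the authenticator, the token in that mail is the whole secret: it must be unguessable, stored only as a hash, valid once, and valid briefly.

```python
import hashlib
import re
import secrets
import time
from dataclasses import dataclass, field

# Assumed token lifetime; a real site would pick something similarly short.
TOKEN_TTL_SECONDS = 600


@dataclass
class Site:
    """Toy relying site: issues one-time login tokens by email and redeems them."""
    users: dict = field(default_factory=dict)    # email address -> username
    pending: dict = field(default_factory=dict)  # sha256(token) -> (email, expiry)
    outbox: list = field(default_factory=list)   # constructed "sent mail", newest last

    def request_login(self, email, now=None):
        """Generate a fresh token for a known address and 'send' it by email."""
        now = time.time() if now is None else now
        if email not in self.users:
            # Stay silent so the request cannot be used to enumerate addresses.
            return
        token = secrets.token_urlsafe(32)  # 256 bits of entropy; never reused
        # Store only a hash: a dump of the pending table must not yield live tokens,
        # and looking up the digest avoids a byte-by-byte compare on the secret itself.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (email, now + TOKEN_TTL_SECONDS)
        self.outbox.append(
            f"To: {email}\nSubject: Your login link\n\n"
            f"Click to log in: https://example.test/login?token={token}\n"
        )

    def redeem(self, token, now=None):
        """Exchange a token for a logged-in username, or None if it is not valid."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop: a token works exactly once
        if entry is None:
            return None
        email, expiry = entry
        if now > expiry:
            return None
        return self.users[email]


# What the imagined plug-in does: find the login URL in the mail and keep the token.
TOKEN_RE = re.compile(r"https://example\.test/login\?token=([A-Za-z0-9_-]+)")


def extract_token(mail_body):
    match = TOKEN_RE.search(mail_body)
    return match.group(1) if match else None


def login_via_email(site, email, now=None):
    """The whole round trip: ask for a token, read it from the mail, redeem it."""
    before = len(site.outbox)
    site.request_login(email, now)
    if len(site.outbox) == before:
        return None  # nothing was sent (unknown address), so nothing to paste
    token = extract_token(site.outbox[-1])
    return site.redeem(token, now) if token else None


if __name__ == "__main__":
    site = Site(users={"alice@example.test": "alice"})
    print(login_via_email(site, "alice@example.test"))    # alice
    print(login_via_email(site, "mallory@example.test"))  # None
```

Note what this does and does not buy you: the site never learns an email password, and the user never remembers one, but anyone who can read the mailbox (or the mail in transit, if it is not encrypted) can log in as that user, so the scheme is exactly as strong as the email account behind it.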