Email-based Authentication

From a user's point of view, OpenID works something like this:

1. You browse to a site you like that uses OpenID, and click the "login" button
2. You enter your OpenID
3. You are redirected to the site that authenticates your OpenID.
   Note: You may be asked to login with a username and password for that site if you haven't done so recently.
4. You are redirected back to the original site you browsed to, and are automatically logged in

Today I got to thinking that this is quite similar to how the "reset my password" link on most websites works:

1. You browse to a site you like, and click the "reset my password" button
2. You enter your username or email address
3. You Alt+Tab to your email client, or Ctrl+Tab to your web-based email client.
   Note: You may be asked to login with a username and password for your email server if you haven't done so recently.
4. You Alt/Ctrl+Tab back to the original site you browsed to, paste in the newly generated password, and are logged in

In OpenID terms, I guess this means that email is a relying party.

Which makes me wonder: if a browser plug-in could automatically receive, extract and paste replacement passwords from emails, we'd get most of the benefits of OpenID without any adoption issues. Thoughts?

Hello, I'm Paul Stovell

I'm a Brisbane-based software developer, and founder of Octopus Deploy, a DevOps automation software company. This is my personal blog where I write about my journey with Octopus and software development.

I write new blog posts about once a month. Subscribe and I'll send you an email when I publish something new.

Subscribe