[WEB SECURITY] Password-less login ?

Nick Nikiforakis nikiforakis.nick at gmail.com
Mon Jan 28 13:19:59 EST 2013


Glen,

Check out this paper that advocates the use of such identifiers instead of
session cookies and other ambient credentials:

Web-key: Mashing with permission
http://w2spconf.com/2008/papers/s4p2.pdf

It addresses the 4 things that Michal listed and
it's generally a very pleasant read.

Cheers
Nick

On Mon, Jan 28, 2013 at 6:55 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:

> >
> https://someserver.com/login/a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2
>
> In general, there are four things to be aware of:
>
> 1) Credentials encoded in the URL are very easy to accidentally leak
> in any outgoing Referer headers, in screenshots, etc. This can be
> mitigated, but it's also easy to mess things up.
>
> 2) Credentials encoded in the URL will by default end up in the logs
> of the HTTP server - although again, this can be fixed. They may also
> get recorded by various proxies, AV tools, browser toolbars, etc -
> which is a bit harder to contain.
>
> 3) The user will be dependent on having access to bookmarks or some
> other way to retrieve that URL to be able to log in from a particular
> computer, since it's impossible to remember; and if his bookmarks are
> deleted or corrupted, you will need to deal with account recovery. If
> you are willing to put up with this, you may also want to consider
> client SSL certificates or so as an alternative form of
> authentication.
>
> 4) Since all the information needed to access the account is stored on
> the computer, any system compromise can be used to recover the access
> token immediately, rather than waiting for the user to interact with
> the targeted site. This may or may not matter.
>
> /mz
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>
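Where the credential in the thread's example URL actually ends up, and the two mitigations the discussion points at (moving the token into the URL fragment, which is the web-key approach, and redacting it from the access log), as an added example. This is not code from the thread or from the web-key paper; the token is the one from the example URL above, the `/login#<token>` layout and the access-log line are assumptions constructed for the example.

```javascript
// Added example (not code from the thread or from the web-key paper).
// For the thread's hypothetical https://someserver.com/login/<token> URL it
// shows which parts a browser copies into the Referer header, and two
// mitigations: carrying the token in the URL fragment (the web-key approach)
// and redacting it from server access logs. The log line is constructed.

const TOKEN = "a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2";
const PATH_STYLE = `https://someserver.com/login/${TOKEN}`;

// Value a browser sends as Referer when the user follows a link away from
// pageUrl under no-referrer-when-downgrade, the browser default when this
// thread was written: scheme, host, path and query are kept; fragment and
// userinfo are stripped. Returns null for non-http(s) pages, which send none.
function refererFor(pageUrl) {
  const u = new URL(pageUrl);
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  u.hash = "";
  u.username = "";
  u.password = "";
  return u.href;
}

// Web-key style URL: the unguessable token lives after '#', so the browser
// never puts it on the wire (not in the request line, not in Referer) and the
// page's own script reads it from location.hash. The "/login#<token>" layout
// is an assumption made for this example.
function toFragmentStyle(pathStyleUrl) {
  const u = new URL(pathStyleUrl);
  const parts = u.pathname.split("/");
  const token = parts.pop();
  u.pathname = parts.join("/") || "/";
  u.hash = token;
  return u.href;
}

// What the page script does with such a URL: recover the token from the
// fragment (hash includes the leading '#').
function tokenFromFragment(url) {
  const h = new URL(url).hash;
  return h.startsWith("#") ? h.slice(1) : "";
}

// Mitigation for the path-style design: scrub the token before the request
// line is written to the access log. Matches 40+ hex chars after /login/.
const TOKEN_IN_PATH = /(\/login\/)[0-9a-f]{40,}/gi;
function redactLogLine(line) {
  return line.replace(TOKEN_IN_PATH, "$1[REDACTED]");
}

// Constructed Apache-style access log line for the example.
const SAMPLE_LOG =
  `203.0.113.7 - - [28/Jan/2013:13:19:59 -0500] "GET /login/${TOKEN} HTTP/1.1" 200 512 "-" "Mozilla/5.0"`;

console.log("Referer from path-style URL:    ", refererFor(PATH_STYLE));
console.log("Referer from fragment-style URL:", refererFor(toFragmentStyle(PATH_STYLE)));
console.log("Redacted log line:              ", redactLogLine(SAMPLE_LOG));
```

Run with `node`. The first line prints the full token, the second only `https://someserver.com/login`. Two caveats a practitioner should keep in mind: newer browser defaults (strict-origin-when-cross-origin) already trim the path from cross-origin Referers, but same-origin navigations and older clients still send it, so the fragment form is the only one that keeps the token off the wire; and log redaction only covers the server's own log, not the proxies, AV tools and toolbars named in point 2, which see the full request line.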