[WEB SECURITY] Password-less login?
nikiforakis.nick at gmail.com
Mon Jan 28 13:19:59 EST 2013
Check out this paper that advocates the use of such identifiers instead of
session cookies and other ambient credentials:
Web-key: Mashing with permission
It addresses the 4 things that Michal listed, and
it's generally a very pleasant read.
On Mon, Jan 28, 2013 at 6:55 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
> In general, there are four things to be aware of:
> 1) Credentials encoded in the URL are very easy to accidentally leak
> in any outgoing Referer headers, in screenshots, etc. This can be
> mitigated, but it's also easy to mess things up.
> 2) Credentials encoded in the URL will by default end up in the logs
> of the HTTP server - although again, this can be fixed. They may also
> get recorded by various proxies, AV tools, browser toolbars, etc -
> which is a bit harder to contain.
> 3) The user will be dependent on having access to bookmarks or some
> other way to retrieve that URL to be able to log in from a particular
> computer, since it's impossible to remember; and if his bookmarks are
> deleted or corrupted, you will need to deal with account recovery. If
> you are willing to put up with this, you may also want to consider
> client SSL certificates or so as an alternative form of
> 4) Since all the information needed to access the account is stored on
> the computer, any system compromise can be used to recover the access
> token immediately, rather than waiting for the user to interact with
> the targeted site. This may or may not matter.
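As an added example (not code from this thread or from the Web-key paper), the following Python shows the leakage behind points 1 and 2 of the quoted message and one mitigation for each: what a browser actually transmits of a capability URL, and therefore what can land in an outgoing Referer header or the server's access log, when the secret sits in the query string versus in the fragment, plus a scrubber for access-log lines when the query form cannot be avoided. The URLs, the token value, the parameter names and the log line are all constructed.

```python
# Added illustration, not code from the thread or from the Web-key paper.
# Assumptions (all constructed): the secret is an opaque capability token
# carried either as a ?key= query parameter or after '#', and the access log
# uses the common Apache/nginx combined format.
import re
from urllib.parse import urlsplit, urlunsplit

def server_visible(url: str) -> str:
    """The part of a URL the browser actually transmits: scheme and host
    (for the connection) plus the request-target (path and query).
    The fragment never leaves the browser, so it cannot reach the access
    log, a proxy, or an outgoing Referer header (points 1 and 2)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))

def referer_for(url: str) -> str:
    """Referer value a browser derives from the current page's URL under the
    default policy: the same request-target, fragment stripped."""
    return server_visible(url)

def leaks_secret(url: str, secret: str) -> bool:
    """True if the secret would show up in a Referer header or server log."""
    return secret in referer_for(url)

# Query parameter names that carry credentials (constructed list).
SECRET_PARAMS = ("key", "token", "auth")
_SECRET_RE = re.compile(r'\b(%s)=[^&\s"]*' % "|".join(SECRET_PARAMS))

def redact_log_line(line: str) -> str:
    """Mitigation for point 2 when the query form cannot be avoided: scrub
    credential-bearing parameters before the line is stored or shipped."""
    return _SECRET_RE.sub(r"\1=REDACTED", line)

if __name__ == "__main__":
    secret = "k7Qz9"  # constructed token value
    for u in ("https://app.example/inbox?key=k7Qz9",
              "https://app.example/inbox#k7Qz9"):
        print(u, "->", server_visible(u), "leaks:", leaks_secret(u, secret))
    log = ('10.0.0.1 - - [28/Jan/2013:13:19:59 -0500] '
           '"GET /inbox?key=k7Qz9&view=all HTTP/1.1" 200 512')
    print(redact_log_line(log))
```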