
Automatic website login


Weaver:
I wish that web browsers could just optionally log you in to certain websites without any prompts of any sort, either by injecting a username and password into the required form and then just hitting go-for-it or else by using some other purpose-built streamlined authentication protocol that is meant for a machine-to-machine conversation.

I know some people would go mad about security, but it would be fine if it was off by default, had a per-website on/off override, and gave you the options of (i) normal username and password entry, (ii) the browser asks the o/s to authenticate the user locally somehow (for example I now have fingerprint reading for this on my iPad before the browser will release the saved username+password combination), or (iii) just go for it. And the system ought to make it very easy for the user to change the settings by showing you a relevant control and locating the correct specific per-website setting and the overall default behaviour preference setting. Also it should be very easy to delete the saved credentials. And finally there needs to be a temporary lock where you can engage an override so that the system goes back to old behaviour (i) - for situations where someone else is lurking around and might gain access to your machine but you don’t want to have to lock it right now.

(This is only tolerable in a system that has a lock and identification of the user by the o/s and shell / UI login session manager, so that the browser can check and be assured that the user is identified and suitable locking practices are in force. If the user turns the overall login session lock off - no timeout, or has no password - or whatever, then there should be a fail reported to the browser when it does a match against a minimum sane security policy level, so the browser can then possibly warn the user and offer to switch to behaviour (i). It should be the user’s choice ultimately because the machine might be physically secured with no other users ever present.)

I’m really fed up with the number of times I have to log in to different websites again and again throughout the day. iOS Safari has also had a mad phase of offering me the wrong username combined with some password or other when visiting a certain site. Sometimes it’s the wrong username but that user does exist in that website. Sometimes I think that the cause is something like user-A at sub1.example.com vs user-A at sub2.example.com or user-A at example.com one level up, so a user that does exist but at the wrong website, although it is a related one. And I think, I’m not sure, that you can persuade iOS Safari to pick a username+password from a completely irrelevant website and use that. It comes up with a nightmare long choice list because it shows you a list that contains all the websites in the world. This might be something to do with the browser having understandable difficulty when two URIs are in fact exactly the same website, especially www.example.com vs example.com, and you can’t get any help by comparing IP addresses either. I wonder if there is a spec for declaring some kind of canonical URI for the top level of websites? There ought to be. Could put it in headers and/or in the head section of (x)html.
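The cross-subdomain offers described in the post above are what browser password managers do by design: credentials are scoped to the page's registrable domain (eTLD+1, derived from the Public Suffix List), not to the exact host, so an entry saved at www.example.com is also offered at example.com and sub1.example.com, and one saved at sub2.example.com turns up at sub1.example.com. The block below is an added example, not code from this thread; the tiny suffix list, the vault entries and the origins are constructed for illustration.

```javascript
// Added example, not code from this thread: how a browser or password manager decides which
// saved credentials to offer on a page. A real implementation loads the full Public Suffix
// List; this constructed subset is an assumption for the example.
const PUBLIC_SUFFIXES = new Set(["com", "org", "uk", "co.uk", "github.io"]);

// Registrable domain of a hostname: the longest matching public suffix plus one label.
// Scanning from the left finds the longest suffix first. Returns null for a bare suffix
// such as "co.uk", which must never match anything.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // Unknown TLD: the PSL's implicit "*" rule treats the last label alone as the suffix.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// Constructed vault entries, keyed by the origin each was saved from.
const VAULT = [
  { origin: "https://www.example.com",  username: "user-A", password: "pw-1" },
  { origin: "https://sub2.example.com", username: "user-A", password: "pw-2" },
  { origin: "https://alice.github.io",  username: "user-B", password: "pw-3" },
];

// Registrable-domain matching: offer any HTTPS entry whose saved origin shares the page's
// registrable domain. Plain-HTTP pages get nothing, since a network attacker could inject
// a login form and harvest whatever is autofilled.
function credentialsFor(pageOrigin, vault = VAULT) {
  const page = new URL(pageOrigin);
  const domain = registrableDomain(page.hostname);
  if (page.protocol !== "https:" || domain === null) return [];
  return vault.filter((c) => {
    const saved = new URL(c.origin);
    return saved.protocol === "https:" && registrableDomain(saved.hostname) === domain;
  });
}

// Stricter exact-origin matching for comparison: no offers across subdomains, but also
// no fill at example.com for an entry that was saved at www.example.com.
function credentialsForExactOrigin(pageOrigin, vault = VAULT) {
  const page = new URL(pageOrigin).origin;
  return vault.filter((c) => new URL(c.origin).origin === page);
}

// Demo: which usernames each policy would offer on a few constructed pages.
for (const o of ["https://sub1.example.com", "https://example.com",
                 "https://bob.github.io", "http://www.example.com"]) {
  const show = (list) => list.map((c) => `${c.username}@${new URL(c.origin).hostname}`);
  console.log(o, "domain:", show(credentialsFor(o)), "exact:", show(credentialsForExactOrigin(o)));
}
```

The github.io entry shows why the suffix list matters: without it, alice.github.io and bob.github.io would share a registrable domain and one user's saved password would be offered on another user's site. Note that exact-origin matching removes the spurious offers but also breaks the www.example.com vs example.com case the post complains about; that trade-off is why browsers match on the registrable domain.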

niemand:
Use a browser extension like LastPass?

Chrome already does this by the way. Uses your Google account to authorise you.

Weaver:
I have 1Password, but it seems to offer few advantages over the iOS built-in system in Safari. Also you then have to choose which subsystem to use which is yet another question to have to answer. I just wish Safari could be set up to bypass everything and let me get on with things.

sevenlayermuddle:
I’m no expert in web design, let alone secure web pages that require login. But isn’t permanency (is that a word?) of login down to the website designer? I would imagine authors of websites that host valued data might feel they have a responsibility to require fresh login from time to time, simply to mitigate the damage if a device gets stolen, or some kind of cookie theft exploit is found?

Per the half-way house, ease of login, as opposed to permanent login, Apple’s Safari is the one I trust, login details being encrypted in iCloud keychain. Like any other software, iCloud & keychain might one day be compromised but for all their faults, major OS vendors like Microsoft, Google, Apple, clearly employ good engineers, with management that have a strong incentive (reputation) to provide funding to get these things right.

I’d be less inclined to put my trust in a here-today/gone-tomorrow startup, no matter how good their product. No implication intended as to pedigree of aforementioned 1password, of which I hold no opinion whatsoever, either good or bad. :)

Not that long ago, before OS support for native user-level encryption, many browsers would have stored passwords in plain text that could be easily retrieved from a stolen disk without needing to break any encryption or to crack any passwords at all. I assume all OSes have moved on from that?

Weaver:
I think the answer is, it depends. The extreme is some corporate nazi sysadmin designer who imposes the will of the company on the users and to hell with what they want. Those users are not trusted to behave or be clued up about security.

The other extreme is where a designer wants to give users the best experience and users are trusted but defaults are wise in security terms. Also users who are not clued up are well catered for. Here users who make active choices are assumed to know what they are doing and are trusted, and the operating system and the associated UI are assumed to be doing a good job in security terms in a well designed o/s where the user’s session is locked down well by the o/s and wheel reinvention by the browser is not required. Of course if the o/s is rubbish then the site designer or browser designer will feel they have to take additional measures.

Giving users control, convenience, trusting them and empowering them so that they get the best experience is a good thing. But obviously it’s no good if the user cannot be trusted, and there is more than one scenario here. Safe defaults and configurability: in the second picture, it seems to me that that’s the right way to go.
