Great question! Some ideas include: key, freepass, sitecode, pin, sitepass, secret. Right now, I'm trying out the name Handshake. What do you think of it?
We are experimenting with a new form of login. Instead of passwords, the site and the visitor share a secret handshake anytime they need it. This link, or short bit of text, is temporary. There's nothing to remember, forget, or have stolen.
The goal is to reduce the frustration, friction, and insecurity that come from weak, forgotten, and stolen passwords -- or, in other words -- to increase security, privacy, and trust.
Yes. And no. Facebook, Google, and a few other services dominate social, or federated, sign-on. While their system reduces some frustration, it compromises privacy and requires people to join a service (and all the terms that come with it) that they might not want.
No. Many sites use a cookie in your browser to keep you logged in between visits, so you don't need to do the handshake often. Good sites ask you if you want them to “remember me on this computer” or not.
This system allows you to use a password if you prefer it for your situation. It only sends the secret handshake if you don't have one. You can switch between using a password or not very easily.
In some ways, yes. But it's fleeting, temporary -- there when you need it, gone when you don't. Why don't we just call it a temporary password? Bad habits are hard to break. We need to tilt the paradigm, to change the conversation around privacy and security, to redesign the web we have and help build the web we want. This system favors getting rid of passwords as we know them.
This doesn't use new technology. Instead, it reframes a safe and common password recovery process. It rearranges existing experiences to help us avoid the weakest links in our security: weak passwords, vulnerable password storage, and passwords that somebody repeatedly uses on many sites. It is more secure than the most common current solution.
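A minimal sketch of the temporary handshake described above, added here as an example and not this site's own code: each handshake is random, single-use, short-lived, and stored only as a hash, so the server holds nothing an attacker could replay. The `HandshakeStore` name, the 10-minute lifetime, and the in-memory dict are assumptions.

```python
import hashlib
import secrets
import time


class HandshakeStore:
    """Pending handshakes, kept in memory for illustration (assumed design)."""

    def __init__(self, ttl=600, clock=time.time):
        self._pending = {}   # sha256(token) -> (email, expiry timestamp)
        self._ttl = ttl      # seconds a handshake stays valid (assumed value)
        self._clock = clock  # injectable so expiry can be tested

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8", "replace")).hexdigest()

    def issue(self, email):
        """Create a handshake; the caller delivers it by email or text."""
        now = self._clock()
        # Drop expired entries and any earlier handshake for this address,
        # so only the most recently sent one can log in.
        self._pending = {
            d: (e, exp) for d, (e, exp) in self._pending.items()
            if exp > now and e != email
        }
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Only the digest is stored: a leaked store holds no usable secret.
        self._pending[self._digest(token)] = (email, now + self._ttl)
        return token

    def redeem(self, token):
        """Return the email for a valid handshake exactly once, else None."""
        # Looking up by digest means a wrong guess consumes nothing, while
        # pop() makes a correct handshake unusable after its first use.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires = entry
        return email if self._clock() < expires else None


if __name__ == "__main__":
    store = HandshakeStore()
    link_token = store.issue("visitor@example.com")  # constructed address
    print(store.redeem(link_token))   # first use logs the visitor in
    print(store.redeem(link_token))   # second use is rejected
```

A successful `redeem` is the point at which a site would set the "remember me" cookie mentioned earlier.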
If they do that, all of your accounts are already vulnerable because of the “forgot password” link. This handshake system makes it more obvious that you must protect your email. And, using more handshakes and fewer passwords makes it more likely that your password for your email will be unique and strong.
Soon, yes. There's no reason you can't have your handshake sent to you via email or text or both. In theory, we could send it anywhere, even to a URL that triggers your Arduino login sidekick.
You could, by using text messages to receive your handshake. Vital sites with email, health records, and bank and credit card info should probably use "two-factor authentication." In other words, they should require a password and a handshake of some form.
Uh, maybe? But remember: security at the expense of usability comes at the expense of security. If a system is impractical, people will find shortcuts that make it less secure.