Is this a viable method for securing user accounts without passwords?

I stumbled upon a method for securing user accounts without a password and want to know if it’s viable. I don’t have any formal programming education or professional experience, or know any developers personally, but have been practicing and learning independently through the web for about 7 years. It’s very difficult for me to know what information I’m missing though, and I would appreciate constructive feedback.

I’m working on a PHP based project and it’s the first time I’m implementing an email verification system. I had already implemented a “remember me” feature which was going to use a cookie essentially as the password to grant that device access to the user’s account, and this cookie was also stored in a database with a browser fingerprint of the device it was set on. I was also requiring users to have a valid, active email to create an account for the purpose of email verification, and it was through this email that I was associating the cookie on their device with access to their account. And then I dropped the “passwordhash” column from the “accounts” table and deleted all references to “password” from my code.

Next I gave the user control over the cookies which grant access to their account. The user’s account page displays all cookies which grant access to their account, and the user can revoke a cookie’s access at any time. Then I implemented a repeatable email verification so that users could set different access cookies on different devices. This works even if the user is on a device which doesn’t have access to their account, and even if no cookies currently grant access to their account, in which case they just need to manually enter the email address associated with their account and send the verification email, then follow the link in their email using any device to regain access to their account on that device.

The program also revokes cookies if a cookie is detected on a device with a browser fingerprint that doesn’t match the browser fingerprint in the database. When an access cookie is revoked, the status of that cookie is changed in the database so it no longer provides access to any accounts, and any instances of that cookie detected on any devices in the future will be unset.

*URL removed so it does not look like you are spamming the forum*
Please view the project at my development URL and experience how it works. The project is themed around a video game and ultimately will be a companion app to a video game, so be patient with the color scheme and square corners. To create an account, navigate to the Account page, enter a Gamer ID and email address, then press the Create New Account button. The Gamer ID is just a username. None of your information will be retained. After you create an account, please experience granting access to new devices (if you have multiple devices to test on) and revoking access cookies.

From the user perspective, even though this account would be necessarily tied to my email account, I think this experience is still much better than using a conventional password. But from a developer perspective, what are the vulnerabilities, and can they be mitigated to the point where this is a viable “replacement” for passwords? Obviously the security ultimately depends on the security of an email account, but often that’s true even when a conventional password is used.
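The scheme described in the question (emailed verification link, per-device access cookie, fingerprint-triggered revocation, user-visible revocation list) is shown below as an added example, written for this page and not taken from the author's PHP project. It is in Python rather than PHP, uses in-memory dicts in place of the "accounts" and cookie tables, and every name, field and TTL in it is an assumption. The points a practitioner would want are in the comments: the server stores only a hash of each token, links are single-use and time-limited, the client-supplied fingerprint is treated as a theft signal rather than a credential, the account page never exposes the raw cookie value, and revocation checks that the cookie belongs to the caller.

```python
"""Passwordless login: emailed one-time links plus per-device access cookies.

Added example in Python (the post's project is PHP); it is not the author's
code. In-memory dicts stand in for the 'accounts' and cookie tables the post
describes, and the TTLs, field names and method names are all assumptions.
"""
import hashlib
import secrets
import time
from typing import Callable, Dict, List, Optional

LINK_TTL = 15 * 60              # a login link expires after 15 minutes (assumed)
COOKIE_TTL = 30 * 24 * 60 * 60  # a device cookie expires after 30 days (assumed)


def _digest(secret: str) -> str:
    """Only this hash is stored; a leaked table then holds nothing replayable."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


class AccountStore:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.accounts: Dict[str, int] = {}         # lowercased email -> account id
        self.pending_links: Dict[str, dict] = {}   # digest(link token) -> record
        self.device_cookies: Dict[str, dict] = {}  # digest(cookie) -> record

    def create_account(self, email: str, gamer_id: str) -> int:
        key = email.strip().lower()
        if key in self.accounts:
            raise ValueError("email already registered")
        account = len(self.accounts) + 1
        self.accounts[key] = account
        return account

    def request_login_link(self, email: str) -> Optional[str]:
        """Mint a one-time token for the emailed link; None if address unknown.

        The HTTP handler must answer identically in both cases, otherwise the
        form becomes an account-enumeration oracle.
        """
        account = self.accounts.get(email.strip().lower())
        if account is None:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.pending_links[_digest(token)] = {
            "account": account, "expires": self.now() + LINK_TTL}
        return token

    def redeem_login_link(self, token: str, fingerprint: str, label: str) -> Optional[str]:
        """Turn a clicked link into a device cookie; returns the raw cookie value."""
        record = self.pending_links.pop(_digest(token), None)  # pop => single use
        if record is None or record["expires"] < self.now():
            return None
        cookie = secrets.token_urlsafe(32)
        self.device_cookies[_digest(cookie)] = {
            "account": record["account"], "fingerprint": fingerprint,
            "label": label, "expires": self.now() + COOKIE_TTL, "revoked": False}
        return cookie  # caller sets it with Secure, HttpOnly and SameSite=Lax

    def resolve_cookie(self, cookie: str, fingerprint: str) -> Optional[int]:
        """Map a presented cookie to an account id, or None (caller unsets it)."""
        record = self.device_cookies.get(_digest(cookie))
        if record is None or record["revoked"] or record["expires"] < self.now():
            return None
        # The fingerprint comes from client-side JS and can be copied along with
        # the cookie, so it is not a second factor. A mismatch is treated only
        # as a theft signal: burn the cookie so neither copy works afterwards.
        if record["fingerprint"] != fingerprint:
            record["revoked"] = True
            return None
        return record["account"]

    def list_devices(self, account: int) -> List[dict]:
        """Rows for the account page. Exposes the digest, never the raw cookie."""
        return [{"id": digest, "label": r["label"], "expires": r["expires"]}
                for digest, r in self.device_cookies.items()
                if r["account"] == account and not r["revoked"]
                and r["expires"] >= self.now()]

    def revoke(self, account: int, device_id: str) -> bool:
        """Revoke one of the caller's own cookies; the ownership check matters."""
        record = self.device_cookies.get(device_id)
        if record is None or record["account"] != account:
            return False
        record["revoked"] = True
        return True
```

The `now` parameter exists so expiry can be exercised with a fake clock; in production it stays `time.time`. The security of the whole design still reduces to the security of the mailbox that receives the link, exactly as the question notes, so rate-limit `request_login_link` per address and log each redemption with the device label.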

PHP

7 Comment(s)

@site-developer Mar 17.2019 — Hi,

I might be able to give you some ideas. If you like them then you build them and give me the code along with comments so I can learn how you built it with PHP. Deal?

Let me go in your head and see what you are trying to do ... I'll be back.

...

...Ok. I am back. You feel like getting choked every time you go to Facebook, Twitter, YouTube, etc. when they keep asking you to log in. Feels like a stumbling block. You just wanna whip out the apps and expect the apps to be as smart as KITT from Knight Rider. Detect you are Michael Knight and just let you in the Trans Am. Else, eject the trespasser out the roof.

I get what you mean because I feel the same and tons of others (maybe the majority of internet users) feel the same. That is why I have been coming up with my own ideas. Not in a position to implement them as I am hardly a programmer, so I might as well tell you my ideas and you build them and publicly release the PHP scripts through GNU/GPL. Yes? I think the majority of internet users will like my ideas. You might become famous.

What other programming languages do you know? Might get you to build smart Android apps, computer software, etc. Just make sure you give me free copies along with source code with comments and GNU/GPL them no matter what languages you build them with.
@derekroberts (author) Mar 17.2019 — @site-developer #1601861

Thanks for the suggestions. I'm not against any of them, but this method is "in its infancy" right now and needs to be developed further with help from people more knowledgeable than myself before I could think about implementing it elsewhere.
@site-developer Mar 17.2019 — @derekroberts #1601864

Problem is people do not like to give fingerprints or eye prints or anything related to the physical body. There are Android apps that identify users with their fingerprints. I saw a few listed but never installed them. Do a search on the Google Play Store.
@derekroberts (author) Mar 17.2019 — @site-developer #1601866

Oh this is using a device fingerprint, not the user's fingerprint. The device fingerprint comes from the client.js project on Github. [https://github.com/jackspirou/clientjs](https://github.com/jackspirou/clientjs)
@root Mar 18.2019 — [thread locked]
@root Mar 18.2019 — If you have a specific code issue, please provide the code in a post with the description of the error, error message and other details, and also the HTML that it relates to.

If it's a large amount of text, then upload it as a text file attachment on the site here. Sending people off to URLs is precarious and is often used as a way of getting traffic, so the URL was removed for this reason.

Please consider this in future. If you want assistance and guidance here, you need to post here and not take people all over the internet, because online code repositories are pointless for examples: they do not allow people to easily track changes in code, and often the same problem is happening to someone else who finds the post but no answer to how the problem was fixed, so it creates a dead-end thread.

Ever been hunting for an answer and the thread just stops and has never really been answered? Well, that's the primary reason why.