I stumbled upon a method for securing user accounts without a password and want to know if it’s viable. I don’t have any formal programming education or professional experience, or know any developers personally, but have been practicing and learning independently through the web for about 7 years. It’s very difficult for me to know what information I’m missing though, and I would appreciate constructive feedback.
I’m working on a PHP-based project and it’s the first time I’m implementing an email verification system. I had already implemented a “remember me” feature which was going to use a cookie essentially as the password to grant that device access to the user’s account, and this cookie was also stored in a database with a browser fingerprint of the device it was set on. I was also requiring users to have a valid, active email to create an account for the purpose of email verification, and it was through this email that I was associating the cookie on their device with access to their account. And then I dropped the “passwordhash” column from the “accounts” table and deleted all references to “password” from my code.
Next I gave the user control over the cookies which grant access to their account. The user’s account page displays all cookies which grant access to their account and the user can revoke a cookie’s access at any time. Then I implemented a repeatable email verification so that users could set different access cookies on different devices. This works even if the user is on a device which doesn’t have access to their account, and even if no cookies currently grant access to their account; in which case they just need to manually enter the email address associated with their account and send the verification email, then follow the link in their email using any device to regain access to their account on that device.
The program also revokes cookies if a cookie is detected on a device with a browser fingerprint that doesn’t match the browser fingerprint in the database. When an access cookie is revoked, the status of that cookie is changed in the database so it no longer provides access to any accounts, and any instances of that cookie detected on any devices in the future will be unset.
*URL removed so it does not look like you are spamming the forum
Please view the project at my development URL and experience how it works. The project is themed around a video game and ultimately will be a companion app to a video game so be patient with the color scheme and square corners. To create an account, navigate to the Account page and enter a Gamer ID and email address then press the Create New Account button. The Gamer ID is just a username. None of your information will be retained. After you create an account please experience granting access to new devices if you have multiple devices to test on and revoking access cookies.
From the user perspective, even though this account would be necessarily tied to my email account, I think this experience is still much better than using a conventional password. But from a developer perspective, what are the vulnerabilities and can they be mitigated to the point where this is a viable “replacement” for passwords? Obviously the security ultimately depends on the security of an email account, but oftentimes that’s true even when a conventional password is used.
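The access-cookie handling described in this post (issue a cookie once the emailed link is followed, store it with a browser fingerprint, revoke it on a fingerprint mismatch) looks like this in PHP. This is an added example, not the poster's code: the table and column names, the cookie name, the 30-day lifetime and the choice to store only a SHA-256 hash of the token instead of the token itself are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical schema for the demo; an in-memory SQLite database stands in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE access_cookies (
    token_hash TEXT PRIMARY KEY, account_id INTEGER NOT NULL,
    fingerprint TEXT NOT NULL, status TEXT NOT NULL DEFAULT 'active')");

// Called after the emailed verification link is followed. Only the hash is stored,
// so a leaked database row cannot be replayed as a cookie.
function issueAccessCookie(PDO $db, int $accountId, string $fingerprint): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $db->prepare('INSERT INTO access_cookies (token_hash, account_id, fingerprint) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $accountId, $fingerprint]);
    return $token;
}

// Returns the account id, or null when the cookie is unknown, revoked or mismatched.
// On null the caller should unset the cookie on the device.
function checkAccessCookie(PDO $db, string $token, string $fingerprint): ?int
{
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT account_id, fingerprint, status FROM access_cookies WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['status'] !== 'active') {
        return null;
    }
    if (!hash_equals($row['fingerprint'], $fingerprint)) {
        // Fingerprint mismatch: mark the cookie revoked so it never grants access again.
        $db->prepare("UPDATE access_cookies SET status = 'revoked' WHERE token_hash = ?")
           ->execute([$hash]);
        return null;
    }
    return (int) $row['account_id'];
}

// Flags for setcookie('access', $token, cookieOptions()); the cookie name is hypothetical.
function cookieOptions(): array
{
    return ['expires' => time() + 30 * 86400, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

// Constructed demo values: same device, then a mismatching device, then the revoked cookie.
$token = issueAccessCookie($db, 42, 'fp-laptop');
var_dump(checkAccessCookie($db, $token, 'fp-laptop'));
var_dump(checkAccessCookie($db, $token, 'fp-other'));
var_dump(checkAccessCookie($db, $token, 'fp-laptop'));
```

The `secure` flag means the cookie is only sent over HTTPS, and `httponly` keeps it out of reach of page scripts.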