Techy: Token Authentication instead of passwords

April 16th, 2009 by Richy B. Leave a reply »

I’ve been spending quite a bit of time recently creating a login system (coping with OpenID, Facebook Connect and Microsoft LiveID/Passport) and, of course, the “common and/or garden” email address and password system.

Whilst we do deal with credit card and payment details on the system, it doesn’t need to be “that secure” relating to user authentication (hence we haven’t need to consider proper two-factor logins: where you login with one password and then need to login again using something else). However, recently security snafus (such as the WebHostingTalk database exploit) is making me think that perhaps we should consider offering an alternative to the standard password system.

There are a hardware one-time password tokens out there such as MyPW (which is very similar in looks to the token used by HSBC Bank) and YubiKey (as used by Tom at Nominet) along with Verisign’s VIP Authentication system for iPhones: however, all these OTP (One Time Passwords) systems are designed to be used in conjunction with an existing username and password (i.e. two-factor logins): but has anyone actually implemented a login system which uses the OTP as the SOLE password?

Any pluses/minuses or thoughts about it? Even if you haven’t implemented it, but just think it’s a good or bad idea – please let me know!

This post is over 6 months old.

This means that, despite my best intentions, it may no longer be accurate.

This blog holds over 12 years of archived content - during that time, I may have changed my opinion of something, technology will have advanced (and old "best standards" may no longer be the case), my technology "know how" has improved etc etc - it would probably take me a considerable amount of time to update all the archival entries: and defeat the point of keeping them anyway.

Please take these posts for what they are: a brief look into my past, my history, my journey and "caveat emptor".

Leave a Reply

%d bloggers like this: