Two Factor Authentication with a Bookmarklet
I’ve been meaning to write about this all week, but kept forgetting. Ben Adida has proposed a two-factor authentication scheme using a bookmarklet which looks pretty cool. Ben calls this a “bookmark,” but I prefer “bookmarklet” since it’s a bookmark that contains runnable JavaScript.
The solution seems pretty cool. My biggest question centers on usability. When you imagine this scenario with one site, it seems simple enough, but if every place you wanted to log into on the ‘Net needed a bookmarklet, you’d have a bookmarks file full of entries to allow you to log in. What a management headache.
Of course, if you’re using OpenID and the only bookmarklet you need is one for your OpenID site, then that’s not such a big deal. So, scaling Ben’s idea presupposes the existence and broad acceptance of a wide-area identity system like OpenID.
Update: I misunderstood. It’s not a bookmarklet. The bookmark doesn’t contain any JavaScript—rather the page you go to contains the JavaScript and recognizes a shared secret that is in the bookmark and gets put in the URL as a fragment identifier (which is never sent across the wire). Neat.
Posted by windley on February 17, 2007 1:45 PM
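The fragment behaviour described in the update, as an added example that is not part of the original post or of BeamAuth's own code: it models which bytes of a bookmark URL go into the HTTP request and which stay available only to the page's script. The host `login.example`, the path, the token and all function names are constructed for illustration.

```javascript
// Added example: models what leaves the browser for a fragment-carrying bookmark.
// The host, path and token below are constructed sample values.

// Build the request line and Host header a browser derives from a URL.
// The fragment is not part of the HTTP request target, so it never appears here.
function wireRequest(bookmarkUrl) {
  const u = new URL(bookmarkUrl);
  return `GET ${u.pathname}${u.search} HTTP/1.1\r\nHost: ${u.host}\r\n\r\n`;
}

// What the login page's script can read locally (location.hash in a browser).
// Returns null when the user did not arrive through the bookmark.
function fragmentSecret(bookmarkUrl) {
  const hash = new URL(bookmarkUrl).hash; // includes the leading '#', or ''
  return hash.length > 1 ? decodeURIComponent(hash.slice(1)) : null;
}

// Classify where a given secret sits in a bookmark URL.
function auditBookmark(bookmarkUrl, secret) {
  const onWire = wireRequest(bookmarkUrl).includes(encodeURIComponent(secret));
  const inFragment = fragmentSecret(bookmarkUrl) === secret;
  if (onWire) return "sent-to-network";      // secret is in the path or query
  if (inFragment) return "client-side-only"; // the arrangement the post describes
  return "absent";                           // plain visit, no second factor
}

const SECRET = "k3Yq-constructed-token";
const good = `https://login.example/signin#${SECRET}`;
const bad = `https://login.example/signin?token=${SECRET}`;
const plain = "https://login.example/signin";

console.log(JSON.stringify(wireRequest(good)));
console.log(auditBookmark(good, SECRET), auditBookmark(bad, SECRET), auditBookmark(plain, SECRET));
```

The same token placed in the query string instead of the fragment is classified as `sent-to-network`, which is the mistake to check for when generating such bookmarks.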




Comment from Ben Adida at February 17, 2007 2:24 PM
Hi Phil,
Thanks for writing about BeamAuth (which I may rename BATlogin). Actually, the current version uses a normal bookmark, not a bookmarklet. I've been toying with bookmarklets, but they have security issues that are not very well understood by all yet.
And BeamAuth is definitely meant for high-value sites like your bank or an OpenID authentication server. Agreed that it would not be a good thing to have a bookmark for every little site you log in to!