Two Factor Authentication with a Bookmarklet


I've been meaning to write about this all week, but kept forgetting. Ben Adida has proposed a two-factor authentication scheme using a bookmarklet which looks pretty cool. Ben calls this a "bookmark," but I prefer "bookmarklet" since it's a bookmark that contains a runnable Javascript.

The solution seems pretty cool. My biggest question centers on usability. When you imagine this scenario with one site, it seems simple enough, but if every place you wanted to log into on the 'Net needed a bookmarklet, you'd have a bookmarks file full of entries to allow you to log in. What a management headache.

Of course, if you're using OpenID and the only bookmarket you need is one for your OpenID site, then that's not such a big deal. So, scaling Ben's idea presupposes the existence and broad acceptance of a wide-area identity system like OpenID.

Update: I misunderstood. It's not a bookmarket. The bookmark doesn't contain any Javascript--rather the page you go to contains the javascript and recognizes a shared secret that is in the bookmark and gets put in URL as a fragment identifier (which is never sent across the wire). Neat.