Plenty of services use a standard email-address as login token. This has advantages: The user doesn’t need to remember another keyword and the service provider knows that the email address is unique and can be verified. But there’s one BIG problem: Other people know your email-address and – with it – 50% of your login credentials. How to to eat the cake AND eat it?
Some weirdos seem to like one of my email addresses. They seem to try to hack it and that leads to inconvenience problems – like being locked out of my Apple TV for “security reasons”, because Apple simply locks your account after a number of unsuccessful tries.
We are currently developing the “packfrog” universal secure file exchange and messaging platform and asked ourselves in the process, how we would be able to circumvent this problem while keeping the simplicity of email / password combinations. Two-factor authentication comes to mind and yes, it adds a lot of security and it works well – but it also brings a number of inconveniences.
So .. we came up with the “simple token” construction. A user can define an additional token that must be used in combination with his email-address. It can be changed easily – it can even be removed but it sure adds an additional layer of security against brute-force email-address based hacks.
See the qsy before the hash in the email-address? That’s what I am talking about. The user defines this token in his or her settings within our packfrog service and uses it during the login process.
It is most certainly not comparable to the safety of “two factor” auth. But it helps a lot if your email-address ends up in a hacker database.
Maybe you like the idea and implement into your next project?
If you use gmail: Did you know that you can use email-addresses like “username+token” within your gmail environment? So – next time you register somewhere – why not add something like “+iq8g” behind your user name and before the @gmail.com ? But don’t forget the “+” after your username and before the token. If your email acount is “smartguy” you could use “firstname.lastname@example.org”. Try it – it works.