[INTERESTING] login without password (using smartphone QRs)

[panique]

Gentlemen,

one of my favourite (german) PHP blogs just posted a very very interesting solution for SECURE login-processes while using a (possibly infected, keylogged etc.) computer in internet cafes, hotels, universities etc. You know what I mean.

This is awesome! According to the article this/something similar has been tested by Google, too.

(german) article:
http://www.phpgangsta.de/sesam-oeffne-dich-sicher-einloggen-im-internetcafe

Github repo:
https://github.com/PHPGangsta/Sesame

Demo:
http://sesame.phpgangsta.de/

Feel free to experiment with this and maybe pushing this feature into the 2-advanced / 4-full version.

Isn't this Steve Gibson idea ?
https://www.grc.com/sqrl/sqrl.htm

[panique]

@tech-samuel Yes, I think so! But the guy behind the blog post didn't say he invented it, in fact he stated very clearly that he simply wants to show a simple implementation / live demo of this login thing.

Yes i know that. Steve Gibson still hasn't finished the spec for this login system yet. So i think we should wait till the spec is complete. :)

[thierryve]

I had a look at the code of PHPGangsta and It looks relatively easy to implement.
One of the things he used for his example is

<meta http-equiv="refresh" content="5">

This is used to, every 5 secondes, check if the generated sesamecode is used when a user logged in.

It works fine but there must be a better solution then a page refresh. What do you guys think?
Some options that are out there:

• Use AJAX to pull every X seconds
• Websockets (maybe a bit to heavy)
• There are some API's (also to heavy if you ask me)

In my opinion the first option is the best one.

i'd love to hear what you think

[thierryve]

Hey!
On https://github.com/thierryve/php-login/tree/feature/290-login_without_password I created a first version of this feature.
There are still a lot of todo's like but it is a start

• Rewriting the 5 second refresh to a more userfriendly variant
• Cleanup unused sesame's (database and file)
• Checking allround security
• Implement for facebook registered users (facebook login)
• Probably many more!

I'll like some general feedback so we can further improve this cool feature!

[panique]

@thierryve Wow! Big thanks! I'll look into that when there's time!

[sopitz]

@thierryve Is there a demo somewhere on how that would work in the end? Would love to see it (but honestly dont have the time to deploy it right now :D)!

[thierryve]

@sopitz you lazy .... :D
Sorry I don't have a test / dev server that is accessible of the internet atm (using vagrant).
I will try to setup a public demo in a couple of day. I will also need it to test it on a actual mobile device.

[thierryve]

@sopitz I created a public demo page for this feature.
See http://php-login.cophpol.com

Love to get your feedback!

I don't know if it's my end or something else, but it's not working for me :S

I click the link /login/index?code=123456 and it's opens a page without the QR nor the link, but the first page does not log in.

[thierryve]

@KatzArie this is how it works.

1. create an account (enter a real email address for the activation email, I removed the overview page so your emailaddress will stay private)
2. Active the account
3. Go to the login page
4. Open sesame link in another browser or scan the QR code with your mobile phone
5. Sign in with your credentials
6. Go to your original browser or desktop PC
7. Sesame! Now you logged on without entering your credentials

Hopefully it works, otherwise I have some bugs to fix 😋

[thierryve]

Here is a test account for everyone that doesn't want to make an own account.
Username: test
Password: phplogin