How can we improve the user’s experience with, and the security of, passwords? I’m fairly sure a team at Mozilla are thinking about this; my thoughts here are utterly unencumbered by knowledge of or interaction with their ideas ;-)
Frank Stajano at the Cambridge Computing Laboratory has written a paper (blogpost) called “Pico: No more passwords!”, where he proposed a hardware token-based scheme for replacing passwords as our default form of authentication. In its final form, it uses a camera to detect the app, and then a short-range radio interface to send the password to the computer. The purpose of this blog post is not to comment on his specific proposal, but to note his list of 8 advantages that his system provides (taken from his document, and edited by me):
1. The user no longer has to remember passwords.
2. The user cannot choose a weak password.
3. The user cannot reuse a password.
4. The user no longer has to type the password.
5. The user cannot be phished.
6. The system can be used for all sorts of passwords or secrets, not just web ones.
7. The user no longer has to manually select the appropriate password.
8. The user is authenticated to the app continuously throughout the session.
These are all clearly good things, which make life much easier for a user. He notes that some of these advantages are provided by existing solutions, but not all. That set me wondering: what would it take to get most or all of them in a Firefox context?
The Firefox Password Manager in combination with Firefox Sync gives you 1, 4, 5 and 7 today, out of the box, for every password you use it for. (One could argue you don’t quite get 5, because nothing stops you from typing a remembered password into a phishing site; but if you rely on the Manager to fill it in, you get it.)
We could add 2 and 3, and reinforce 5, by adding a “Generate Password” context menu item to Firefox password fields. This would only appear if Firefox knew it was allowed to remember the password (i.e. not “autocomplete=off”) and when selected would fill all password fields in the same <form> with a single randomly-generated password. It could use the HTML5 regexps for field contents, if present, to make sure it generated a password the site would accept. If the feature was used on a page, and the password submitted was the same as the one generated, Firefox would automatically remember the login and password without prompting (but perhaps with a notification, for reassurance).
The generated passwords would be, say, 10 characters long, and a mix of upper and lower case, numerals and a punctuation character. If the site was dumb enough not to accept such strong passwords, once they got the error back the user could give up on the feature and pick a password themselves, just as they do now.
There’s also a way we could add benefit 6. It strikes me that the contents of the Password Manager section of my Weave account, and the contents of OI Safe, the Android password manager I use, are highly related. We could implement a Firefox Mobile addon or even a standalone app (like a specialized Firefox Home) which showed the Weave password store like a password app does, and also allowed you to add extra non-web usernames and passwords to it manually – e.g. the combination to a bike lock, or a door entry code. You would use the same app to retrieve them when you needed them. A standalone app might have the convenience factor required; but if we can make websites into mobile apps, with top level icons, perhaps we can also add a feature to make a Firefox addon’s UI do the same thing.
That leaves us with everything except benefit 8 – walking away from your computer doesn’t automatically log you out of the web app. This seems not all that connected to the other 7 password-related benefits; more a cool thing which happens to fall out of Frank’s implementation. Still, there are some options.
We would have to consider the privacy implications, but both websites that time sessions out and web-based IM clients might benefit from an “idle” value in the DOM, giving the time in seconds or minutes since the user last interacted with the computer. As long as the value was low, sites could assume the user was still present, and not log them out. If it got above a value the site considered unsafe, automatic log out could occur.
This would avoid the very irritating thing of sites logging you out for “inactivity” when you were sitting at your computer the whole time, just doing other things. My previous bank (Barclays) did this a lot; my current one (HSBC) at least pops up a window with a timer asking me if I want to stay logged on. Better, but also a hack.
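As an added example (not Firefox code and not any site’s code), here is how a site-side session guard could use such a DOM property, contrasted with what sites can measure today. The property name `idleSeconds` on `document` is a hypothetical name assumed by this example, as is the 10-minute threshold; the point it shows is that with a computer-level idle value, a user busy in another tab or application is no longer indistinguishable from one who walked away.

```javascript
// Added example: session-timeout policy using a hypothetical DOM idle property.
// document.idleSeconds is an ASSUMED name for the proposed property; no real
// browser exposes it.
const DEFAULT_MAX_IDLE = 10 * 60; // seconds; the value the site considers unsafe (constructed)

// Decide whether to keep or end the session from two signals:
//  - pageIdle:     seconds since the user last interacted with this page
//                  (measurable today from the page's own events)
//  - computerIdle: seconds since the user last interacted with the computer,
//                  from the proposed DOM property (null when unavailable)
function sessionDecision(pageIdle, computerIdle, maxIdle = DEFAULT_MAX_IDLE) {
  if (computerIdle !== null && computerIdle !== undefined) {
    // Proposed behaviour: the user is present if the computer is active, even
    // if they have been working elsewhere for longer than maxIdle.
    return computerIdle > maxIdle ? 'logout' : 'keep';
  }
  // Today's behaviour: only the page's own events are visible, so a user busy
  // in another application looks identical to one who walked away.
  return pageIdle > maxIdle ? 'logout' : 'keep';
}

// Read the hypothetical property from a document-like object, or null.
function readComputerIdle(doc) {
  return doc && typeof doc.idleSeconds === 'number' ? doc.idleSeconds : null;
}

// Track page-level interaction. On a real page, attach with e.g.
// ['mousemove', 'keydown', 'click', 'touchstart']
//   .forEach(ev => document.addEventListener(ev, tracker.touch));
// `now` is injectable so the behaviour can be simulated with a manual clock.
function makePageTracker(now = () => Date.now()) {
  let last = now();
  return {
    touch: () => { last = now(); },
    idleSeconds: () => Math.floor((now() - last) / 1000),
  };
}

// Simulation on constructed data: the user reads the page, then spends
// twenty minutes in another application, then (separately) walks away.
function simulate() {
  let t = 0; // manual clock, in seconds
  const tracker = makePageTracker(() => t * 1000);
  t = 20 * 60;
  const pageIdle = tracker.idleSeconds();
  return {
    pageIdle,
    // browser exposes the property; the computer was touched 30s ago
    withProperty: sessionDecision(pageIdle, readComputerIdle({ idleSeconds: 30 })),
    // no property: the site can only see that the page has been idle
    withoutProperty: sessionDecision(pageIdle, readComputerIdle({})),
    // the user really did walk away 15 minutes ago
    walkedAway: sessionDecision(pageIdle, readComputerIdle({ idleSeconds: 15 * 60 })),
  };
}
```

On the privacy point the post raises: a site only needs to know whether the idle time is above or below its own threshold, so an implementation could expose the value coarsely (rounded to the minute, or capped) and still serve this use while giving fingerprinting scripts less to work with.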
To summarise, I propose:
- Add “Generate Password” to the Firefox password field context menu
- Make an OI Safe-like Android app using the Weave store as its back end
- Standardise a DOM property for “computer idle time”