Is it secure to log in a user without a password?
Question:
I am thinking of logging a user in to my Django website by verifying the email rather than them having to write a password.
If this is not clear, this is what I’m thinking:
- User enters email
- User gets an email containing a code
- User enters code in website
- User is logged in
Is this safe to do without hackers accessing the accounts of other users?
Answers:
It is safe only if you don’t have any leaks in your code. Such as this website: https://pushkarthegr.github.io/Elektronik/signin.html
Here, if you go into the console and type `code`, the OTP is quite notable.
As far as I understand your problem you want to generate tokens for users that would serve as an authentication method to access your service.
I don’t know how secure that is because you have to take into consideration a lot of different things, like the length of the token (password) and the method you use to generate it. Also, some kind of token rotation should be included.
Instead of this you can use a more popular approach to this problem, that is either
- delegating authorization to 3rd party software like Google auth (https://www.tutorialspoint.com/google-authentication-in-django)
- adding OAuth authorization – currently OAuth 2.0 is the newest version (https://en.wikipedia.org/wiki/OAuth)
With that users can log into your website without typing password every time they want to access it.
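As an added illustration (not code from either answer or from any Django project) of the points the second answer raises, here is the server-side handling for an emailed one-time code: the code comes from a CSPRNG, the server keeps only a keyed hash of it (so a database dump or a value echoed to the browser console never contains the code itself), and each code expires, is limited in guesses and is single use. Plain Python with an in-memory dict standing in for a Django model; `OtpStore`, the constants and the injectable clock are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # assumed: a code is valid for ten minutes
MAX_ATTEMPTS = 5             # assumed: guesses allowed per issued code
CODE_DIGITS = 8              # ~26.6 bits; 5 guesses -> ~5e-8 chance per code


def hash_code(email: str, code: str, secret: bytes) -> str:
    """Keyed hash of (email, code); only this is stored, never the code."""
    msg = f"{email.lower()}:{code}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class OtpStore:
    """Issues and verifies emailed login codes (in-memory stand-in for a model)."""

    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret
        self.clock = clock
        self.pending = {}  # email -> [code_hash, expires_at, attempts]

    def issue(self, email: str) -> str:
        # secrets.randbelow is CSPRNG-backed; random.randint would be guessable.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[email.lower()] = [
            hash_code(email, code, self.secret),
            self.clock() + CODE_TTL_SECONDS,
            0,
        ]
        return code  # the caller emails this; it is not logged or stored

    def verify(self, email: str, submitted: str) -> bool:
        key = email.lower()
        rec = self.pending.get(key)
        if rec is None:
            return False
        code_hash, expires_at, attempts = rec
        if self.clock() > expires_at or attempts >= MAX_ATTEMPTS:
            self.pending.pop(key, None)   # expired or exhausted: invalidate
            return False
        rec[2] += 1                        # count every guess, right or wrong
        candidate = hash_code(email, submitted, self.secret)
        if hmac.compare_digest(code_hash, candidate):  # constant-time compare
            self.pending.pop(key, None)   # single use: a replayed code fails
            return True
        return False
```

In Django the dict would become a model row keyed on the user, and the `issue` caller would send the code through the mail backend and start a session only after `verify` returns `True`.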