
[INTERESTING] login without password (using smartphone QRs) #290

Closed
panique opened this issue Nov 14, 2013 · 19 comments

@panique

panique commented Nov 14, 2013

Gentlemen,

one of my favourite (German) PHP blogs just posted a very, very interesting solution for SECURE login processes while using a (possibly infected, keylogged etc.) computer in internet cafes, hotels, universities etc. You know what I mean.

This is awesome! According to the article this/something similar has been tested by Google, too.

(German) article:
http://www.phpgangsta.de/sesam-oeffne-dich-sicher-einloggen-im-internetcafe

Github repo:
https://github.com/PHPGangsta/Sesame

Demo:
http://sesame.phpgangsta.de/

Feel free to experiment with this and maybe push this feature into the 2-advanced / 4-full version.

@ghost

ghost commented Nov 14, 2013

Isn't this Steve Gibson's idea?
https://www.grc.com/sqrl/sqrl.htm

@panique

panique commented Dec 5, 2013

@tech-samuel Yes, I think so! But the guy behind the blog post didn't say he invented it, in fact he stated very clearly that he simply wants to show a simple implementation / live demo of this login thing.

@ghost

ghost commented Dec 5, 2013

Yes, I know that. Steve Gibson still hasn't finished the spec for this login system yet. So I think we should wait till the spec is complete. :)

@panique panique changed the title [potential feature] login without password (using smartphone QRs) [3.0][potential feature] login without password (using smartphone QRs) Apr 19, 2014
@panique panique added this to the 3.0 milestone May 2, 2014
@thierryve

I had a look at the code of PHPGangsta and it looks relatively easy to implement.
One of the things he used for his example is

<meta http-equiv="refresh" content="5">

This is used to check, every 5 seconds, whether the generated sesame code has been used when a user logged in.

It works fine, but there must be a better solution than a page refresh. What do you guys think?
Some options that are out there:

  • Use AJAX to poll every X seconds
  • Websockets (maybe a bit too heavy)
  • There are some APIs (also too heavy if you ask me)

In my opinion the first option is the best one.

I'd love to hear what you think

@thierryve

Hey!
On https://github.com/thierryve/php-login/tree/feature/290-login_without_password I created a first version of this feature.
There are still a lot of todos, but it is a start:

  • Rewriting the 5 second refresh to a more user-friendly variant
  • Clean up unused sesames (database and file)
  • Checking all-round security
  • Implement for Facebook registered users (Facebook login)
  • Probably many more!

I'd like some general feedback so we can further improve this cool feature!

@panique

panique commented Aug 20, 2014

@thierryve Wow! Big thanks! I'll look into that when there's time!

@sopitz

sopitz commented Aug 20, 2014

@thierryve Is there a demo somewhere on how that would work in the end? Would love to see it (but honestly don't have the time to deploy it right now :D)!

@thierryve

@sopitz you lazy .... :D
Sorry, I don't have a test / dev server that is accessible from the internet atm (using vagrant).
I will try to set up a public demo in a couple of days. I will also need it to test it on an actual mobile device.

@thierryve

@sopitz I created a public demo page for this feature.
See http://php-login.cophpol.com

Love to get your feedback!

@ghost

ghost commented Aug 25, 2014

I don't know if it's my end or something else, but it's not working for me :S

I click the link /login/index?code=123456 and it opens a page without the QR nor the link, but the first page does not log in.

@thierryve

@KatzArie this is how it works.

  1. Create an account (enter a real email address for the activation email; I removed the overview page so your email address will stay private)
  2. Activate the account
  3. Go to the login page
  4. Open the sesame link in another browser or scan the QR code with your mobile phone
  5. Sign in with your credentials
  6. Go to your original browser or desktop PC
  7. Sesame! Now you are logged on without entering your credentials

Hopefully it works, otherwise I have some bugs to fix 😋

@thierryve

Here is a test account for everyone that doesn't want to make their own account.
Username: test
Password: phplogin

@ghost

ghost commented Aug 25, 2014

Work'n! N!CE :D

@thierryve

I just updated this feature.
New:

  • AJAX check for login instead of page refresh
  • cleanup database event (maybe add a cronjob for shared hosting)
  • implemented for Facebook and cookie login
  • When you're logged in on, for example, your mobile phone and scan the QR code you will automatically log on
  • some refactoring

Love to hear if you think it is ready for a pull request

@panique

panique commented Sep 13, 2014

This might become a SERIOUS thing! I've just read some things about the post-password-auth-era, and authenticating/logging-in via hardware / mobile devices / body parts (!) is more than just future fantasy, it's coming!

Maybe optional two-factor authentication (password + SMS-code on your smartphone) is an optional feature for php-login 3.0, too.

@sopitz

sopitz commented Sep 14, 2014

@panique I posted that in a different ticket a while ago already: https://medium.com/@ninjudd/passwords-are-obsolete-9ed56d483eb

I will have a look into that and probably implement it early 2015 when I'm done with my 2014 release.

@sopitz

sopitz commented Sep 23, 2014

Maybe you all are interested in this. Seems to be super easy to integrate and is free for small projects.
https://www.duosecurity.com/editions
What do you think?

EDIT: I just set it up for a personal project and github. THAT STUFF IS AWESOME!! Should be a must for everyone.

@panique panique removed the v3.0 label Jan 25, 2015
@panique panique modified the milestone: 3.0 Jan 25, 2015
@panique panique added the v3.0 label Jan 25, 2015
@panique panique changed the title [3.0][potential feature] login without password (using smartphone QRs) [3.x][potential feature] login without password (using smartphone QRs) Mar 14, 2015
@panique panique changed the title [3.x][potential feature] login without password (using smartphone QRs) [INTERESTING] login without password (using smartphone QRs) Sep 7, 2015
@panique

panique commented Oct 11, 2015

Hey, I'm currently "cleaning" the project a little bit and moving feature requests like this to their own list inside the readme file (find it under the "future features" point). I hope you are okay with it, as most tickets here are new features and not really bugs or so.

My idea is just to avoid this project from getting oversized by too many features, so I'm closing the ticket, but for sure linking it from the readme in case somebody wants to implement this.

I hope you are all okay with this. :)

@panique panique closed this as completed Oct 11, 2015
@10vish

10vish commented Sep 8, 2018

Hi, I wanted to change the URL to a custom URL, can you please help
