Is there a reason for websites needing a username/password - html

Is there any reason a site login needs a username/password? If an email address or cell number is supplied, a text or email could be sent back, at which point you would click on the link. Would this be enough to be considered authenticated by the site? Much like a password reset email/text, except you would be logged in instead.

Maybe this is not the correct forum to post this.
But, usually a username gives more sense of "ownership" / sense of belonging to an account.
Also for security reasons! I'd rather not give my personal email to everyone or in some places.
And if they already ask my email, I would imply my username is the information other users have access to, and not necessarily my email.
e.g. a Forum / Payments / etc...

Related

Generate an email button to log a user into a web page without API

TLDR: Is it possible to email a login button which will open a web page and enter the appropriate user information into the username/password fields? Is it possible to embed this within an HTML button, or possibly in SQL injection? If so, where should I start my research to make this happen?
OK, so what I am tasked with is generating the billing lists for about 2000 non-technical users. Currently we use a third party billing site which does not have an API or any way to authenticate users from the URL heading. What we have been doing is using mail-merge to email users their username and password along with a link to the billing site. This is great, except that our users are... special. We get dozens of phone calls a day from elderly users who can't copy/paste the given information into the website.
What I am looking for is someone to point me in the right direction for making an email click here button that will open the web page, enter the username and password (from a CSV/XML of usernames/passwords) and click enter.
I'd even settle for opening the webpage with their credentials filled into the appropriate fields. Is there a way to do this? What is the best way to go about this?
Before we get into best practices/security, CC information isn't stored on the site, and the only user info viewable is the invoice, so security isn't a huge concern here since the users can't set their own passwords (username / password generated from static fields in another database silo).
Not looking for someone to do this project for me, but perhaps a few friendly pointers in the right direction for how to do this.
Is it possible to email a login button which will open a web page and enter the appropriate user information into the username/password fields?
Not unless either:
The website is specifically designed to allow that. Since you said it was a third party site, then you would have to ask the people who wrote it.
The site suffered from an XSS security vulnerability. (Explaining how to search for one would be too broad for a SO answer, searching for one would be illegal pretty much everywhere).

Accessibility of mailto links without email address

I have mailto links with which I allow users to manually put the recipient's address by leaving the mailto link empty, like so:
Share
But when tested in tenon.io, it complains about the empty email address:
Do we have a workaround for this?
Karl Groves here, Founder of Tenon.
Tenon is purposefully opinionated. The goal of the product is to assist website owners in ensuring an accessible user experience. Weighing strict technical conformance vs. user experience is a constant dance. Ultimately the end user may need to choose to ignore some of our guidance.
It is true that the mailto: protocol does not require an email address. And, in the case of #qtgye's link, it is a valid use. If I was #qtgye I'd ignore Tenon's result.
However, we do consider this to be a useful test. In response to this thread, I posted a Twitter poll: https://twitter.com/karlgroves/status/869208982250024960
98% of respondents do expect an email address in a mailto: link. The reason why this is an accessibility issue is that mailto: links will open the user's email client. Users who cannot see the entire screen may assume that the email address is already filled-in on their mail client.
That being said, we do have to take into consideration the fact that the email address is not technically required. Each test in Tenon has a certainty score which, as the name implies, indicates how certain we are that it is a real issue. We will be lowering the certainty score on this test. We are tracking that adjustment as Issue TEN-2573 in our issue tracking system.
Thank you for bringing this up #qtgye
The mailto protocol does not require an addr-spec definition. So your link is valid, and this is a false negative.

Facebook OAuth getting only email, possible?

I'm busy enabling login via Facebook OAuth on my website, but the only thing I want to get is the user's email.
I saw 'scope=email' in the dev docs, but it seems mandatory for the user to allow access to anything about him.
Is there a way to ask him to grant access only to his email?
No. The bare minimum that your app will request from the user is his Basic Information, followed by your extended permissions (in your case, his email address).
nope. email is a so called extended permission. so you have to get the basic set of data of the user. (like: name, fbid, gender, locale).

Is it necessary to double-check a user's password on registration?

Edit - migrated to ui Stack Exchange (please close this question)
Do you find it necessary/worthwhile to make a user repeat his password in a registration form, assuming that form includes an email address?
Pros: I imagine there are quite a few cases where users mistype their password in the registration form.
Cons: If you require a valid email anyway, he can always retrieve/reset his password via email - and for the users that do get the password right in the first try, this is yet-another-field-in-the-registration-form (which I prefer be as simple as possible)
I would say using the password reset functionality in place of double-entry is not horrible, but it would require a decent UI on the login page to ensure the "forgot your password" link is clear -- such as having it appear much bigger upon invalid password entry.
I'd personally go a different way: ask for the password after a 'verify your email address' message.
One thing to consider is you also need a valid email address -- so if they mis-enter their email, and also their password, their account is effectively locked. Many sites require clicking a link (and/or entering a code) upon account creation, in order to verify email address, before making the account active. If you're doing this, then there is an annoying UX thing to avoid: it's not always clear why my account doesn't work.
I've seen this personally where I enter a password during registration, but then it tells me "invalid password" when I try to login, rather than "your account is not yet activated". Minor, but an annoyance.
One way to get around this is to not ask for a password until they've clicked the link in the email, then you prompt to create a new password. You can use double-entry here, since it's the only thing on the form, and it's a pretty simple way to avoid an easy user mis-entry. Users are also quite used to this model, practically every password entry system works like this.
It also handles an additional use case, where the user themselves is not the one creating the account (not sure if this applies to you or not). Someone can create the account on the user's behalf, but then the user is still choosing their own password after clicking on the 'verify' link they get via email.
I do think that it is worthwhile - as an additional validation just to ensure that users haven't mistyped the password (especially because we cannot see the password being typed in most cases). I think it provides a sense of validation to the user as well that he is in fact sure of his password before he submits the form.
However, this is valid only in case of forms which do not allow you to copy / paste from one field to the other (I have used sites where their forms allow me to copy paste which inherently makes having the 2nd field completely useless).
Personally, however, I find it extremely irritating when a form makes me re-type my password. But I still do think that it's a useful validation to have.
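Both the emailed-link login from the first question and the "verify your email address, then set a password" flow suggested above rest on the same primitive: a one-time token that is mailed to the address and redeemed when the link is clicked. The added example below (not from any of the posts) shows the server-side handling a practitioner would want for either flow: the token is random, stored only as a hash, expires, is bound to a purpose so a login link cannot be replayed as a set-password link, and is consumed on first use. The in-memory `_PENDING` dict and the 15-minute TTL are assumptions standing in for a real datastore and policy.

```python
import hashlib
import secrets
import time
from typing import Optional

# Pending tokens keyed by SHA-256 of the raw token. A real deployment
# would use a database; this dict is an assumption for the example.
_PENDING = {}

TOKEN_TTL_SECONDS = 15 * 60  # emailed links expire after 15 minutes (assumed policy)


def _digest(token: str) -> str:
    # Store only the hash so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link_token(email: str, purpose: str, now: Optional[float] = None) -> str:
    """Create a single-use token for `email` and record only its hash.

    `purpose` separates the login link ("login") from the registration
    link ("verify-email"), so a token minted for one flow cannot be
    redeemed in the other. Returns the raw token to embed in the URL.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    _PENDING[_digest(token)] = {
        "email": email.strip().lower(),
        "purpose": purpose,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def redeem_link_token(token: str, purpose: str, now: Optional[float] = None) -> Optional[str]:
    """Return the bound email if the token is valid, otherwise None.

    The entry is removed on any lookup hit, so a link works at most once
    even when the attempt fails (wrong purpose or expired).
    """
    now = time.time() if now is None else now
    entry = _PENDING.pop(_digest(token), None)
    if entry is None or now > entry["expires"] or entry["purpose"] != purpose:
        return None
    return entry["email"]
```

For the login flow the returned email identifies the session to create; for the registration flow it identifies the account whose password form may now be shown.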

registering a user with email confirm and captcha?

Does it make any sense to include a captcha when registration already requires email confirmation? any added benefit or just a waste of effort?
Neither will prevent current bots from getting into your system if that is your reason for doing these. Usually email confirmation is done to validate that the user gave a correct email address if you have need to contact them (or spam them). I don't see the value in adding a captcha to that.