On Fri, 2005-02-11 at 05:01, Ian Eiloart wrote:
I'm all for the password-less stuff, but then how do you authenticate for members-only archives? I've got big lists that must be members-only for the archives.
Most of the user operations should be done by confirmation string sent by email message.
Operations include authentication.
So, to access the private archive I have to wait for an email message?
One way to make this not suck as much is to drop a cookie that lives longer than the session, after you click-authenticate the first time. However, this is fairly dangerous if you were to read private archives from a public machine, which is why cookies all currently expire at the end of the browser session.
The same situation occurs for accessing the options page, but that is a much less common operation. Maybe users are willing to wait for an email round-trip in order to change their options. I tend to think not though -- they may be hitting the web interface from a machine that doesn't have access to their mail, and then they're screwed.
Integrating with external user storages for authentication should help out a lot here, but I'm just not seeing how we can totally eliminate passwords. I'm willing to be convinced though.
-Barry