Hi folks
I have been working on an idea of a password-less login for Geekzone. Basically you enter your username and receive an email with a token embedded in a link. Once you click on that link you're automatically logged in, no need to remember or enter your password.
The way I see it this means you can have a much more secure password for Geekzone, because it's one less password to remember. You can set an extra long password here since you won't have to use it that much.
Of course security would rely on your email being safe. For this to work I am thinking of adding a switch to your profile. You can turn this feature off if you think it's not for you.
A couple of weeks ago we started using ThisData to record some activities around the site - including successful login, logout, failed login, failed captcha, password reset request, password reset, password change, email change and profile update. This helps a machine learning-based platform to determine a score that indicates the chance your session has been hijacked.
Some of you might have already received an email asking "Was that you?" - with the option to click a link to say Yes or No. The idea is that this input will help the machines learn even more about your account.
We have the option to "verify" an account before performing an action and in the future, depending on the session status we will be able to terminate a session, lock an account, or reset passwords automatically.
Now we go back to my idea of password-less login via email. Once you request the email login and click the link we will verify the action before you actually log in to your account. If the result is not "green" then we will simply redirect to the standard login page and ask for your password. We will do this by disabling the email login from your profile automatically if the verify doesn't come back with "green". You will have to enable it again if you want to continue to use it.
Also these links would be only valid for a few minutes. This is great for you folks using the site on a mobile device, where entering (long) passwords is a PITA. I also see these logins as not permanent, so the option to stay logged in would not have any effect on login via email.
If you want to see what your current session status is, visit this simple test page and let us know the result.
The email login will be coming soon. No date set yet.
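
The flow described in the post above, sketched as an added example that is not part of the original post and is not Geekzone's code. The class and method names, the 300-second lifetime, the single-use rule, storing only a hash of the token, and the `risk_check` callable standing in for the verify step are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 300  # seconds; the post says "a few minutes", the exact value is assumed


class EmailLogin:
    def __init__(self, risk_check, clock=time.time):
        self.risk_check = risk_check  # hypothetical: username -> "green" or anything else
        self.clock = clock
        self.enabled = {}             # username -> profile switch for email login
        self.pending = {}             # sha256(token) -> (username, expiry time)

    def request_link(self, username):
        """Return the token to embed in the emailed link, or None if the switch is off."""
        if not self.enabled.get(username):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Assumption: keep only the digest, so a leaked token table cannot be replayed.
        self.pending[digest] = (username, self.clock() + TOKEN_TTL)
        return token

    def redeem(self, token):
        """Return ("session", username) or ("password_login", None)."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop makes the link single-use (assumed)
        if entry is None:
            return ("password_login", None)
        username, expiry = entry
        if self.clock() > expiry or not self.enabled.get(username):
            return ("password_login", None)
        if self.risk_check(username) != "green":
            # Per the post: a non-green verify disables email login on the profile
            # and the user is sent to the standard password page.
            self.enabled[username] = False
            return ("password_login", None)
        # Per the post: this session is not permanent, "stay logged in" is ignored.
        return ("session", username)


if __name__ == "__main__":
    svc = EmailLogin(lambda user: "green")  # constructed risk verdict
    svc.enabled["alice"] = True             # constructed user
    link_token = svc.request_link("alice")
    print(svc.redeem(link_token))           # first click logs in
    print(svc.redeem(link_token))           # replayed link falls back to password
```
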