1. Field
The present invention relates generally to a technique for eliminating passwords for account access to websites.
2. Background
Many websites require a username and password to authenticate a user and permit user access to the website. A user who seldom uses a website may forget the password for the website. Also, some websites use cookies to store authentication information between sessions, allowing the user to use the website over multiple sessions without reentering the user's password. For frequency visited websites, the authentication information stored in the cookies on the user's computer is relatively fresh, and the user may not need to enter their username and password for a long period of time. Because the user may not need to frequently enter the password, the user may forget the password of an often visited website.
Most websites that require user passwords provide a password reset mechanism that allows the user to receive a new password, typically by means of an email to an address provided by the user when registering for access to the website. Generally, a user may reset their password at any time so, in essence, as long as a user remembers their username, they can forget their password from one session to the next.
However, the forgotten password is still recognized by the website, and an attacker who can figure it out by, for example, guessing or reversing a compromised hash, may access the website. This highlights an undesirable side-effect of the password reset mechanism. The forgotten password is useless to the user, but not to an attacker.
There is therefore a need for a technique for authenticated website access without requiring a password.