[Auth]Scenario
From: Ron Burk
Subject: [Auth]Scenario
Date: Wed, 11 Jul 2001 14:23:53 -0700
Hi,
Here's a possible scenario for use in thinking about the design of
a single-logon system. This is from the browser-user's
point of view only, and I'm ignoring any technical hurdles --
just trying to envision what would be ideal.
* I'm using a Windows machine with IE and I have the appropriate
dotgnu plug-in installed for single-logon. When I installed the plug-in,
I told it the one-and-only password that I have to remember; the plug-in
uses that password to encrypt all other information I give it in the
future.
* I go to visit a new web site and it has a restricted section that I can
join if I give it an email address and a password. I click on the button
that says "sign me up". Note that I do not have to click on any special
button that says "sign me up using the dotgnu system" -- the web site is
able to be coded in such a way that both dotgnu and normal users can
be handled transparently.
* At this point, because I have not previously "logged on" during this
browser session, the plug-in pops up a dialog that asks me to enter
my one-and-only password. This would not happen again until I either
restarted the browser, or a customizable "timeout" had elapsed, or I
explicitly took some action that told the plug-in to again require a
password.
When asking for the password, the GUI also permits me to specify a
non-default location for the personal information database. This allows
me to bring my own database on a floppy to someone else's machine,
and still make use of my personal logon database while browsing.
* I enter my one-and-only password, and the plug-in then proceeds to
inspect what it was the web site was asking for (in this case, an email
address and password). At this point, the plugin displays a page (or
dialog, or some kind of GUI) that shows what it is prepared to return to
the web site. If I have not previously supplied any of the fields, it will
typically not be able to suggest defaults. The plugin should offer to
generate a "good" password for me -- the web site informed it of any
restrictions on character set and length.
* I enter an email address (which the plug-in adds to my local encrypted
database for future reference) and ask the plug-in to generate a password
for me. It generates a long garbage-looking password that would be unlikely
to be susceptible to dictionary attacks. I, of course, will never have to
remember what that password is. I check the box that says "Logon
Automatically", which tells the plug-in I don't need to inspect these logon
parameters the next time I log on to this site. Finally, I push the "OK"
button, and the plugin transmits the logon information to the web site,
which then allows me access to the restricted pages.
* Next week, I go to another web site that is similar in its demands.
This time, when the plug-in asks me what information I want to supply,
the email address I entered previously is present in a drop-down combo
box. I can accept it as-is, or enter another email address.
* Next month, I return to web site #1. Assume that I entered my
one-and-only password earlier during that browser session. This time,
when I click on the web site's "logon" button, the request for credentials
and the response all happen invisibly, and I am delivered right to
whatever page normally greets people who have just logged on. Joy!
This doesn't exercise anywhere near all the things to be considered during
the design, but it's what I personally envisioned as characteristic of the
key functionality.
Is this roughly what anyone else envisioned as the basic idea?
Ron Burk
Windows Developer's Journal, www.wdj.com
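The two pieces of the scenario that most need to be got right are the plug-in's password generator (it must honour the site's declared character-set and length restrictions while still producing something dictionary attacks won't find) and the key that protects the local database under the one-and-only password. The sketch below is an added example written for this page, not code from the message or from any DotGNU component; the `SitePolicy` structure is an assumed shape for the restrictions a site might declare, and scrypt is used as the master-password key derivation purely for illustration.

```python
import hashlib
import math
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class SitePolicy:
    """Restrictions a site declares to the plug-in (assumed format for this example)."""
    min_length: int = 8
    max_length: int = 64
    allowed: str = string.ascii_letters + string.digits + string.punctuation
    required_classes: tuple = ()  # e.g. (string.digits, string.ascii_uppercase)


def generate_password(policy: SitePolicy, target_length: int = 24) -> str:
    """Draw characters uniformly with a CSPRNG, clamped to the site's length bounds,
    and resample until every class the site insists on is present."""
    length = max(policy.min_length, min(policy.max_length, target_length))
    alphabet = sorted(set(policy.allowed))  # de-duplicate so each symbol is equally likely
    for cls in policy.required_classes:
        if not set(cls) & set(alphabet):
            raise ValueError("required class has no characters in the allowed set")
    if len(policy.required_classes) > length:
        raise ValueError("more required classes than password positions")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(policy, pw):
            return pw


def satisfies(policy: SitePolicy, pw: str) -> bool:
    """Check a candidate against the site's declared restrictions."""
    return (policy.min_length <= len(pw) <= policy.max_length
            and all(c in policy.allowed for c in pw)
            and all(any(c in cls for c in pw) for cls in policy.required_classes))


def entropy_bits(policy: SitePolicy, length: int) -> float:
    """Guessing work for a uniformly drawn password: length * log2(alphabet size).
    A restrictive site policy (digits only, short max length) shows up here as a small number."""
    return length * math.log2(len(set(policy.allowed)))


def derive_store_key(master_password: str, salt: bytes) -> bytes:
    """Key for the local encrypted database from the one-and-only password.
    The salt is random per database and stored beside it, so a floppy copy stays usable."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)
```

A policy that only allows four digits yields a valid password but only about 13 bits of entropy, which is the kind of fact the plug-in's GUI should surface rather than hide.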