[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Wed, 11 Jul 2001 14:23:53 -0700
Here's a possible scenario for use in thinking about the design of
a single-logon system. This is from the browser-user's
point of view only, and I'm ignoring any technical hurdles --
just trying to envision what would be ideal.
* I'm using a Windows machine with IE and I have the appropriate
dotgnu plug-in installed for single-logon. When I installed the plug-in,
I told it the one-and-only password that I have to remember; the plug-in
uses that password to encrypt all other information I give it in the
* I go to visit a new web site and it has a restricted section that I can
join if I give it an email address and a password. I click on the button
that says "sign me up". Note that I do not have to click on any special
button that says "sign me up using the dotgnu system" -- the web site is
able to be coded in such a way that both dotgnu and normal users can
be handled transparently.
* At this point, because I have not previously "logged on" during this
browser session, the plug-in pops up a dialog that asks me to enter
my one-and-only password. This would not happen again until I either
restarted the browser, or a customizable "timeout" had elapsed, or I
explicitly took some action that told the plug-in to again require a
When asking for the password, the GUI also permits me to specify a
non-default location for the personal information database. This allows
me to bring my own database on a floppy to someone else's machine,
and still make use of my personal logon database while browsing.
* I enter my one-and-only password, and the plug-in then proceeds to
inspect what it was the web site was asking for (in this case, an email
address and password). At this point, the plugin displays a page (or
or some kind of GUI) that shows what it is prepared to return to the web
site. If I have not previously supplied any of the fields, it will
typically not be able to
suggest defaults. The plugin should offer to generate a "good" password
for me -- the web site informed it of any restrictions on character set and
* I enter an email address (which the plug-in adds to my local encrypted
database for future reference) and ask the plug-in to generate a password
for me. It generates a long garbage-looking password that would be unlikely
to be susceptible to dictionary attacks. I, of course, will never have
what that password is. I check the box that says "Logon Automatically",
tells the plug-in I don't need to inspect these logon parameters the
I log on to this site. Finally, I push the "OK" button, and the plugin
the logon information to the web site, which then allows me access to the
* Next week, I go to another web site that is similar in its demands.
This time, when the plug-in asks me what information I want to supply,
the email address I entered previously is present in a drop-down combo
box. I can accept it as-is, or enter another email address.
* Next month, I return to web site #1. Assume that I entered my
one-and-only password earlier during that browser session. This time,
when I click on the web site's "logon" button, the request for credentials
and the response all happen invisibly, and I am delivered right to
whatever page normally greets people who have just logged on. Joy!
This doesn't exercise anywhere near all the things to be considered during
but it's what I personally envisioned as characteristic of the key
Is roughly what anyone else envisioned as the basic idea?
Windows Developer's Journal, www.wdj.com
Ron Burk <=