
From: Ron Burk
Subject: [Auth]Scenario
Date: Wed, 11 Jul 2001 14:23:53 -0700


Here's a possible scenario for use in thinking about the design of
a single-logon system. This is from the browser-user's
point of view only, and I'm ignoring any technical hurdles --
just trying to envision what would be ideal.

* I'm using a Windows machine with IE and I have the appropriate
   dotgnu plug-in installed for single-logon. When I installed the plug-in,
   I told it the one-and-only password that I have to remember; the plug-in
   uses that password to encrypt all other information I give it in the future.

* I go to visit a new web site and it has a restricted section that I can
   join if I give it an email address and a password. I click on the button
   that says "sign me up". Note that I do not have to click on any special
   button that says "sign me up using the dotgnu system" -- the web site is
   able to be coded in such a way that both dotgnu and normal users can
   be handled transparently.

* At this point, because I have not previously "logged on" during this
   browser session, the plug-in pops up a dialog that asks me to enter
   my one-and-only password. This would not happen again until I either
   restarted the browser, or a customizable "timeout" had elapsed, or I
   explicitly took some action that told the plug-in to again require a password.
   When asking for the password, the GUI also permits me to specify a
   non-default location for the personal information database. This allows
   me to bring my own database on a floppy to someone else's machine,
   and still make use of my personal logon database while browsing.

* I enter my one-and-only password, and the plug-in then proceeds to
   inspect what it was the web site was asking for (in this case, an email
   address and password). At this point, the plug-in displays a page (or dialog,
   or some kind of GUI) that shows what it is prepared to return to the web
   site. If I have not previously supplied any of the fields, it will typically
   not be able to suggest defaults. The plug-in should offer to generate a "good"
   password for me -- the web site informed it of any restrictions on character
   set and

* I enter an email address (which the plug-in adds to my local encrypted
   database for future reference) and ask the plug-in to generate a password
   for me. It generates a long garbage-looking password that would be unlikely
   to be susceptible to dictionary attacks. I, of course, will never have to
   remember what that password is. I check the box that says "Logon
   Automatically", which tells the plug-in I don't need to inspect these logon
   parameters the next time I log on to this site. Finally, I push the "OK"
   button, and the plug-in transmits the logon information to the web site,
   which then allows me access to the restricted pages.

* Next week, I go to another web site that is similar in its demands.
   This time, when the plug-in asks me what information I want to supply,
   the email address I entered previously is present in a drop-down combo
   box. I can accept it as-is, or enter another email address.

* Next month, I return to web site #1. Assume that I entered my
   one-and-only password earlier during that browser session. This time,
   when I click on the web site's "logon" button, the request for credentials
   and the response all happen invisibly, and I am delivered right to
   whatever page normally greets people who have just logged on. Joy!

This doesn't exercise anywhere near all the things to be considered during the
design, but it's what I personally envisioned as characteristic of the key
functionality. Is this roughly what anyone else envisioned as the basic idea?

Ron Burk
Windows Developer's Journal,

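The scenario above describes three pieces of the plug-in's local side: a single master password that encrypts everything else the user stores, a generator for long random site passwords that honours a site's character-set and length rules, and a per-site record (email, password, "Logon Automatically") that later logons draw on. The following is an added example, not code from the original post or from the dotgnu project, sketching those pieces in Python with only the standard library. It assumes a JSON vault format, PBKDF2 for stretching the master password, and an HMAC-SHA256 counter-mode keystream with an HMAC tag for the encrypted database (an illustration of the encrypt-then-MAC shape; a vetted AEAD such as AES-GCM from a real crypto library is what a shipping plug-in would use). The `Vault` class, its method names and the `PBKDF2_ITERATIONS` value are all assumptions.

```python
"""Constructed sketch of the single-logon plug-in's local credential store:
one master password, an encrypted per-site database, and a policy-aware
random password generator. Stdlib only; all names here are assumptions."""
import hashlib
import hmac
import json
import secrets
import string

PBKDF2_ITERATIONS = 200_000  # assumption; tune to the host machine's speed


def derive_keys(master_password, salt):
    """Stretch the one-and-only password into a separate encryption key and MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF keystream (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(master_password, plaintext):
    """Encrypt-then-MAC: blob = salt || nonce || ciphertext || tag."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def open_sealed(master_password, blob):
    """Verify the tag before decrypting; a wrong master password fails here."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered database")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def can_open(master_password, blob):
    """True if the master password unlocks the blob (used to show the failure path)."""
    try:
        open_sealed(master_password, blob)
        return True
    except ValueError:
        return False


def generate_password(length=24, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Long random password drawn only from the site's permitted character set."""
    if length < 12 or len(alphabet) < 10:
        raise ValueError("site policy too restrictive to generate a strong password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


class Vault:
    """Per-site records kept in memory; encrypted as one blob on disk."""

    def __init__(self, entries=None):
        self.entries = entries or {}

    def remember(self, site, email, password, auto_logon=False):
        self.entries[site] = {"email": email, "password": password, "auto_logon": auto_logon}

    def known_emails(self):
        """Values to offer in the drop-down when a new site asks for an email."""
        return sorted({e["email"] for e in self.entries.values()})

    def credentials_for(self, site):
        """Returns the record only if the user ticked 'Logon Automatically'."""
        e = self.entries.get(site)
        return e if e and e["auto_logon"] else None

    def save(self, master_password):
        return seal(master_password, json.dumps(self.entries).encode("utf-8"))

    @classmethod
    def load(cls, master_password, blob):
        return cls(json.loads(open_sealed(master_password, blob).decode("utf-8")))


if __name__ == "__main__":
    v = Vault()
    v.remember("site1.example", "user@example.invalid", generate_password(), auto_logon=True)
    blob = v.save("one-and-only password")  # constructed master password
    print(Vault.load("one-and-only password", blob).credentials_for("site1.example"))
```

Two design points worth noticing: the database is unreadable without the master password because the key never touches disk, and a wrong master password is detected by the MAC check before any plaintext is produced, so the plug-in can re-prompt rather than hand garbage to a web site.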