Services/Sync/WEP/112

Revision as of 22:02, 20 May 2010 by Mardak (email-only account creation)
THIS PAGE IS A WORKING DRAFT
The page may be difficult to navigate, and some information on its subject might be incomplete and/or evolving rapidly.
If you have any questions or ideas, please add them as a new topic on the discussion page.

WEP 112 - Email-only Account Creation

  • Champions: Edward Lee <edilee@mozilla.com>
  • Status: Draft
  • Type: ?
  • Created: May 20 2010
  • Reference Implementation: None

Introduction and Rationale

Account creation currently requires picking a username, password, and secret phrase, and providing an email address. Asking for and validating these pieces of information lengthens the account creation process and confuses users, especially when asking for a secret phrase. This can result in the user giving up.

Setting up another machine requires the user to remember the username, password, and secret phrase. Users tend to forget these 3 pieces of information, especially the secret phrase, as it's not frequently used. Users also confuse the password and secret phrase.

Proposal

For setting up the first computer, only an email address is required to start using Sync. For setting up additional computers, a PIN must first be registered from a client already configured for Sync; the email address and PIN are then needed to get Sync account access.

Account Creation

All that is required for account creation is an email address. A random username and password pair (used to communicate with the server) is generated. The account can now be registered on the server with the username, password, and email address.

A random passphrase (used to encrypt the private key) is also generated. Data can now be encrypted and synced as usual.

Preparing to add another computer

When the user wants to add another computer, s/he indicates so in a configured client and is prompted to enter an 8-digit PIN. This PIN is used to encrypt the necessary Sync authentication pieces (username, password, passphrase), which are temporarily stored on the server.

A configured client will already have the email address, username, password, and passphrase available. The client needs to request an 8-digit PIN when the user wants to set up another computer.

A "key" is generated from the email address and PIN. This can be done by hashing (SHA-1) "<email>,<PIN>".

A "value" is generated by encrypting a structure that contains the username, password, and passphrase.

A server is needed to register this "key" and "value" pair. The server should only keep this pair for 1 day, so there is only a window of 1 day to set up another machine.

Setting up another computer

Setting up another computer requires the email address and PIN. With those two pieces of information, the "key" can be regenerated to ask the server for the corresponding "value". The PIN is then used to decrypt the "value", which yields the username, password, and passphrase.
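
The pairing flow from "Preparing to add another computer" and "Setting up another computer", as an added example that is not part of this draft or of the Sync code base. The proposal names only SHA-1 for the "key"; the PBKDF2 work factor, AES-256-GCM for the "value", and the `PairingStore` class (an in-memory stand-in for the server) are assumptions.

```javascript
// Added example, not Sync code. PBKDF2 + AES-256-GCM are assumptions:
// the proposal only names sha1 for the lookup "key".
const nodeCrypto = require('node:crypto');

const DAY_MS = 24 * 60 * 60 * 1000; // server keeps the pair for 1 day
const KDF_ITERATIONS = 100000;      // assumed work factor

// "key": sha1 over "<email>,<PIN>", as described in the proposal.
function lookupKey(email, pin) {
  if (!/^\d{8}$/.test(pin)) throw new RangeError('PIN must be 8 digits');
  return nodeCrypto.createHash('sha1').update(`${email},${pin}`).digest('hex');
}

function pinKey(pin, salt) {
  return nodeCrypto.pbkdf2Sync(pin, salt, KDF_ITERATIONS, 32, 'sha256');
}

// "value": the credentials structure encrypted under a PIN-derived key.
function wrapCredentials(creds, pin) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', pinKey(pin, salt), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(creds), 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('base64');
}

// Throws if the PIN is wrong or the blob was modified (GCM tag mismatch).
function unwrapCredentials(value, pin) {
  const raw = Buffer.from(value, 'base64');
  const salt = raw.subarray(0, 16), iv = raw.subarray(16, 28), tag = raw.subarray(28, 44);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', pinKey(pin, salt), iv);
  decipher.setAuthTag(tag);
  const plain = Buffer.concat([decipher.update(raw.subarray(44)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Hypothetical in-memory stand-in for the server-side store with 1-day expiry.
class PairingStore {
  constructor() { this.pairs = new Map(); }
  register(key, value, now = Date.now()) {
    this.pairs.set(key, { value, expires: now + DAY_MS });
  }
  fetch(key, now = Date.now()) {
    const entry = this.pairs.get(key);
    if (!entry) return null;
    if (now >= entry.expires) { this.pairs.delete(key); return null; }
    return entry.value;
  }
}
```

An 8-digit PIN has only 10^8 possible values, so the protection of the stored "value" rests on the key-derivation cost and on the server actually discarding the pair after 1 day.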