I've been asked to perform authentication without usernames and passwords, what are my options?

Question

I've been asked to leave passwords and user names aside since most of the site visitors are stop-buy-come-back-several-months-later-kind of visitors, and the motivation was somewhat along the lines "they would forget there passwords any way and have to request new ones".

I suspect there is no realistic way for me to do this thinking IP:s probably change and browsers get updated, cookies are cleared and so forth.

Or do I have any options?

(not that I'm looking for code but rather concepts and pseudo but the language in the project is php/js coupled with an apache server)

Answer 1

Use OpenID.

Let Facebook, Google, Wordpress, or even Stack Exchange handle the authentication for you, and people wont have to remember another password.

---

Alternatively:

Many users understand the "forgot my password; check my email" routine by now, so why not just short-cut it by having them input their email and send them a login url with a randomly generated token to log in with.

Once they're logged in, keep them logged in for as long as you deem secure.

Answer 2

We do the following in our e-commerce solution:

We use email as a unique identifier.

When a customer makes a purchase using the same email, the order will be attached to their existing user. You don't however get any address details or stuff like that, but have to enter it manually.

The customer will receive an email with a generated password if it is a first time buy. If it is a second time buy, they will just be instructed to log in. This can however be combined with a url and a login token. Likewise for logging into the site, you could just have them enter an email to receieve a login url token.

Combine this with a long living cookie and/or the browsers datastorage to remember the customers details (address and stuff like that).

Another option would be to have them entering something about themselves that they would always know, but others wouldn't. However it is hard to have an internationally workable solution for this.