Reputation: 5558
I need a very basic authentication scheme for now and I don't want to involve SSL for the login process. However, sending passwords just in plain text feels really lame, so I would like to meet half-way. Is there any built-in way in Devise (or an extension) which prevents sending plain text passwords and uses some sort of hashes instead?
btw: Please don't start any flame war over SSL, or the (lack of) security in this solution. I am aware of the consequences, the security level of the solution and so on. I just need a solution to my problem for now with the least effort possible (I don't want to code this part by myself).
Upvotes: 2
Views: 673
Reputation: 2309
I'm not sure why you're not interested in SSL, I'm sure you have your reasons, but since I see you're using Heroku you could always enable the Piggyback SSL plugin without paying extra for SSL.
Other than that, you could consider some sort of client-side hashing or encryption/decryption solution. I'm not aware of anything preexisting for Rails, but what comes to mind is a WordPress plugin like http://wordpress.org/extend/plugins/semisecure-login-for-25/ or http://wordpress.org/extend/plugins/semisecure-login-reimagined/ to do a sort of Diffie-Hellman with symmetric key encryption to protect the authentication session.
Other than that, there are several two-factor authentication plugins for Rails if you Google "rails two factor authentication". I haven't tried it myself, but I'd be interested in trying out the paid Authfactor (http://www.binpress.com/app/authfactor/173) Rails plugin sometime.
Hope that helps.
Upvotes: 0
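An added sketch of the client-side hashing idea from the answer above, in Ruby (example code, not from the answer's author and not part of Devise): the server stores a salted verifier and hands out a one-use random nonce; the client derives the same verifier locally and returns an HMAC over the nonce, so the plain password never goes on the wire and a captured response cannot be replayed. The class and function names, the salt and the password are constructed for the example.

```ruby
require 'openssl'
require 'securerandom'

# Verifier stored server-side and recomputed client-side:
# SHA256(salt || password). The salt is public; the password is not.
def make_verifier(password, salt)
  OpenSSL::Digest::SHA256.hexdigest(salt + password)
end

# Constant-time comparison so a timing difference does not leak
# how many leading bytes of the response were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side of the exchange (constructed; not a Devise strategy).
class ChallengeServer
  def initialize(salt, verifier)
    @salt = salt
    @verifier = verifier   # password-equivalent: protect it like a password
    @pending = {}          # nonces issued but not yet consumed
  end

  # Step 1: client asks to log in, server replies with salt + fresh nonce.
  def challenge
    nonce = SecureRandom.hex(16)
    @pending[nonce] = true
    { salt: @salt, nonce: nonce }
  end

  # Step 3: check the response. The nonce is deleted on first use,
  # so replaying a sniffed response fails.
  def verify(nonce, response)
    return false unless @pending.delete(nonce)
    expected = OpenSSL::HMAC.hexdigest('SHA256', @verifier, nonce)
    secure_equal?(expected, response)
  end
end

# Step 2: client side (in a real app this runs in browser JavaScript).
# Only the HMAC of the nonce leaves the client, never the password.
def client_response(password, salt, nonce)
  OpenSSL::HMAC.hexdigest('SHA256', make_verifier(password, salt), nonce)
end
```

This hides the password from a passive sniffer; it does not stop an active attacker who can rewrite the unencrypted login page, and the stored verifier must be treated as a secret because it alone is enough to answer a challenge.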
Reputation: 847
One possibility, although it will leave you coding more than you'd probably like, is to send a simple one-use passcode to the user's cell phone, email, or IM account. The user can then reply to that or click on the one-time link to gain access.
It's more or less ripping out the first factor of traditional two-factor authentication.
Upvotes: 1