Introduction: Authentication

The recent explosion of information available upon the world wide web has made the medium a useful source of information of all kinds.

Some web sites require authentication before information can be accessed. This allows the content provider more control over who accesses the site; they may charge for service, or force users to register, for demographic purposes.

Authentication can be annoying at times. Many of the sites that require authentication do so even though no sane user would care if anyone else used his account. Ideally, users would be able to use the same user ID at each site. In practice, this is not always possible. Often your preferred user ID will already be taken; some sites assign user IDs.

Using the same password at each site can be a security risk, since you don't know who has access to this information. Because of this, you probably shouldn't use passwords that correspond to other real-life useful codes, like ATM PIN numbers or e-mail passwords. Combined with the requirement that user IDs be unique to a site, it seems likely that web users may need to keep track of a unique user ID and password for each site that requires authentication that they visit.

What It Does

Autothenticate is a system extension that loads when you start up your Mac. It installs itself, then goes to sleep. When your web browser puts up an authentication dialog, Autothenticate wakes up and looks to see if it recognizes the name of the site. If it does, it will automatically type your user ID and password (or just your user ID), and you'll be on your way.

If Autothenticate does not recognize the site, it asks if you would like it to memorize your user ID and password, and automatically enter this information for you in the future. You can choose to have it memorize your user ID and password, just your user ID, or nothing.

Autothenticate works with Netscape Navigator 2.0 - 4.5, Netscape Communicator 4.5, as well as Internet Explorer 2.0 and 2.1. It has no effect on Internet Explorer 3.0 or later, although it does not interfere with its use. Remembered sites will be remembered from all versions of each browser.

How to Use It

Install Autothenticate by dragging the extension (the puzzle piece icon) to your system folder. It will automatically be placed in the extensions folder. You must reboot to for Autothenticate to become active.

Using a supported browser, go to a site that requires authentication. When the authentication dialog box appears, Autothenticate will intercept it and put up its own dialog. You may also choose for Autothenticate to remember and automatically type only your user ID, or nothing at all, on a site by site basis, to provide you with a compromise between convenience and security.

You can make Autothenticate forget memorized information about a site by holding down the SHIFT key when you visit the site until the authentication dialog box appears.

Shortcomings

Autothenticate only recognizes authentication dialog boxes. Some servers (for example, the New York Times) have customized web pages where you enter your user ID and password. Unfortunately, it is extremely difficult to recognize these pages, and you will continue to need to authenticate yourself to these pages manually.

You must not rename your browser software. Autothenticate determines which browser you are running by examining the first few characters of the name. If the name begins anything other way than "Netscape Navigator", "Netscape Communciator" or "Interet Ex", Autothenticate will not take any action.

Security Issues

Autothenticate was created as a convenience for people using private Macintoshes who frequently log into numerous sites. Since it automates the log-in process, it reduces security. You must be very certain that you willing to give up this security before you use Autothenticate.

Autothenticate is primarily intended for use on private Macs used by one person. Using Autothenticate can potentially create a security risk since it may no longer require that you type in your user ID and password. Obviously, anyone with access to your Macintosh can log in as you to sites as you. Before you use Autothenticate, consider the sites you visit that require authentication, and people that have access to your Mac. A compromise might be to request Autothenticate to remember only user IDs for specific sites, which will require you to type passwords manually for those sites.

Autothenticate keeps track of the sites you visit in the Autothenticate Preferences file. It does NOT record user IDs or passwords for sites unless you specifically allow it. However, if you do allow automatic authentication, the information you enter is stored in the preferences file. Note that Autothenticate DOES record which sites you visit that require authentication, even if you ask it to NOT remember your user ID or password so it knows not to ask about these sites again; however, in this case, it does not store your name and password.

Autothenticate is only a convenience: YOU alone are responsible for keeping track of your user IDs and passwords for sites. Do not allow Autothenticate's preferences file to be the only place this information is kept -- if the preferences file is damaged or lost, you will need to log into these sites again by hand so Autothenticate can relearn how to authenticate you.

Shareware Statement

Autothenticate is shareware. This means that you are free to download and try it out, but after a thirty-day trial period, you must pay the author. In return, you will receive instructions on how to remove the irritating dialog that appears during use.

If you use Autothenticate, please register. Autothenticate cost US$10 (US$8 for academic use) for a single user license. Academic use means you are a part-time or full-time student or educator; it is up to the payer to decide if he or she fits this category. Site licenses ($100) and world-wide licenses ($400) are also available. A site license covers all machines in the organization which are within 100 miles of a central point.

Registering shareware software that you find useful encourages authors to continue to produce inexpensive, high quality programs. Double-click the program Register Autothenticate for more information on how to register.

You may also register Autothenticate through the web. Point your browser to http://order.kagi.com/?49 and follow the instructions there.

Acknowledgements

Thanks to everyone who registered and beta-tested Autothenticate.

Thanks to Sam Barone, Alex Thompson, Josh Horwich, Andy Stadler, Joe Britt and Michele Meyer for technical help and moral support.

Thanks to Autothenticate beta testers and registered users, and Douglas Godfrey in particular for reporting some tough crashing bugs.

Also thanks to Brian Stern for his INIT Writing FAQ, and, while I'm at it, thanks to everyone at Metrowerks.

Distribution

The Autothenticate distribution package may be distributed in any way as long as you do not charge for it, beyond reasonable download charges on systems that charge for connect time.

If you wish to distribute the Autothenticate package on disk or CD-ROM, please contact the author.

Technical Issues

Autothenticate is a very small, simple extension. It patches only two traps, installs a GetNextEvent filter (which is very similar to a trap patch) and almost never changes the natural flow of your Mac's system software. It uses only 20K of system memory.

Contact Information

To register, use the Register Autothenticate program that came with the distribution. To register, use the Register Autothenticate program that came with the distribution, or go to http://order.kagi.com/?49 and follow the instructions there.

Please send questions (registered users only please) or bug reports (all users) to:

Richard Kiss
kiss@kagi.com

Please include your e-mail address with all correspondence.

To ensure you have the latest version of Autothenticate, please visit my web site: http://www.ogopogo.net

Richard Kiss ("the author") hereby disclaims all warranties relating to this software, whether express or implied, including without limitation any implied warranties of merchantability or fitness for a particular purpose. The author will not be liable for any special, incidental, consequential, indirect or similar damages due to loss of data or any other reason, even if the author or an agent of his has been advised of the possibility of such damages. In no event shall the author be liable for any damages, regardless of the form of the claim. The person using the software bears all risk as to the quality and performance of the software.