
7163 History of Email-Only Auth

  • Lucas Gonze
    May 14, 2014

      Intertwined problems: security and usability.

      Passwords are inherently a point of fragility. They are a natural
      target to attack. Only strong passwords resist attack. Most passwords
      are weak.

      Usability problems lead to weak passwords. The string of characters
      that goes into a password is intentionally hostile. It is the
      bristling razor wire, the war paint, the teeth-bared grimace. But with
      passwords, unlike physical defenses, the grimace faces back on its
      wearer as well as forward to the would-be attacker. The more difficult
      a password is to attack, the more difficult it is to wield.

      Attack is uncertain. It may never come. If it comes, even a weak
      password may be good enough — how can the bearer really know until
      they have a problem? If the attack is successful, it may not cause
      discomfort for the victim. If it causes discomfort, the victim can
      deal with it then. A strong password is YAGNI: You Aren’t Gonna Need

      Better to wait, because prevention causes immediate pain on every
      sign-in and every account creation. Remembering a unique secure
      password is not possible. Looking them up on paper or in a file is a
      burden. Why bother, if an account holder can easily alleviate the
      burden by entering an insecure password?

      It's a cycle: users solve usability problems by sacrificing security,
      and developers solve security problems by sacrificing usability.
      Passwordless systems break the cycle.


      Login & Passwords (Luke Wroblewski, January 30, 2012):

      Despite being nearly ubiquitous online, username and password login
      screens are wrought with usability and security issues. The average
      person has between 7 and 25 accounts that they log into every day.
      People report authenticating about 15 times in a typical work day on
      average. 86% of U.S. companies use password authentication. 70% of
      people do not use a unique password for each Web site.

      Is it time for password-less login? (Ben Brown, Jul 25, 2012):

      No more secrets. I think an even better solution would be to remove
      the password completely, allowing users to login with only an email
      address. Each time a user needs to login, they enter their email
      address and receive a login link via email.


      Anecdotal evidence of production implementation (LaunchRock, per Ben
      Brown, Jul 29, 2012):

      I saw an implementation of a similar login system already in practice
      at LaunchRock.com. To create an account and get started, all you need
      to do is enter an email address. Once you do, you’re logged in and
      ready to go. You’re only required to set a password — via a password
      reset tool — if you somehow get logged out.

      (When I tried out the LaunchRock account creation page today, May 13,
      2014, password was a required field).


      github.com/alsmola/nopassword (Alex Smolen, June 30, 2013):

      NoPassword is a simple authentication and session engine that removes
      the need for passwords. Instead, it uses tokens sent to an email
      address, similar to most forgot password functionality. These tokens
      created long-lived sessions that can be tracked and revoked easily.


      Passwordless Products (Andrew Benton, January 28, 2014):

      if password reuse is valuable to attackers, but getting people to stop
      is difficult and adoption of password tools is slow, perhaps there is
      an alternative solution staring us straight in the face. Do away with
      passwords. Maybe we don’t need them. Instead of letting users choose
      passwords, we could authenticate users by giving them short-lived
      one-time-use tokens delivered over a secure channel that they control.


      Passwords are Obsolete (Justin Balthrop, April 12, 2014):

      For most websites, the only time you even need to know your password
      is when you log in for the first time on a new device. So what do you
      do in that case? That’s what the “Forgot your password?” link is for.
      You’re not even lying, you did forget your password, on purpose.
      Clicking this link sends you an email with a temporary URL that lets
      you reset your password; enter a new random string for this password,
      and remember it only long enough to log in on the new device. Using
      this strategy, there is only one password you actually need to
      remember: your email password.
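
The following is an added example, not part of the original message and not code from NoPassword or any other project quoted above. It sketches the flow the quoted posts describe: a short-lived, one-time-use token delivered by email, exchanged for a session that can be tracked and revoked. The class name, method names, the 15-minute lifetime and the in-memory storage are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed lifetime, in seconds, for a "short-lived" token


class EmailLoginTokens:
    """Hypothetical in-memory store; a real service would persist these rows."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # sha256(token) -> (email, expires_at)
        self._sessions = {}  # session_id -> email

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create the token that goes into the emailed login link."""
        token = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
        # Store only the hash, so a leaked table cannot be replayed as links.
        expires_at = self._clock() + TOKEN_TTL
        self._pending[self._digest(token)] = (email.strip().lower(), expires_at)
        return token

    def redeem(self, token):
        """Exchange a token for a session id; None if unknown, used or expired."""
        # pop() removes the entry on first use, which makes the token one-time.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = email
        return session_id

    def whoami(self, session_id):
        """Return the email bound to a live session, or None."""
        return self._sessions.get(session_id)

    def revoke(self, session_id):
        """End a session; True if it existed."""
        return self._sessions.pop(session_id, None) is not None
```

With this design the security of every account rests on the mailbox, which is the same dependency a "Forgot your password?" link already creates.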