History of Email-Only Auth
May 14, 2014
https://medium.com/p/6b33b0065f74
Intertwined problems: security and usability.
Passwords are inherently a point of fragility. They are a natural
target to attack. Only strong passwords resist attack. Most passwords
Usability problems lead to weak passwords. The string of characters
that goes into a password is intentionally hostile. It is the
bristling razor wire, the war paint, the teeth-bared grimace. But with
passwords, unlike physical defenses, the grimace faces back on its
wearer as well as forward to the would-be attacker. The more difficult
a password is to attack, the more difficult it is to wield.
Attack is uncertain. It may never come. If it comes, even a weak
password may be good enough — how can the bearer really know until
they have a problem? If the attack is successful, it may not cause
discomfort for the victim. If it causes discomfort, the victim can
deal with it then. A strong password is YAGNI: You Aren’t Gonna Need It.
Better to wait, because prevention causes immediate pain on every
sign-in and every account creation. Remembering a unique secure
password is not possible. Looking them up on paper or in a file is a
burden. Why bother, if an account holder can easily alleviate the
burden by entering an insecure password?
It’s a cycle: users solve usability problems by sacrificing security,
and developers solve security problems by sacrificing usability.
Passwordless systems break the cycle.
Login & Passwords (Luke Wroblewski, January 30, 2012):
Despite being nearly ubiquitous online, username and password login
screens are wrought with usability and security issues. The average
person has between 7 and 25 accounts that they log into every day.
People report authenticating about 15 times in a typical work day on
average. 86% of U.S. companies use password authentication. 70% of
people do not use a unique password for each Web site.
Is it time for password-less login? (Ben Brown, Jul 25, 2012):
No more secrets. I think an even better solution would be to remove
the password completely, allowing users to login with only an email
address. Each time a user needs to login, they enter their email
address and receive a login link via email.
Anecdotal evidence of production implementation (LaunchRock, per Ben
Brown, Jul 29, 2012):
I saw an implementation of a similar login system already in practice
at LaunchRock.com. To create an account and get started, all you need
to do is enter an email address. Once you do, you’re logged in and
ready to go. You’re only required to set a password — via a password
reset tool — if you somehow get logged out.
(When I tried out the LaunchRock account creation page today, May 13,
2014, a password was a required field.)
github.com/alsmola/nopassword (Alex Smolen, June 30, 2013):
NoPassword is a simple authentication and session engine that removes
the need for passwords. Instead, it uses tokens sent to an email
address, similar to most forgot password functionality. These tokens
create long-lived sessions that can be tracked and revoked easily.
Passwordless Products (Andrew Benton, January 28, 2014):
if password reuse is valuable to attackers, but getting people to stop
is difficult and adoption of password tools is slow, perhaps there is
an alternative solution staring us straight in the face. Do away with
passwords. Maybe we don’t need them. Instead of letting users choose
passwords, we could authenticate users by giving them short-lived
one-time-use tokens delivered over a secure channel that they control.
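The mechanism the nopassword README and Benton's post both describe (a short-lived, one-time token mailed to the account's address, then exchanged for a long-lived session that can be tracked and revoked) as an added Python sketch. This is illustrative code written for this page, not nopassword's or any quoted author's implementation; the 15-minute lifetime, the example.invalid link, the injected clock and the in-memory dicts standing in for a database are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed policy: a mailed login link is valid for 15 minutes


class EmailLoginService:
    """Email-only auth: issue a one-time login token, redeem it for a revocable session."""

    def __init__(self, send_mail, now=time.time):
        self.send_mail = send_mail  # callable(address, link); the mail transport is out of scope
        self.now = now              # injectable clock so expiry can be exercised offline
        self.pending = {}           # sha256(token) -> (email, expires_at)
        self.sessions = {}          # session_id -> email

    @staticmethod
    def _digest(token):
        # Only the hash is stored: a leaked pending table cannot be replayed as live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_login(self, email):
        """Mail a single-use link. The raw token exists only in the message itself."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness; guessing is infeasible
        self.pending[self._digest(token)] = (email, self.now() + TOKEN_TTL)
        self.send_mail(email, f"https://example.invalid/login?token={token}")

    def redeem(self, token):
        """Consume the token exactly once; return a session id, or None if invalid/expired."""
        entry = self.pending.pop(self._digest(token), None)  # pop => one-time use
        if entry is None:
            return None
        email, expires_at = entry
        if self.now() > expires_at:
            return None  # expired tokens are dropped, never honoured late
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = email  # the long-lived, trackable credential
        return session_id

    def who(self, session_id):
        """Resolve a presented session id to an account, or None."""
        return self.sessions.get(session_id)

    def revoke(self, email):
        """Kill every session for an account (lost device, suspected compromise)."""
        doomed = [sid for sid, owner in self.sessions.items() if owner == email]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)
```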
Passwords are Obsolete (Justin Balthorp, April 12, 2014):
For most websites, the only time you even need to know your password
is when you log in for the first time on a new device. So what do you
do in that case? That’s what the “Forgot your password?” link is for.
You’re not even lying, you did forget your password, on purpose.
Clicking this link sends you an email with a temporary URL that lets
you reset your password; enter a new random string for this password,
and remember it only long enough to log in on the new device. Using
this strategy, there is only one password you actually need to
remember: your email password.