

E-mail Sign On - larsu
http://www.peej.co.uk/articles/email-sign-on.html

======
mooism2
1\. enter e-mail address

2\. go to e-mail

3\. refresh

4\. refresh

5\. count to ten... refresh again

6\. maybe it's in my spam folder?.. no...

7\. final refresh

8\. give up in disgust

 _minutes pass_

9\. e-mail finally arrives in inbox; delete it

\----

I effectively use this method to log in to Amazon (I have a habit of always
changing my Amazon password to something so secure I can't remember it for
more than a minute at a time), and it makes me less likely to log in (I want
to add this book to my wishlist, but I have to log in first? Maybe I won't
bother then).

To be fair Amazon password reset e-mails are _usually_ in my inbox by the time
I switch to my e-mail, but some sites are slower.

~~~
BoppreH
It's been some time since I saw an email take more than 5 seconds to arrive.

~~~
kristaps
Might not happen often, but it's a major bummer when it does.

An existing example: when you recover a password for some service you do it
because you want to log in NOW, not some time next week.

------
jnorthrop
Its a clever idea but I would think it would be frustratingly slow to login
via email. I wouldn't be surprised if it took 20 seconds or more to complete
the entire transaction -- that is a long time for a relatively simple
operation.

~~~
jasonkester
As opposed to OpenID, which takes that much time by design. Or more, since
chances are you don't know your OpenID and therefore have to look it up in
your email.

------
rahoulb
Add in an "auth-request" header onto the email, have a plugin for your mail
client that looks for the header - and if found hides the mail and does the
auth in the background for you - and you then have seamless integration
(thanks to <http://news.ycombinator.com/user?id=wlll>)

~~~
BoppreH
Enter page, type email, hit enter, wait 5-10 seconds, "You are logged in."

Apparently simple to implement for both customer and provider and takes alway
all the headaches from account registering.

I would pay for that.

------
owkaye
One of my clients has so many web-based requests that he asked me to build a
better system, and this system is basically what I came up with.

A visitor wants to use one of our request forms so he enters his email address
and clicks Submit. The next page says "Check your inbox, spam and junk mail
boxes for the email we just sent you, then click the link to complete our
request form."

Nearly all of them click the link. SPAM and bogus requests have dropped to
zero.

Once in a while we get a complaint stating that they never received the
confirmation email, but we know they were all sent because we BCC copies to a
special gmail account for archival purposes.

The client is happy.

No, this is not a login system but I'm going to implement it on my new website
as a login system because it is MUCH simpler than dealing with passwords ...
and there is far less resistance to this system than some of you seem to be
complaining about.

The fact is, people really dislike dealing with passwords and this system gets
rid of them.

------
DanielRibeiro
... and some call it insecure. If you don't take care of Man-in-the-middle
attacks, which is one of the most basic attacks, you simply are not secure on
the internet (where things like XSS and cross site forgery are for more
common, and can render the most complicated authentication mechanisms
useless). But for starting thigns up, it can be just fine.

~~~
Tichy
I guess you would have to ad a secret to the page you want to login to, that
said page could display, and another one it could ask you for.

Hm, might become too inconvenient. The only advantage would be not having to
remember the password.

This makes me think the traditional password recovery mechanism should also
work that way. You should have to enter your new password first, then get the
confirmation link to save it.

------
pqs
RedHat's Mugshot did this in 2007. I really liked it.
[http://bits.quintanasegui.com/2007/04/05/login-without-a-
pas...](http://bits.quintanasegui.com/2007/04/05/login-without-a-password/)

------
eberfreitas
I make this at my website [ <http://www.tanlup.com/users/login> ], but you
have a password as well. In general, people will use this method if they can't
remember their password. I already thought about making this the default sing
on method to a website (it works great for e-commerce sites without user
registration), but e-mail issues (delays, spam) and the fact that not everyone
lives on their inbos (like me) changed my mind.

------
sblom
There's a shipped project that ties this in to OpenID. <http://emailtoid.net>

Some of the OpenID crowd were aware of it at the time, but it hasn't really
caught on. It's kinda fun to use it as an OpenID provider to log in to itself.
Very meta and clean.

------
PhrosTT
If I'm on a work computer I can't access my email.

If I'm on an untrusted (potentially keylogging) computer, I don't want to type
my email password - but I may not care about the security of my Pandora
password.

I think the process is defaulting every site to the same trust level as your
email.

------
marquis
This would frustrate me no-end. I'm not always at my own computer, and I
change my password regularly to one to complex to remember. I don't always
want to use my phone browser to login to sites I need access to.

------
STHayden
I had the exact same idea the other day. Good summary. Obviously not the best
solution for all sites, but I think smaller sites might benefit from this. I'd
love to see a basic plugin/library built around this.

------
findm
I hate the fact that I have to "validate" my email address with a lot of web
app services when you first sign up.Imagine doing that every time you want to
log on.

Definitely adds more resistance to the flow.

------
oinopion
Humble bundle did this.

------
mebassett
how 'bout log in via sms? Enter your mobile number. it texts you a code. input
code. logged in.

------
fezzl
Fingerprints?

