
Ask HN: Passwordless logins with email / phone based authentication, yay or nay? - nickjj
I'm going to be developing a new web app soon and I'm strongly considering not having passwords at all.

Just email or phone based login links that set a ~1 year cookie so you don't have to worry about it on a day to day basis. It's the pattern where you get emailed a link, and when you click the link, it sets a JWT with a long expiration time.

Would you be offended by this, or feel good about it?

The only real use case I can think of for not doing this is some people have cookies disabled, which means you'd have to log in by email every time you start a session, but surely people in that position know what they are getting into?

With password based logins, the lack of cookies is less of an issue because a password manager would fill out the fields, so it would be very fast to get back in.

On the other hand, the upsides for passwordless logins are pretty huge for most end users.

P.S. My target audience for this project would be developers and people who are generally into computers and the internet.
======
mtmail
I built something like this 10 years ago for a search engine. You were able
to save searches and results. Sign in just had the email field, which would
send you a session link; the expiry was 30 days after last action I think. The
average user didn't mind, but also didn't always understand. Users tried to
use it at home and workplace so we needed to allow multiple sessions. Users
wanted to share their results and I guess within a family users were usually
sending each other the username&password. After all it was an optional
feature, used by less than 1% of the users, so we couldn't tell if adoption
would've been different if we had "normal" passwords. Later we tried Facebook
login and got enough hate-mail to stop the whole feature.

Personally I don't mind passwords, that's what password managers are for.

~~~
nickjj
For my use case, account sharing isn't something anyone would want to do, and
I totally agree about not even thinking about using social logins (I hate them
too).

Multiple sessions is a very good point that I didn't think about.

I think to properly implement passwordless logins you would end up still
needing a DB lookup on each login because you would need a way to invalidate /
blacklist tokens on the server side (for disabling accounts on demand).

So with that said, multiple sessions is likely a solved problem by just seeing
if a token is already set for that user, and if it is, write that one back to
their other device's cookies instead of generating a new one. Seems
foolproof?

My reason for wanting to ditch passwords is mainly to protect users. I've
coded an end to end password based login solution in like 4 different
frameworks about a dozen times so I'm cool with doing it either way, but I do
really think passwordless logins have real advantages outside of just
eliminating crappy passwords.
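The flow sketched in the post and this reply (emailed single-use link, ~1 year cookie, a server-side lookup on each request so tokens can be invalidated, and support for more than one device) as an added example in Python; this is an editor's illustration, not code from the thread. It stores an opaque random session id server-side instead of a JWT (the reply already concludes a DB lookup is needed anyway) and keeps one session record per device so any one can be revoked; the 15-minute link lifetime and the in-memory dicts are assumptions.

```python
import hashlib
import secrets
import time

# Assumed constants and constructed in-memory stores; a real app would use its database.
LINK_TTL = 15 * 60             # assumption: an emailed login link is valid for 15 minutes
SESSION_TTL = 365 * 24 * 3600  # ~1 year cookie, as in the post
pending_links = {}  # sha256(token) -> (email, expires_at)
sessions = {}       # sha256(session_id) -> {"email", "device", "expires_at", "revoked"}


def _h(value: str) -> str:
    # Store only hashes so a leaked table cannot be replayed as links or cookies.
    return hashlib.sha256(value.encode()).hexdigest()


def issue_login_link(email: str, now: float = None) -> str:
    """Create a single-use, short-lived token to embed in the emailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    pending_links[_h(token)] = (email.lower(), now + LINK_TTL)
    return token


def redeem_login_link(token: str, device: str, now: float = None):
    """Consume the link once; on success start one session record for this device."""
    now = time.time() if now is None else now
    entry = pending_links.pop(_h(token), None)  # pop: a link can only be used once
    if entry is None or now > entry[1]:
        return None
    email, _ = entry
    session_id = secrets.token_urlsafe(32)
    sessions[_h(session_id)] = {"email": email, "device": device,
                                "expires_at": now + SESSION_TTL, "revoked": False}
    return session_id  # value to set in the long-lived cookie


def session_user(session_id: str, now: float = None):
    """Lookup on every request, so revocation takes effect immediately."""
    now = time.time() if now is None else now
    s = sessions.get(_h(session_id))
    if s is None or s["revoked"] or now > s["expires_at"]:
        return None
    return s["email"]


def revoke_all_sessions(email: str) -> int:
    """Disable an account on demand: every device's session stops working."""
    n = 0
    for s in sessions.values():
        if s["email"] == email.lower() and not s["revoked"]:
            s["revoked"] = True
            n += 1
    return n
```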

------
borplk
> Would you be offended by this

Yes

> some people have cookies disabled

This is a myth. Anyone disabling cookies knows what they are signing up for.

Guess what, if you "disable HTML" the web is not going to work either.

~~~
nickjj
What turns you off from the idea btw?

~~~
borplk
It's presumptuous.

------
cimmanom
Depends on the use case. I'd never want something like that for a bank. But HN
or Reddit... why not?

------
Tomte
I first saw something like that at The Magazine and instantly loved it.

No idea why it didn't spread. It seems such an elegant solution.

------
goblins
Personally I wouldn't bother with this since I delete cookies as soon as I exit
the browser.

I've a password manager for logins.

