
Bye Bye Passwords - tylerg
http://blog.shopittome.com/2014/05/29/bye-bye-passwords/
======
bjackman
So this is essentially delegating authentication to the user's Email service.
Delegating authentication seems like a good idea: fewer passwords to forget
and more conveniene. So why not delegate to a proper authentication service
like OpenID?

(Seriously, that's a question: Why don't more people use OpenID? Is there
something wrong with it?)

[http://openid.net/get-an-openid/what-is-openid/](http://openid.net/get-an-
openid/what-is-openid/)

~~~
dragonwriter
> So this is essentially delegating authentication to the user's Email
> service. Delegating authentication seems like a good idea: fewer passwords
> to forget and more conveniene. So why not delegate to a proper
> authentication service like OpenID?

Because the user is more likely to have email than OpenID, so delegating to an
option of one or the other is more complex, and delegating to only the latter
is limiting your market.

~~~
bjackman
But either way the user has to sign up to something. When you delegate to
Email you still have to initially create an account with the site's
specialised authentication system. You'd just replace that process with
creating an OpenID account.

But yeah, I guess saying "now go to this 3rd party website and create an
OpenID account" is pretty ugly. I wonder if it's possible to have your own
"sign up" page that's a proxy for creating an OpenID with a 3rd party
provider?

~~~
giovannibajo1
From an UX standpoint, the problem with OpenID is that users are forced to
remember and type URLs as usernames.

People are likely to remember their email if they have one, but URLs are
disappearing from user interfaces (see Chrome, Safari, Mobile Safari, etc.).

------
nostromo
It seems taking users out of your app / off your website to sign up or
purchase something would be detrimental to conversion rates.

(I don't know about you, but I can't think of anything more distracting than
my email inbox.)

I know it's not popular on HN, but we already have a simple method that
removes passwords: OAuth.

~~~
eli
How would I go about replacing passwords with OAuth on my site? You mean like
a "Login with Facebook" button?

------
benferris
Although they say it is a "one time password" which is smart, email is still
assumed to be not secure. Like for example, you wouldn't want to send your SSN
through email because servers along the way can possibly sniff it. So, while
it seems safe in most situations to do this, I feel that it probably isn't
100% safe but maybe good enough for most people.

What is the risk though? If someone did steal your one time link and get into
the app could you somehow prevent them from continuing to access it? And what
could they do in the app -- change your address and buy stuff on your credit
card and send it to themselves? Feels like there is just some tiny level of
risk here that probably wouldn't happen... but I wouldn't feel completely safe
with this.

~~~
RaphiePS
The way I see it, every single app that uses email for password resets
(usually by emailing a link, sometimes a code) already relies on the security
of email.

Even if you have the most secure password in the world, if an attacker
compromises your email account, they can simply send a password reset email.
It's the weakest link.

------
eddiezane
A friend of mine has been very passionate about the idea of getting rid of
passwords and built a proof of concept version of this a few months ago [0].
He also gave a very good talk about it at a JavaScript meet up [1].

[0] [https://github.com/handshakejs](https://github.com/handshakejs) [1]
[http://vimeo.com/90883185](http://vimeo.com/90883185)

~~~
dja-io
HandshakeJS rocks. I'm using it on my app I just launched: kadre.co

------
jd007
They talk about Heartbleed and other attacks, but fail to mention the security
of emails, especially during transit?

~~~
tootie
Yeah, it's assuming your email provider has very strong security. If you're
using gmail, yahoo, ms or any reputable provider, it probably is pretty
secure.

------
nly
I've always thought waiting for a damn registration email was the worst part
of the typical sign-up process. Not sure this saves much user frustration.

Drop the email field altogether and you might have something refreshing.

~~~
cordite
And sometimes with managed or self hosted email services on custom domain
names, it takes a ridiculously long time.

I think my attention time out for this would be 30-45 seconds.

------
herghost
I think this is a positive move. My gmail for instance is one of the better-
protected services I use: I have a ludicrous password and 2FA. The reset
options only include dialling my mobile (not voicemail) or emailing another
account (which isn't otherwise associated with me to anyone who knows me),
which is also protected by a strong password.

Why not allow Apps to not use passwords in this case?

In addition (for me) the app would be on my mobile, which is passcode
protected (and fingerprint) _. Beyond that security you have full access to my
email anyway, so what 's any additional app password going to provide?

_since you need the device (which you're presumably steeling) AND the passcode
for it, does this make it 2FA? I think I've read Apple claim as much in a Data
Protection document, but I wonder whether you can really count the device
you're trying to log in TO as one of the Factors?

------
xerophtye
I have a question. Why not SMS? Is it because sending an SMS globally is more
of a hassle then sending email? Or that with email we assume the entire
channel has some protection layer to it, where as in SMS the security is due
to the fact that we're using an entirely different channel? Simply
intercepting an SMS (if you actually manage to do that) won't be enough as you
would also need the username. In the email approach, don't most places use
your email as a username??

I am just talking generally, not specific to this app

------
calineczka
I don't know who started this, but I've noticed recently after installing
Slack app on Android that they went the same way. I found it very convenient.
After all anyone can reset my password using email so why bother creating it
all? Just send me the auth token as link in email. The app registers itself to
open on such link and it works nicely.

------
thrush
I like the idea. It's essentially SFA, Single Factor Authentication, opposed
to MFA, but chose the "what you have" aka an email factor rather than "what
you know" aka a password.

From a compliance standpoint (ignoring security feature), would this be
allowed?

From a security standpoint, not sure this is any better/worse than social
login or receiving an SMS. Most of the time you have all these portals
(including email) already authenticated so it doesn't really make a difference
which you use. The nicety is that you can basically track your logins through
email which is pretty neat.

From a usability standpoint, I feel like an SMS would make more sense? I turn
off push notifications for email because I receive too many, but I'd be able
to read the number from the text and type it in right away (assuming that
you'd use standard MFA tokens). Maybe the difference is more between using a
6-digit PIN instead of a link than the source it's received.

------
EGreg
I was going to post this comment on their page:

"Why do you need people's name and email? The above screenshot looks like an
APP. You already have a way to reach them: in-app notifications. And why do
you need their name until they purchase something?"

But ironically, the resulting page said "Please enter correct password. Spam
free wordpress." LOL

~~~
jasonlotito
> You already have a way to reach them: in-app notifications.

People have to opt-in to in-app notifications. If they press no intentionally
or accidentally, recovery is far, far more difficult. Email is much easier and
more controllable than notifications.

~~~
evv
> Email is much easier and more controllable than notifications.

True, but not for the user. I would much rather accept notifications than type
in my email address. I avoid the risk of getting spammed, don't need to decide
what email to use, don't need to decide if I trust the developer. And with app
notifications, the ability to unsubscribe is much more consistent and
reliable.

------
keyle
This is interesting and somewhat confronting to me. Can we just get rid of
passwords that simple?

Do we end up with a system that's of equal or higher safety?

Agreed that convenience is definitely up, since we have email clients built
into everything.

~~~
matthewbauer
I don't think this is a great solution for highly sensitive information like
banking - most people have lots of different devices that receive their email
and just one "weak" link could give malicious access.

That being said, for sites this that are more concerned with "verification"
than "authentication" this seems like a viable approach.

------
chewxy
Heh. Fork the Cookbook does this - with a 1 hour auto log out. It didn't go
too well with our users.

What I learned from FtC is that people are so ingrained with the idea of
passwords that single factor auth doesn't really fly.

------
jlt
To me, this just seems a little silly. I can't imagine how difficult it will
be to maintain a persistent, user-friendly account with this method. An
emailed link every time a user wants to log in? Just plain silly.

Passwords are still widely used, and for good reason. I partially accept your
point of passwords not being very secure, but why not just spend some time
implementing a 2FA login method, instead of this?

------
dangoldin
I wrote a similar blog post a while ago advocating this approach. It was
inspired by MixPanel sending me a login link alongside a forgot password link
- [http://dangoldin.com/2014/05/20/logging-in-through-your-
inbo...](http://dangoldin.com/2014/05/20/logging-in-through-your-inbox/)

------
muppetman
Well, bye bye users. Greylisting is so common these days - emails don't arrive
straight way. Who wants to wait 5 minutes (assuming your mailserver tries that
often on a greylist) to login to an app?

Appreciate what they're trying to do, but I think this is a bad idea.

edit: As tootie points out, it would be possible to use a "whitelisted"
company.

~~~
tootie
This can be mitigated by paying a mass mailing company that's on all the
whitelists. Of course, the makes it sort of a racket, but at least it's an
option.

~~~
muppetman
That's a good point - yes - I hadn't thought of that.

------
delackner
I havent followed too closely the state of secure email delivery, but I would
guess that even today a huge percentage of people both send and receive email
in clear text over easily intercepted links.

this option only makes sense if email delivery can be guaranteed to be secure,
and the recipient has non-password-based (two factor) auth.

~~~
IgorPartola
Well, currently almost all password resets work over email. If you can read my
email, you can reset all passwords for my bank accounts, shopping site
accounts, etc. this solution is no worse than others.

~~~
delackner
Yes, this is why I wish we could disable password reset emails as an option. I
seem to remember disabling that in gmail when I activated two-factor...

------
calebio
Unless I'm misunderstanding something, if someone has access to my email they
can just login right?

That doesn't sound very safe. Does this use some form of OTP that's passed via
a special URL that only works with the mobile app? If so that sounds better
than what I'm thinking.

~~~
ori_b
I don't know how it works, but I _hope_ it generates a private key/public key
pair, and uploads the public key. Kind of like SSH authentication.

~~~
ShaneOG
I would be very surprised if this is how it works

~~~
solomone
me too.. it's more likely to be a token that's cookied and sent over SSL per
api request. Same token that would get generated if they auth'ed via password.

------
ultimatedelman
I agree that on a mobile device you should only have to log in once and be
remembered forever (if someone compromises your phone, you have bigger
issues), but I think that requiring a password (or OAuth, etc) on a non-mobile
experience is a pretty good idea.

------
Istof
Couldn't a secret URL with unique id be generated the first time you use a
website that requires login (bookmarks would preserve passwords)? I guess you
could make it long enough to prevent over-the-shoulder attacks and of course
you would need HTTPS.

------
alexsmolen
Shameless plug - I wrote a Rails engine for this type of authentication
mechanism called NoPassword - see
[https://github.com/alsmola/nopassword](https://github.com/alsmola/nopassword)

------
cevaris
Wouldnt the unique identifier or Auth token be the password? Sure it is more
convenient for the User not having to remember there password, but it is not
necessarily more secure.

~~~
jamese
I think ideally it would be a temporary auth token, only used to get the
session created.

------
nell
Good to see a concept ([https://medium.com/cyber-
security/9ed56d483eb](https://medium.com/cyber-security/9ed56d483eb)) at work.

------
Raphael
Remind me again how sending a credential in plain text by email is secure.

------
mathattack
I think passwords should be gotten rid of. Could this be pulled off on a
website rather than a phone? My sense is that it would be too dangerous.

------
lhgaghl
"bye bye passwords, hello blocking IP addresses from viewing our blog"?

