

Ask HN: what do you think about "signin without logging in" for your startup? - hoodoof

Trying to get people to sign in seems to be a big obstacle to getting user takeup.

Do you think it is an acceptable idea to allow people to sign in by sending them a link with a random string linked to that user? i.e. if someone has that link then they are trusted to log in. What do you think?
======
nwenzel
I hate signing in when I'm first exploring an app. See DJ Patil's talks on
building data driven apps. Our (user + application) first interaction is like
a first date. I'm not giving you access to my Facebook/Twitter/LinkedIn/Google
account on our first date.

I'm sure there are levels of access that can be granted to slowly introduce
users to your app.

------
Lasher
Do you have a way to build in guest accounts that will expire after X hours /
days?

Hearing 'sign in without logging in' makes me cringe, but I can see why you
would want to do this. I hear what Joachim said that it really is no worse
than being able to recover password via email, but it seems there might be
more opportunity for a single email to go astray (or accidentally forwarded)
than an entire account to be hijacked.

------
JoachimSchipper
Security-wise, this is not worse than having a "recover password" link that,
given an e-mail, will send you your username and a new random password (and
much better than such a link that sends you your chosen password.) For bonus
points, implement HTTPS and SMTP STARTTLS.

I expect that some people won't be too happy about having to dig the link out
of their mail, but that's fixable by allowing user/password as well.

------
JoeAltmaier
It's capability-style authentication. If the capability gets loose, so does the
authentication.

Usually capabilities have a time-limit and sometimes a blacklist.
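
Added example, not part of any comment in this thread: a minimal Python sketch of the emailed sign-in link as a capability with the time limit and blacklist mentioned above. The names `LoginLinkStore` and `TTL_SECONDS`, the 15-minute lifetime, the single-use rule and the in-memory storage are assumptions made for illustration.

```python
import hashlib
import secrets

TTL_SECONDS = 15 * 60  # assumed lifetime; the thread only says "time-limit"


class LoginLinkStore:
    """In-memory store for emailed sign-in tokens (illustrative only)."""

    def __init__(self):
        self._tokens = {}      # sha256(token) -> (user_id, expires_at)
        self._revoked = set()  # the "blacklist": hashes that must never work

    @staticmethod
    def _digest(token):
        # Keep only a hash so a leaked table does not contain working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = (user_id, now + TTL_SECONDS)
        return token  # goes into the emailed link, never into storage

    def revoke(self, token):
        self._revoked.add(self._digest(token))

    def redeem(self, token, now):
        """Return the user id for a valid token, else None (single use)."""
        key = self._digest(token)
        entry = self._tokens.pop(key, None)  # pop: a second use finds nothing
        if entry is None or key in self._revoked:
            return None
        user_id, expires_at = entry
        return user_id if now < expires_at else None


def demo():
    store = LoginLinkStore()
    t0 = 1_000_000  # constructed clock value, in seconds
    fresh = store.issue("alice", t0)
    stale = store.issue("bob", t0)
    leaked = store.issue("carol", t0)
    store.revoke(leaked)  # e.g. the mail was forwarded by accident
    return [
        store.redeem(fresh, t0 + 60),            # accepted
        store.redeem(fresh, t0 + 120),           # rejected: already used
        store.redeem(stale, t0 + TTL_SECONDS),   # rejected: expired
        store.redeem(leaked, t0 + 60),           # rejected: revoked
        store.redeem("guess", t0 + 60),          # rejected: unknown token
    ]
```
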

