

Show HN: No More Passwords, Just Email - brent_noorda
https://nomorepasswordsjustemail.meteor.com/

======
lazerwalker
As a power user, it's easier for me to invoke my password manager than it is
to open up my mail client and copy/paste in a one-time key.

~~~
natch
I've been trying a password manager. How do you get around the fact that it
requires you to put in your master password all the time? You just set it to
not require that, or have a really long timeout? Or have a super easy to type
master password?

~~~
cschneid
I have a long sentence as my passphrase. 1password will stay unlocked for ~30
minutes (or when I close my computer), so I type it a few times a day. I've
gotten very good at typing it, and can crank it out quickly.

It's much much faster than opening my email, and waiting for SMTP & Gmail to
get its act together.

------
daleharvey
related: [https://login.persona.org/](https://login.persona.org/)

I will be a very happy person when / if I see a persona login page on more
sites

~~~
llimllib
The "How it works" page gives exactly zero information about how it works.

~~~
DanielStraight
This is more informative:

[https://developer.mozilla.org/en-US/Persona/Protocol_Overvie...](https://developer.mozilla.org/en-US/Persona/Protocol_Overview?redirectlocale=en-US&redirectslug=Persona%2FProtocol_Overview)

------
wikwocket
I applaud any effort to fix the "password problem," but isn't this
functionally equivalent to just using the "Forgot my password, email me a
reset code" link every time you want to log in?

~~~
toomuchtodo
So instead of relying on $WebAppOfTheWeak to lose my password (I'm looking
right at you Adobe), I can rely on the two factor auth of my Gmail account for
security.

I'm okay with this.

~~~
subsection1h
> I can rely on the two factor auth of my Gmail account for security.

Does Gmail now support 2FA? The last time I checked, Gmail supported Google's
2-Step Verification. 2SV includes backup codes, which cause 2SV to be 1FA:

Password + Backup Codes = Something You Know + Something You Know = 1FA

------
Ryoku
Then a new and huge list of security problems arises when you have to bother
the user with getting a new code every time if they have the sense of closing
their browser and cleaning their cookies each time they close their browser
(which could be as often as whenever they leave their computer); the fact that
losing control of a single email makes you lose control to the account in
every site using this system, which beats the idea since that email is most
likely password protected anyway; etc, etc.

In a nutshell: "In most cases you won't need to do this often" is a HUGE
fallacy. It depends on the security rules you work/live by. Plus, it would
make it really annoying to use if on top you're using TOR.

Yes, passwords need to be fixed. They are weak, problematic and a security
cheddar cheese. It is why we are now implementing two factor authentication.
Changing the "fixed password" strategy to a "random and time limited password"
strategy isn't exactly solving more issues than it raises. Again, from a
security-wise stand point.

Maybe if this was implemented with something different than your email. Like,
for example, bank tokens or cell phone verifications... which, again, are
part of a two factor authentication because by themselves they would be too
easy to break.

Think about the following scenario: You use X site with this email auth system
and, for example, Thunderbird. Stand up and go to the bathroom or a meeting or
whatever without locking your computer. Presto! I won't even need to guess a
password and get access. Of course getting access to X site would be the least
of your worries in that example, but it illustrates the point I'm trying to
make.

~~~
brent_noorda
I don't think any security mechanism works if you walk away from your computer
and leave the programs running (except something that relies on an NFC on
your wrist). For this reason I don't think your scenario makes this scheme
any less secure than what is used on standard sites. Maybe it's even more
secure since even if they get access briefly, they cannot learn your password
(since you don't have one), and so they cannot later log back on from a
different computer.

~~~
Ryoku
It was just an example. My point is, by relaying all entrance control to an
email, you are giving it master password access. The only thing you are doing
is relaying the security issues to wherever that email is hosted; most of the
times, a free and third party service over which you have no control. No, it
is not more secure to keep your car, home and security box keys together.

You are not increasing security, whatsoever. You are setting all the security
in an email service, which we already know are not the most secure services at
this moment.

Maybe such a login can be applied inside a company's network, where you have
control over the security of the servers, certificates, network encryption,
etc.

Now if you think about it from a social engineering perspective. It is much
easier to get access to a single email account than to every account you own.
And about persistence of access... There's this thing called email forwarder.
If I get access to your email, I would create a forwarder for all the email
you receive to one I control; chances are you won't notice it in a long time.

------
jere
Is this any better than a link that logs you in automatically? A link would be
easier and more secure. I've actually been thinking of that as a super simple
login method lately, but I don't know if people would use it.

As a proof of concept, I couldn't actually get your site to work because by
the time I understood the UI flow, it was throwing an alert saying "Error with
that email address". Also, this goes to spam for me... just to let you know.

~~~
brent_noorda
No, it's not better than a link that logs you in automatically, just
different. I don't think a 5-digit code is hard to remember for a few seconds,
so I like this one. Sometimes the auto-links bother me because they might open
a different browser than I want, but that's only a minor issue.

I'm thinking of adding a log-in link to the email, in addition to the 5-digit
code, for people that prefer that method. That way they'd have both options in
the same email.

~~~
jere
Cool! I think that's a great idea.

Also, I really would try to smooth out the login flow even for a POC. If I
accidentally enter an old code (even if it's 5 minutes) it won't let me in.
That seems OK. However, what happens next is I copy the correct/latest code,
but the UI asks for my email again to send another code. When I paste in the
code I have copied, it's invalid yet again.

~~~
brent_noorda
I agree that can be odd. I made this decision to defeat bots that may be
trying to fake their way in. Since it's only a 5-digit code it wouldn't take a
bot long to guess the right code. By invalidating the code the first time a
wrong one is used I think it makes bots very unlikely to guess correctly. I
think. I hope.
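
The single-attempt, five-minute code scheme discussed in this sub-thread, written out as an added example; it is not part of the original thread or the site's own code. The in-memory `pending` map, the function names and the status strings are assumptions, and `guessSuccessProbability` goes slightly beyond the comments by quantifying repeated one-guess attempts against freshly requested codes.

```javascript
// Added example (not code from the site discussed in this thread).
const { randomInt, timingSafeEqual } = require('node:crypto');

const CODE_TTL_MS = 5 * 60 * 1000; // codes are valid for 5 minutes, as in the thread
const pending = new Map();         // hypothetical store: email -> { code, expiresAt }

// Issue a fresh 5-digit code; it replaces any earlier code for this address.
function issueCode(email, now = Date.now()) {
  const code = String(randomInt(0, 100000)).padStart(5, '0'); // CSPRNG, no modulo bias
  pending.set(email, { code, expiresAt: now + CODE_TTL_MS });
  return code; // the caller e-mails this value to the user
}

// Check a submitted code. Every attempt, right or wrong, consumes the pending
// code, so a guesser gets exactly one try per issued code.
function verifyCode(email, submitted, now = Date.now()) {
  const entry = pending.get(email);
  if (!entry) return 'no-code';
  pending.delete(email);
  if (now > entry.expiresAt) return 'expired';
  const expected = Buffer.from(entry.code);
  const given = Buffer.from(String(submitted));
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return 'wrong';
  }
  return 'ok';
}

// Probability that at least one of `requests` single guesses, each against a
// freshly issued code, is correct. This is why issuance needs rate limiting.
function guessSuccessProbability(requests, digits = 5) {
  return 1 - Math.pow(1 - 1 / 10 ** digits, requests);
}

// The flow reported above: an old code is typed, which burns the latest one.
function staleCodeFlow(email) {
  const latest = issueCode(email);
  const stale = latest === '00000' ? '00001' : '00000'; // constructed wrong code
  return [verifyCode(email, stale), verifyCode(email, latest)];
}
```

Rate limiting code requests per address and per client keeps the cumulative guessing probability low; the single-attempt rule alone only bounds each individual code.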

------
tedunangst
So now I have to type my email password into my friend's insecure computer
every time I want to use your site? I think I'll be using your site a lot
less.

------
mschuster91
Interesting concept - but what happens if you lose control of your email
account (as a user)?

Imagine e.g. problems with your DNS (self-hosted and you forgot to renew the
domain), outages of your mail provider, or the worst case (for the service
provider): your outbound mail server is placed on a blacklist.

This way your entire user management system goes up in smoke without ANY way
for you to fix it!

~~~
cbhl
"Send forgot password link to email account on file" is fairly common; if the
user loses control of their email (e.g. to an attacker that got access to
their password and then immediately changed it) then the user is already
screwed in many ways. (I don't think this is ideal, but it seems to be the
norm.)

Using email login links instead of passwords doesn't seem especially worse
wrt. security than "industry standards".

~~~
deong
Except currently, I know most of my passwords. Losing my email access would
suck on so many levels I don't know where to start, but at least I can still
log into my bank/credit card sites/etc. to start mitigating the potential
damage. If everyone went to a system like this, losing your email means losing
access to everything you don't have an active cookie for, instantly and with
no ability to recover.

------
alexsmolen
I built and open-sourced something like this a while ago:
[http://nopassword.alexsmolen.com](http://nopassword.alexsmolen.com)

HN thread here:
[https://news.ycombinator.com/item?id=4570600](https://news.ycombinator.com/item?id=4570600)

It's a great concept, but like any new authentication mechanism there's a
usability and security cost due to the lack of familiarity.

Plenty of authentication mechanisms are "better" than passwords, but passwords
are well-understood and flexible, which is a huge advantage for almost all
sites.

------
kijeda
For me, a big concern is propagation delay in the email. It sends a token that
is valid for only 5 minutes, but with greylisting performed by the spam-
filtering machinations in my email provider, there is a good chance I will not
get that email within 5 minutes. Trying to send a second one will probably
result in some kind of exponential back off penalty also.

For that reason alone I don't see how only using email verification as a low-
friction way to log in makes sense.

------
dspillett
Ooh, no.

I really don't consider email nearly reliable enough for any important logins.

It might work if I have a password in my password manager as a fallback, but
then just using the password manager would be the way to go.

Edit: Actually this could work as the fallback for if I for some reason don't
have access to the password manager, so I might use it but not for the
intended purpose.

------
this_user
The big problem with something like this is that it introduces an attack
vector that could compromise all of its users' accounts at once and thus making
it a major target for attackers (and spy agencies). I don't see any solution
for this in a world where even companies with extensive security know-how like
Google are successfully attacked.

~~~
StavrosK
What, the email account? If someone has access to your email, it's game over
right now anyway.

That said, please use Mozilla Persona instead.

~~~
Ryoku
Compromising one email account is easier than compromising several
credentials.

~~~
StavrosK
...I agree? It seems like you're saying that compromising your email account
right now won't allow anyone access to all the sites you've signed up with it,
which is pretty much incorrect.

~~~
Ryoku
Yes. But it also, I think, makes it easier to follow certain attack patterns
that are already known and commonly used.

For example, setting an email forwarder to an account an attacker controls in
most cases won't even be noticed. I think it opens more attack vectors than
the good it could do to have this kind of integration rather than just a
password manager.

Giving more control to a single manager (in this case an email account) also
means you will have to set greater security standards for it. For example, are
you going to type your password (which also controls all your accounts) to
your friend's, school's, airport's, etc's computer that could be infected?

Passwords are insecure? Of course they are insecure. That's why we are trying
to implement two factor authentication. But having 1 account with 2 factor
auth controlling 20 accounts with 1 factor auth isn't exactly helping. At all.

~~~
StavrosK
> For example, setting an email forwarder to an account an attacker controls
> in most cases won't even be noticed.

Setting a forwarder where? You can do that now too. It's exactly as safe as
what we have now.

> I think it opens more attack vectors than the good it could do to have this
> kind of integration rather than just a password manager.

I disagree. As long as you have password resets sent by email, whoever has
access to your email has access to your accounts.

> Giving more control to a single manager (in this case an email account) also
> means you will have to set greater security standards for it.

Again, that's _exactly what everyone already does_.

> For example, are you going to type your password (which also controls all
> your accounts) to your friend's, school's, airport's, etc's computer that
> could be infected?

No, I don't log in to my email from anywhere that's not my device, and it has
2fa enabled.

> having 1 account with 2 factor auth controlling 20 accounts with 1 factor
> auth isn't exactly helping. At all.

How is it not helping? Now you have all your accounts requiring two-factor
auth to log in, rather than just some of them. You also only have one server
to secure, which will presumably be run by people whose sole job is to secure
that server.

~~~
Ryoku
I'm glad you have a portable device which you can use to access your email.
Not every user does. But you're right. Please use and implement candy security
structures.

~~~
StavrosK
I feel like you didn't read anything I've written. You haven't even addressed
my main point, you just came in here and spewed FUD about this solution
without really discussing anything.

~~~
Ryoku
Well, I think we are talking about two completely different points and, per
your past response, that nothing I've said really makes sense to you. Of
course I think the solution is useful from a UX perspective, it's awesome. But
from a security point of view you are leaving all the security out in a single
layer and whenever that layer (single email address) fails, then there's
nothing left.

> How is it not helping? Now you have all your accounts requiring two-factor
> auth to log in, rather than just some of them. You also only have one server
> to secure, which will presumably be run by people whose sole job is to secure
> that server.

Yes, you are left with only one server to secure, and yes it is most likely
run by people who are good at it. But this is exactly why it's a good example
of candy security: As soon as you get past the first wall, there is nothing
else stopping you from getting access to everything. And you can't really
presume all users will have double auth activated, nor that they will be as
cautious with that single set of credentials will be.

~~~
StavrosK
Is it perfectly secure? No, but nothing is. Is it worse than what we have now?
No, it's not.

This is the question I'd like you to address: How is it less secure than what
we have now?

~~~
Ryoku
I think it is less secure because it centralizes all the security in one
single layer. AKA the email address you are using to handle the credentials.
Once you have access to that email, then you have access to everything.
Contrary to what happens now that at least raises more flags when your
accounts start getting password changes, etc.

------
mattupstate
No offense, but this isn't a new idea. I've built this feature into Flask-
Security, a Flask extension I maintain.

~~~
brent_noorda
No offense taken. I wasn't sure it was a new idea, just one that I had trouble
finding demonstrated anywhere. I couldn't find any simple web site
demonstrating just this one single idea, separated from a lot of other issues,
so I made this.

Flask-Security looks like a good solution to every new web site having to roll
their own code. BTW, It's not clear from Flask-Security that there is a no-
password option given that the user model has a password field required.

------
Xeoncross
For those that are interested, I got the ball rolling with email-based logins
by building [http://swiftlogin.com](http://swiftlogin.com). I was glad to see
the idea improved by Mozilla later that year and all the growth since then.

~~~
natch
lol, you got the ball rolling. I built a successful site that did this in
2003. I'm not sharing a link because I don't want to out my identity. But nice
work on putting up your source and promoting the idea.

------
wila
He/(she?) had more of a point if the website would have worked without having
to enable javascript for the meteor domain, not even reading it now.

~~~
icebraining
Meteor is a JS framework, and this page is running on their open hosting for
testing the framework, so that wouldn't make much sense.

~~~
wila
Ah OK I see, I guess you are right. Thanks for pointing that out.

------
gagege
This would have been relevant to me a year ago, before I started using <insert
password manager with browser plug-in here>.

------
ankit84
How do you solve first account problem? If this gets used by email hosting,
and I am creating my first email ID

------
anonymoushn
This just says "Error with that email address" for a gmail address.

~~~
brent_noorda
That was a problem in the meteor hosting site's number of free emails per day,
which broke quickly after this went high on HN. I've patched the meteor code
to fix that issue.

------
fophillips
"Error with that email address. Please try again"

------
blcknight
But...how do you get to your e-mail?

