
Show HN: Byepass – Eliminating Passwords - dommm
https://byepass.co/?ref=hn
======
dzwillia
Hi there!

This seems like an interesting concept. Signing into your app via the link in
the email does a good job of showing the concept of what you're working on.
Your app also has a nice look-and-feel to it.

Couple of thoughts/questions for you:

1) Once I was logged into your app, it was unclear to me what my next step
was... I saw "New App" under "Developers", but I wasn't sure what I was
supposed to do there.

2) Is your app meant for the end user or website/app creators? Who benefits
from using your service? I'm a website/app creator and I don't know why I
would want to outsource the one thing that makes my users feel secure when
coming to our app?

3) While forgetting a password is massively annoying, there is a small sense
of "security" I feel in that I had to type something in to access a website

4) With the proliferation of services like LastPass and 1Password, how are you
going to go about convincing users that are using those services? (these
services do a pretty good job of removing much of the pain of having to
remember a password)

5) Seems like SSO via FB, Google, GitHub and the like are pretty convenient to
users already -- is there a benefit/upside that your service provides that
these SSO services don't?

It seems like this would be something where you'd need a large number of
companies to have buy-in to what you're doing in order to add your form to
their website. It seems like you'd need to have some hook there to get
critical mass of widely-used websites to adopt your sign in/sign up form.

Look forward to hearing your thoughts and seeing where your service goes from
here!

~~~
dommm
Thanks, and great points:

1) Once I was logged into your app, it was unclear to me what my next step
was... I saw "New App" under "Developers", but I wasn't sure what I was
supposed to do there.

It is really there for developers to "Create an app". From a consumer's point
of view, if they did wish to login to the Byepass console, they can see/kill
their live sessions (across all websites using Byepass), login stats, and
delinking MFA credentials.

2) Is your app meant for the end user or website/app creators? Who benefits
from using your service? I'm a website/app creator and I don't know why I
would want to outsource the one thing that makes my users feel secure when
coming to our app?

Byepass is designed to be a service incorporated by websites/apps, it isn't a
consumer tool. Passwords are so broken, we register with an email address,
then are allowed to login with some string of characters and not re-verify our
email. We see password leak after leak, and then all the annoyances of
forgotten passwords, which cause 30% of all online sales to be abandoned
(actual Mastercard & Oxford uni study stat). Passwords are not secure, you are
storing your keys in someone else's vault and you have no idea how secure it
is, are they storing it in plain text? md5? etc???

Byepass adds a layer of security, and removes the old insecure passwords.
Passwords are just what we are used to, that's why we think they are secure,
because they are familiar. This can change.

3) While forgetting a password is massively annoying, there is a small sense
of "security" I feel in that I had to type something in to access a website

a) did you type it? or was it saved by browser/password manager etc... b)
again this is just what we are accustomed to do, this can be retrained.

4) With the proliferation of services like LastPass and 1Password, how are you
going to go about convincing users that are using those services? (these
services do a pretty good job of removing much of the pain of having to
remember a password)

The fact these services exist just proves how broken passwords are. Consumers
are literally flocking to download apps or use services that avoid them having
to use a password. By not using the password at all, they are circumventing
the actual security check the password is there for; and this could be fixed
for all by not having a password and replacing it with better tech.

5) Seems like SSO via FB, Google, GitHub and the like are pretty convenient to
users already -- is there a benefit/upside that your service provides that
these SSO services don't?

Yep, every one of those services requires you to have a profile/account with
them. It doesn't make sense to force people to use a 3rd-party service/company
before they can access yours. Byepass doesn't require registration of users,
it simply acts as an authentication layer to confirm the user is authorised
against a given identifier/s.

------
jamieweb
This looks interesting, it's a bit like how Medium handles logins IIRC.

One issue I see is the fact that people have to click links in emails. With
the current state of phishing/spam/scams it is good practice to _never_ click
links, so encouraging users to click as part of the authentication process
seems a bit risky.

Perhaps there could be a user or site configurable option to receive a 'magic
password' rather than a link?

