
Cierge – passwordless authentication - zeveb
https://pwdless.github.io/Cierge-Website/
======
esdott
Very cool. The magic link/email address as a ready made authentication
platform feels very comfortable from a usability perspective. I’m curious if
the venerable crowd here at HN has experienced any downsides to this approach.
Are we (over)extending a notoriously easy-to-pwn target in email by using
this approach? Or is it just considered the same level of security as say a
normal user/pass setup? I know zeit uses it for their system and that’s a
gateway to applications/websites/micro services/etc. I have to say that I like
using it because it’s so easy but I’m not sure what the implications could be
in aggregate.

Edit: changed a word for clarity.

~~~
croon
Premise: I just bought a Shield so I could start using Netflix on my TV (they
still don't have an installable application for my old HTPC).

On topic: I generate all my passwords (variable length 30+ characters), and to
log into both the Shield and (as a family account) my wife's phone, I had to
type (or copy/send) the entire password in using a directional remote or a
phone keyboard. No magic email link, no netflix.com/auth request, no PIN
number, no personal wife account that I could include into my family plan.

Passwordless solutions can't come soon enough. The email route is fine for me,
though I'm sure there could be better solutions too.

~~~
IanCal
Netflix is one of the few things I've seen that supports google's Smart Lock
for signing in. If I'm signed into the same account on my Shield as I use on
my laptop, the signin is automatic for me.

------
Tomte
This is basically the same as (but quite a bit more powerful than) the auth
system that The Magazine used back then (enter mail address, get a link, click
and have cookies set). I loved that and wish more sites would do something like
that.

And from the view point of a site owner it's even better: you don't handle
passwords anymore. Passwords that many users share among several sites. So you
won't be responsible for really, really keeping them secure. Because you don't
have them.

Additionally, mail providers and browser vendors have much more security
knowledge than pretty much everyone offering a web service.

~~~
dozzie
I hate this workflow. I need to copy-paste the URL from terminal to browser.
Even if I used a webmail, I would need to constantly go there and search for a
new mail every time I'm logging in instead of having the login form filled on
my request.

~~~
Tomte
You are doing this once per device, every n days, with n typically at least
90, possibly more. Your login form consists of a single field for your mail
address which is autocompleted. I really do not see your point.

~~~
dozzie
> You are doing this once per device, every n days

...with n being 2, and sometimes even 0.3. There are few services where I
would want to stay logged in.

------
jnwatson
I never want my social media connected to other sites, and I never use the
same email address for different sites.

How would this ever work for me?

~~~
jarcane
dude, how many fucking email addresses do you have then?

~~~
phlo
Not OP, but I do the same thing using wildcard addresses on a domain I own. I
might use hn@my.domain for Hacker News, amzn@my.domain for Amazon and so on.

Foregoing the custom domain, some email providers also let you add tags to
your address (e.g. your_address+tag@gmail.com). I'm aware of some people who
use that functionality to have unique email addresses for each service.

~~~
piotrkubisa
I also use this method. Thanks to it I usually can check if an e-mail was
automated, and also I am not disturbed by e-mails with social media
notifications, shop promos or marketing spam during work. Also some e-mail
providers allow you to create many e-mail aliases which share the same inbox.

------
kelvin0
I am not sure I understand how it works from a user's perspective. I log in
(using only an email), receive an email with a 'magic link' and this directs
me to my authenticated account?

If that is so for the user, how does it work for the site owner? Cierge calls
my site and requests a login from a given email, then the site backend
conjures a URL which Cierge will use to create the magic link sent back to the
user?

It would be very helpful to better understand if they explained the workflow
for users and site owners.

If anyone can help me understand this and how it's better than OAuth (logging
in with FB, Google...) I would be grateful.

~~~
TheGrumpyBrit
As far as I can tell, it's exactly the same as the password + one time code
approach to 2FA...except without the password. Effectively the same as using
Google Authenticator alone instead of in combination with a password.

------
iovrthoughtthis
I always wanted to do this. Glad someone did!

------
PinguTS
Services which use this kind of login do not work for me.

First: email is not a reliable way of communication. Emails can be delayed.
That means a service using this method has lost me before I even had a chance
to look into the details of the service.

Second: my email is deliberately delayed for services who contact me first. It
is called Greylisting and still to this day it works great as spam
protection without consulting and relying on some (dubious) blacklist
providers. That comes back to the first point. A service using this kind of
on-boarding has lost me before I even had a chance to look at it.

~~~
madjam002
How does this work when you sign up to a new service and they send an email
confirmation to verify your email? Surely it’s a similar situation?

~~~
PinguTS
Many services require email confirmation, that is right. But this is not
required immediately. I can do this hours later. Some services even allow you
to do it days later.

~~~
madjam002
Yeah fair enough. I’ve never used Greylisting before, is there not some folder
you can go to to view the emails which have been deleted due to first contact?
Like the spam folder or something?

~~~
stephenr
That isn't how greylisting generally works, no.
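To make the mechanism PinguTS and stephenr are describing concrete, here is a minimal greylist written for this thread; it is an added example, not code from Cierge or from any real MTA (Postgrey, etc.). The receiving mail server keys on the triplet (client IP, envelope sender, envelope recipient): a never-seen triplet gets an SMTP 451 temporary failure, a retry after a minimum delay is accepted, and the triplet is then remembered so later mail passes immediately. The delay values and lifetimes below are assumptions chosen for the example. Note what is not there: no copy of the message is ever stored on the receiving side, since the sending server still holds it and is told to try again, which is why there is no spam-style folder to look in. It also shows why a magic-link mail with a short code lifetime can arrive too late on first contact.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# (client IP, envelope sender, envelope recipient) -- the classic greylist key
Triplet = Tuple[str, str, str]

# All three values are assumptions for this example, not any MTA's defaults.
MIN_RETRY_DELAY = 5 * 60            # retries sooner than this are still deferred
PENDING_LIFETIME = 4 * 3600         # a triplet that never retries is forgotten after this
WHITELIST_LIFETIME = 36 * 24 * 3600 # a triplet that passed once stays trusted this long

DEFER = (451, "4.7.1 Greylisted, please try again later")
ACCEPT = (250, "OK")


@dataclass
class Entry:
    first_seen: float
    last_seen: float
    passed: bool


class Greylist:
    """Decides, per SMTP RCPT, whether to defer (451) or accept (250) a delivery attempt."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now              # injectable clock so the behaviour can be tested
        self._entries: Dict[Triplet, Entry] = {}

    def check(self, client_ip: str, sender: str, recipient: str) -> Tuple[int, str]:
        now = self._now()
        key: Triplet = (client_ip, sender.lower(), recipient.lower())
        entry = self._entries.get(key)

        # Forget stale state: an abandoned first contact, or a whitelist entry past its lifetime.
        if entry is not None:
            lifetime = WHITELIST_LIFETIME if entry.passed else PENDING_LIFETIME
            if now - entry.last_seen > lifetime:
                del self._entries[key]
                entry = None

        # First contact: record the triplet and ask the sending MTA to retry.
        # Nothing about the message itself is kept; the sender still holds it.
        if entry is None:
            self._entries[key] = Entry(first_seen=now, last_seen=now, passed=False)
            return DEFER

        entry.last_seen = now
        # A real MTA retries; the retry is accepted once the minimum delay has elapsed.
        if entry.passed or now - entry.first_seen >= MIN_RETRY_DELAY:
            entry.passed = True
            return ACCEPT
        return DEFER     # retried too quickly: keep deferring

    def tracked(self) -> int:
        """Number of triplets currently remembered (pending or whitelisted)."""
        return len(self._entries)


if __name__ == "__main__":
    # Constructed sample: a login-mail sender contacting a greylisting recipient for the first time.
    clock = {"t": 1_700_000_000.0}
    gl = Greylist(now=lambda: clock["t"])
    print(gl.check("198.51.100.7", "login@service.example", "me@my.domain"))   # deferred
    clock["t"] += MIN_RETRY_DELAY
    print(gl.check("198.51.100.7", "login@service.example", "me@my.domain"))   # accepted on retry
```

The first delivery is always deferred by at least `MIN_RETRY_DELAY` plus whatever retry interval the sending MTA uses, which is exactly the delay that makes a time-limited login mail miss its window on first contact; a service that first sends a confirmation mail that can be acted on hours later does not have that problem.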

------
gregman1
Cierge means a votive candle in French.

Also, using dotnet for things that are supposed to run on a server still makes
me uncomfortable.

But I will try and I hope to change my opinion on projects like that.

~~~
DominikD
I'd argue that .NET on the server is the only valid scenario. ;) ASP.NET has a
pretty good security track record (10 CVEs in 14 years of existence with the
most recent ones in 2010) and the entire stack (compiler, core libraries,
ASP.NET core) is now open source.

~~~
ddlsmurf
It's not the open source stack that has that track record though.

~~~
merb
It wouldn't be the best record if it had 10 critical CVEs since its
release.

------
chmike
> Cierge uses magic links/codes and external logins to authenticate your
> users.

Could someone explain how the "magic links/codes" work?

~~~
spondyl
I presume it's the same idea as Slack uses, where they email you a link that
you visit. It's similar to verifying your email address for most services you
sign up with. That's not literally how it works though, just functionally.
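For kelvin0's and chmike's question about how the "magic links/codes" actually work server-side, here is one concrete implementation, added for this thread; it is not Cierge's code (the maintainer says below that Cierge is stateless, so its internals differ; this version keeps a server-side store, which is an assumption of the example), and the lifetimes, attempt cap and URL shape are all made up for illustration. The flow is the one spondyl and TheGrumpyBrit describe: the user submits only an email address, the service mints a high-entropy secret, stores only its hash with an expiry, and emails a link (or a short code) containing the secret; presenting it proves control of the inbox and consumes the entry, so the link is single-use. The short-code variant shows the edge case that a 6-digit code, unlike a 256-bit token, can be guessed online and therefore needs an attempt cap.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Assumed values for this example, not Cierge's configuration.
LINK_TTL_SECONDS = 15 * 60   # a 256-bit link token lives 15 minutes
CODE_TTL_SECONDS = 5 * 60    # a 6-digit code lives 5 minutes
CODE_MAX_ATTEMPTS = 5        # 6 digits are guessable online, so wrong guesses are capped


@dataclass
class Pending:
    email: str
    secret_hash: bytes            # only the hash is stored; a leaked table yields no usable secrets
    expires_at: float
    attempts_left: Optional[int]  # None = unlimited (link tokens), int = capped (short codes)


class MagicLoginService:
    """Issues single-use email login links/codes and verifies them (added example)."""

    def __init__(self, base_url: str, now: Callable[[], float] = time.time) -> None:
        self._base_url = base_url.rstrip("/")
        self._now = now                          # injectable clock for testing expiry
        self._pending: Dict[str, Pending] = {}   # login_id -> Pending

    @staticmethod
    def _hash(secret: str) -> bytes:
        return hashlib.sha256(secret.encode("utf-8")).digest()

    def _issue(self, email: str, secret: str, ttl: int, attempts: Optional[int]) -> str:
        login_id = secrets.token_urlsafe(16)     # public handle; carries no authority on its own
        self._pending[login_id] = Pending(
            email=email.strip().lower(),
            secret_hash=self._hash(secret),
            expires_at=self._now() + ttl,
            attempts_left=attempts,
        )
        return login_id

    def request_link(self, email: str) -> str:
        """Step 1 (link flavour): returns the URL the service would email to `email`."""
        token = secrets.token_urlsafe(32)        # 256 bits of entropy: online guessing is infeasible
        login_id = self._issue(email, token, LINK_TTL_SECONDS, attempts=None)
        return f"{self._base_url}/auth/verify?id={login_id}&token={token}"

    def request_code(self, email: str) -> Tuple[str, str]:
        """Step 1 (code flavour): returns (login_id, code); the code is what gets emailed."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        login_id = self._issue(email, code, CODE_TTL_SECONDS, attempts=CODE_MAX_ATTEMPTS)
        return login_id, code

    def verify(self, login_id: str, secret: str) -> Optional[str]:
        """Step 2: returns the authenticated email on success, None otherwise."""
        pending = self._pending.get(login_id)
        if pending is None:
            return None                          # unknown, already used, or burned
        if self._now() > pending.expires_at:
            del self._pending[login_id]
            return None                          # expired
        if pending.attempts_left is not None:
            pending.attempts_left -= 1
        # Constant-time comparison of hashes avoids leaking a prefix match via timing.
        if hmac.compare_digest(pending.secret_hash, self._hash(secret)):
            del self._pending[login_id]          # single use: consumed on success
            return pending.email
        if pending.attempts_left is not None and pending.attempts_left <= 0:
            del self._pending[login_id]          # too many wrong guesses: burn the code
        return None


def parse_link(url: str) -> Tuple[str, str]:
    """Splits an emailed link back into (login_id, token), as the verify endpoint would."""
    query = parse_qs(urlparse(url).query)
    return query["id"][0], query["token"][0]


if __name__ == "__main__":
    svc = MagicLoginService("https://example.test")
    link = svc.request_link("alice@example.com")   # constructed sample address
    print("would email:", link)
    login_id, token = parse_link(link)
    print("first use :", svc.verify(login_id, token))   # alice@example.com
    print("second use:", svc.verify(login_id, token))   # None, link already consumed
```

Compared with a password form, nothing secret is ever stored in reusable form: the table holds hashes of short-lived, single-use secrets, which is the point Tomte makes above about no longer being responsible for users' shared passwords.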

------
desireco42
The idea is fantastic; it is not quite new, but still great. However, the
implementation is very flawed. One site is where I am logging in, another is
where I am entering the code, and the email with the code arrives from a third
site. This is just bad to do like this.

What I would suggest: rewrite and organize everything and come back. Otherwise
a solid idea.

~~~
biarity
Cierge is stateless so it doesn't matter if you have 100 login tabs open,
it'll always work - and once the code is entered it is automatically
invalidated.

------
rasengan
This seems less secure.

This reminds me of slack. The point of a password AND an email is that it will
essentially make it "two factor". With email only you are no longer two
factor.

Once your email is hacked, you will be globally owned. No password required -
they just need to send a simple phishing site to collect your email password.

You’ll also need to logon to your email to access whatever site which means
whatever keylogger is installed on whatever computer you use in some public
place will also be a threat.

Hope this helps.

~~~
matharmin
> Once your email is hacked, you will be globally owned.

This is also true for 99% of online services that have a "forgot password"
function that uses your email address. If your site is in the 1% that needs
stronger security, then don't use this.

> You’ll also need to logon to your email to access whatever site which means
> whatever keylogger is installed on whatever computer you use in some public
> place will also be a threat.

Valid point, but it's an edge case that's not applicable to most people. The
most common use for a public computer is probably checking email. Even
that happens less these days, with people just using their phones + public
WiFi instead.

~~~
hoffs
That's the point that I see as well. It's like if they get your email they
will be able to get your user/password account anyways. So this seems like a
decent way of getting rid of the password.

~~~
rasengan
When user passwords are used for security, proper services have additional
questions (in other words 2FA) to reset your password by email.

~~~
WorldMaker
Additional questions are bonus passwords. They are _not_ 2FA.

