
[Ask / show] Go passwordless - fabien-h
https://blog.wax-o.com/2018/08/authentication-ditch-the-username-and-go-passwordless/
======
fabien-h
Hi HN. I've been working on passwordless recently and I was super proud of my
innovation (until I realised that this had already existed for a while...). I want
to know if there are other users around and if they can give some feedback.

Especially if you work with sessions. I work fully stateless for authentication
and maybe I'm missing some obvious issues.
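For readers wondering what a stateless link-in-the-mail token looks like in practice, here is an added example (not code from the original post or from the linked blog). It assumes a server-side HMAC secret (a constructed placeholder here), puts the e-mail address, an expiry and a random nonce in a signed, URL-safe token, and shows the one place where pure statelessness breaks down: rejecting a link that has already been clicked needs a small store of used nonces, otherwise a token leaked from a mailbox stays valid until it expires.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed placeholder; a real deployment loads this from a secret store.
SERVER_SECRET = b"replace-me-with-32-random-bytes-from-a-secret-store"

# Magic links should be short-lived; 15 minutes is a common choice.
DEFAULT_TTL_SECONDS = 15 * 60


def _b64encode(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token can sit in a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    """Inverse of _b64encode; restores the padding base64 requires."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email: str, now: int, ttl: int = DEFAULT_TTL_SECONDS,
               secret: bytes = SERVER_SECRET) -> str:
    """Build a signed, self-describing token for a login link.

    `now` is passed in (Unix seconds) rather than read from the clock so the
    function is deterministic and easy to test.
    """
    payload = {
        "email": email,
        "exp": now + ttl,
        # Random nonce makes every token unique and gives us a single-use key.
        "nonce": secrets.token_hex(16),
    }
    body = _b64encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    signature = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64encode(signature)}"


def verify_token(token: str, now: int, used_nonces: set,
                 secret: bytes = SERVER_SECRET):
    """Return the e-mail address if the token is genuine, unexpired and unused.

    `used_nonces` is the one piece of server state a stateless design cannot
    avoid if clicked links must not be replayable. Returns None on any failure;
    the checks deliberately give the caller no hint about which one tripped.
    """
    try:
        body, signature = token.split(".", 1)
    except ValueError:
        return None

    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak signature bytes.
    if not hmac.compare_digest(_b64decode(signature), expected):
        return None

    try:
        payload = json.loads(_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None

    if now > payload["exp"]:
        return None
    if payload["nonce"] in used_nonces:
        return None  # already clicked: replayed link

    used_nonces.add(payload["nonce"])
    return payload["email"]


if __name__ == "__main__":
    used = set()
    t = make_token("alice@example.com", now=1_000_000)
    print("first click :", verify_token(t, now=1_000_060, used_nonces=used))
    print("second click:", verify_token(t, now=1_000_061, used_nonces=used))
```

The signature covers the whole encoded payload, so changing the e-mail address or pushing the expiry forward invalidates the token without the server storing anything per token. What the server must still remember is the used-nonce set (or an equivalent such as a per-user "last login link issued" counter), and that is exactly the kind of session-adjacent state the original post asks about.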

~~~
Freak_NL
You could have a look at how the link-in-the-mail authentication was received
on Tumblr. There are bound to be lots of responses and insights to be found on
so large a platform.

They started out with a login form that said that a link was mailed to you,
but that you could also log in with a password by clicking a button.

Now that has been changed to a login form where a choice between link-in-the-mail
and password-based is offered in the form of two buttons.

I would guess they did this because it is really annoying to keep getting
emails sent to you, despite wanting to log in with a password (it annoyed me!).

Ultimately, you will have to figure out if your audience is willing to put up
with the extra friction you are introducing. The password managers in the
browser make logging in with a username and password trivial; having to go to
a mail application, click the appropriate email, click the link, and delete
the email, is more work than clicking in the username field and selecting the
username from the dropdown box provided by the browser, which fills in the
password as well.

Also, you are not adding any security per se, because you are delegating it to
the user's email provider.

~~~
fabien-h
Yes, user acceptance is a really big deal. I'm not sure how to tackle that.
I guess that if the users had the option before and don't have it now, they'll
complain.

And when I think about the way you log in to Slack...

"Also, you are not adding any security per se, because you are delegating it
to the user's email provider."

I think I do. In my case, I need an email and a way to recover the password.
So, if the user's email account is compromised, the account on my website is
compromised too. Anything I do will only add potential breaches to the ones
already existing in the user's email provider, not fix them.

