

Log In or Create Account - shanecleveland
https://the-magazine.org/login
More info on Marco's site: http://www.marco.org/2013/02/24/the-magazine-sharing

I believe this and the way subscriptions are confirmed through the app are elegant solutions.
======
habosa
I applaud the attempt to move away from passwords, but this seems like a
pretty annoying solution. I don't want access to my email to be tied to my
access to "The Magazine". If I'm going to need to access some other service to
log in, I'd prefer a Google Authenticator style solution where my access code
is always a single click away from my phone's home screen. Maybe Marco/The
Magazine could use Google Authenticator and just accept any password as long
as the auth code is right, it seems like that would provide the same level of
security as this solution.

As a side note, wouldn't someone trying to gain access to my account result in
a deluge of password-link spam to my inbox? Or do they have some elegant
solution for that?

~~~
jader201
I think this is a big factor, and why I think this is a really bad UX. I've
actually considered this method of authentication in the past, but the only
thing this fixes is this site having to remember a password for you (and the
accompanying side effect of the vulnerability of your password being
compromised).

Now, the user not only has to hold onto the login email (or request a new
one), but they have to access that email _every_ time you use the site -- or,
bookmark the URL (yuck). Not to mention the issue if they're on another device
that doesn't have access to the email address.

This _may_ work as a secondary, optional method of authentication. But having
it as the _only_ method isn't a good UX.

------
tzs
Interesting. I did not make an account to try it out, so the following
suggestions are for this kind of scheme in general.

1. The mailed login link should be only good for a single use.

2. This should be handled as a service by a third party site (similar to the
way OpenID works). The mailed login link would link to the third party site,
which then redirects to the destination if the login is valid.

The idea behind #1 is that if someone gets into your email, they should not be
able to simply follow any old login links you've failed to delete. Best
practice would be to delete the mails as soon as you click the link, but
people will forget so the system should be designed with that in mind.

The idea behind #2 is that someone who gets into your email should not be able
to tell from your old login links where you have accounts. If he could, he
could simply go to those sites and make them initiate sending a new login
link.

3. When you tell a site to send you a login link, the site should assign a
random PIN to that login link and tell you (on the website) that PIN. The
login link validator site should require you to enter that PIN before
redirecting to the final destination site.

This is to prevent an intruder in your email from getting to an unused login
link before you do and using it.

------
desigooner
What if the email account has been compromised? Right now, having unique
passwords for each account allows me to compartmentalize access to my
accounts. In this case, the attackers would have one less thing to worry
about.

Also, is this behavior carried over to the mobile apps?

edit: Nevermind. I was not thinking right. Password resets, as pointed out by
many, are always possible with email access.

~~~
moonboots
Most existing accounts allow password resets via email, so email compromise
would also result in account compromise.

------
ghiculescu
Instapaper (also by Marco Arment) used to do a similar thing. Then this
happened: <http://blog.instapaper.com/post/2318776738>

Interesting to see he is giving it another shot. It looks like the new
implementation solves some of the problems brought up in that blog post.

~~~
dualboot
I have a feeling this is an initial marketing feature for him.

You pull in users who value the convenience and ease of signup and once you
reach critical mass the feature no longer yields the percentage of conversion
that makes/breaks your venture.

------
moeffju
This is neither a new pattern, nor does it seem to be executed in a
particularly interesting way. Am I blasé or am I missing something?

~~~
zevyoura
I haven't seen this before; what other apps/sites have used it?

~~~
durkie
craigslist? any time you want to post, you get a link that lets you
confirm/publish the post, or edit/delete the post.

~~~
zevyoura
That's an excellent comparison, but from my understanding there's not a
concept of ongoing users beyond the author of any individual post. Great
point, though, that seems like the highest-profile similar example.

------
mojuba
At first this seems to be no different from the password auth: both the
password method and the login URL method essentially implement the shared
secret scheme, and the rest are technical details.

Except the devil is in the details, as usual: passwords are (or should be)
kept and transferred in encrypted form, whereas with the login URL the shared
secret is exposed even if transferred over HTTPS.

Other than that, of course, it would be such a relief to dump passwords
altogether!

~~~
0x0
The URL isn't any more exposed than any password would be over HTTPS, that is
to say not at all unless you are being MITM'ed by someone who controls a CA in
your browser.

~~~
bpatrianakos
True, but there's still a way. Unless you've got HSTS enabled, most users, _if_
they manually type in the URL, will leave out the protocol altogether which
means the server needs to redirect you to https. That's no problem but there's
always the chance that someone can perform an https stripping attack and catch
the connection before the redirect occurs. Even with HSTS enabled the first
time a user does this they're still vulnerable as HSTS cannot be activated
until you have an initial https connection.

Chrome's HSTS list solves this but you have to make sure you send the Chromium
team an email to add you to the list and even then not everyone uses Chrome. I
had them add my app to the list recently which makes me feel warm and fuzzy
but it's not bulletproof.

In the end, yeah it's a real narrow edge case but as we all have been warned
and seen so many times here on HN, those edge cases, no matter how narrow,
often end up becoming real at some point. That's not to say I think it'll
happen, just saying there is a way.
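
The gap bpatrianakos describes above (a typed http:// URL goes out in the clear until the browser has either seen a Strict-Transport-Security header over HTTPS or carries the host in its preload list) is easiest to see from the browser's side. The following is an added example, not code from The Magazine or from any browser: an RFC 6797 header parser, a check of the header-side criteria the Chrome preload list publishes (the one-year minimum max-age, includeSubDomains and preload are stated here from the current hstspreload.org submission rules and are an assumption, as is the name `ONE_YEAR`), and a small model of a browser's HSTS cache showing which requests are upgraded before any packet leaves. Host names such as `app.example` are constructed for the demonstration.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000   # seconds; minimum max-age for preload submission (assumption, see lead-in)


class InvalidHsts(ValueError):
    pass


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1): directive
    names are case-insensitive, max-age is mandatory, no directive may repeat."""
    directives = {}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, value = raw.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise InvalidHsts(f"duplicate directive {name}")
        directives[name] = value.strip().strip('"') if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        raise InvalidHsts("max-age is required and must be a non-negative integer")
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def preload_eligible(header: str) -> bool:
    """Header-side preload criteria only; the list also requires an HTTP->HTTPS
    redirect, which a header alone cannot prove."""
    try:
        p = parse_hsts(header)
    except InvalidHsts:
        return False
    return p["max_age"] >= ONE_YEAR and p["include_subdomains"] and p["preload"]


class HstsStore:
    """Model of a browser's HSTS cache. Entries come from a header seen on an
    HTTPS response or from a preload list baked in at start-up. Until one of
    those exists for a host, a typed http:// URL goes out in the clear and an
    on-path proxy can answer before the server's redirect to https."""

    def __init__(self, preloaded=(), now=time.time):
        self._now = now
        # host -> (expiry timestamp or None for preloaded, includeSubDomains)
        self._entries = {h.lower(): (None, True) for h in preloaded}

    def observe(self, host: str, response_scheme: str, header: str) -> None:
        # RFC 6797 section 8.1: the header only counts on an HTTPS response,
        # otherwise a stripping proxy could plant or clear policy itself.
        if response_scheme != "https":
            return
        try:
            p = parse_hsts(header)
        except InvalidHsts:
            return
        host = host.lower()
        if p["max_age"] == 0:
            self._entries.pop(host, None)          # max-age=0 withdraws the policy
        else:
            self._entries[host] = (self._now() + p["max_age"], p["include_subdomains"])

    def _known(self, host: str) -> bool:
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at is not None and self._now() > expires_at:
                del self._entries[candidate]       # expired policy is forgotten
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """The URL the browser actually fetches: upgraded before any packet
        leaves if the host is known, unchanged (and exposed) otherwise."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._known(parts.hostname or ""):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```

The first `rewrite` of an unknown host is the stripping window: nothing in the browser changes the scheme, so the request reaches the network as plain HTTP. A header observed over plain HTTP is deliberately ignored, and a preloaded host is upgraded on the very first visit, which is the only thing that closes that window.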

~~~
0x0
The same attack you're describing could easily be used to steal a password-
based login, too.

~~~
bpatrianakos
Right, but that's not the point. I'm not trying to say this passwordless login
is flawed or worse than password based login. I just saw a flaw that stuck out
and pointed it out. Nothing more.

------
jere
I do something similar for a small message board used by about 10 friends that
has a shared password. All you do is look in your email for the link or
bookmark and use the bookmark to log in.

It might seem strange, but some people probably prefer it this way. If your
app has a reset password link that grants a session, some percentage of users
are going to use reset links pretty much exclusively to get into the app.

------
Goopplesoft
This kind of thing is what inspired me to use Google Authenticator's time-based
OTPs and try to make a service out of it (shameless plug:
<http://www.gauthify.com>). I think there's a solid benefit to be gained from
OTPs in a login setting since they're rotated, not memorized, and random.

~~~
zackboe
I built this one night as a sort of example for GAuthify. Real simple, just
checks a user's email against a database, retrieves their unique GAuthify ID,
and checks that against the GAuthify API.

<http://zackboehm.com/dev/gauthify-phplogin/>
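
habosa's suggestion higher up (accept the login as long as the Google Authenticator code is right) and the GAuthify check zackboe describes both come down to verifying a TOTP. The block below is an added example, not GAuthify's, zackboe's or The Magazine's code: HOTP per RFC 4226, TOTP per RFC 6238 (SHA-1, 30-second step, six digits, which is what Google Authenticator produces), and the server-side verifier a site would run. The one-step skew window and the rule that a step at or before the last accepted one is refused (so a code sniffed in transit cannot be replayed within its 30-second life) are design choices of this example; the secret `12345678901234567890` in the demo line is the RFC 6238 test-vector key.

```python
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer reduced to the requested number of digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with T0 = 0: the counter is the number of elapsed steps."""
    return hotp(key, at // step, digits)


class TotpVerifier:
    """Server-side check with a +-1 step window for clock skew. Any step at or
    before the last one accepted for a user is refused, which blocks replay of a
    code that was observed while it was still valid."""

    def __init__(self, now=time.time, step: int = 30, window: int = 1):
        self._now, self._step, self._window = now, step, window
        self._last_step = {}          # user -> last accepted step counter

    def verify(self, user: str, key: bytes, code: str) -> bool:
        current = int(self._now()) // self._step
        for delta in range(-self._window, self._window + 1):
            step = current + delta
            if step <= self._last_step.get(user, -1):
                continue              # already consumed (or older than one that was)
            if hmac.compare_digest(hotp(key, step), code):
                self._last_step[user] = step
                return True
        return False


if __name__ == "__main__":
    rfc_key = b"12345678901234567890"   # RFC 6238 test-vector secret
    print(totp(rfc_key, 59), totp(rfc_key, 1111111109))   # 287082 081804
```

Storing the last accepted step per user is the part most home-grown verifiers leave out; without it the window that tolerates skew also tolerates a second use of the same code.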

------
gkoberger
This would work if your email address was somehow tied to your browser for
"remote logins" (via native implementation? add-on?), and a little popup just
showed up.

Or, I think a mobile version where you got a text would work (since typing on
a little screen is harder than opening a notification).

Otherwise, it seems worse than passwords.

~~~
mjschultz
Your mobile device has email, right? Mine does. You'd just type your email
into the site on mobile, then get the link for your device's browser. You'd
have to type email, app switch, then click the link. I don't think that is too bad
actually.

------
0x0
Brilliant!

In fact - it's probably more secure than a normal password scheme! No password
hash database to be stolen, no brute force attacks to dodge, no chance of your
account being compromised without noticing because you'll get an email if
someone tries anything (assuming the cookie is safe and SSL'ed)

------
opminion
This is so obviously useful (it simply skips a few steps in my almost weekly
"forgot my password" routine) that there must be a reason why it is not more
widespread...

~~~
rafd
It's not widespread because it adds extra steps for those who do remember
their password (switch tab, wait for email, open email, click link), or for
those who don't have their email client open (go to gmail.com, log in, open
email, click link).

Marco's audience likely reads the magazine from within the app (where the
practice is to keep the user logged in indefinitely) or they always have their
email client open.

------
Kylekramer
Seems to be punting a lot of the security responsibilities regarding the
Magazine to the user and email provider. Clever, but perhaps too clever by
half.

~~~
lwat
I don't see how this is any different to every site with a 'reset my password'
link

~~~
Kylekramer
And I have the same opinion of those sites whose only security is sending
reset links to a user's email. But at least with those you don't have to hop
back and forth between your email and the site anytime you use a different
device or browser.

------
Sujan
How does it work?

~~~
Anonymous09
When you enter your e-mail, you receive a message such as...

---

Log into The Magazine by opening this link:

<https://the-magazine.org/login/8LvjumLKwNXeBX2zDkxZGuDixUzds01SAwlUPksK>

This link will expire after an hour and can only be used once. To log into
multiple browsers, send a login request from each one.

---

It works well, they click the e-mail link, and it saves a cookie to log them
in. I think it's a decent solution. It comes down to preference, would you
rather type in a password, or click a link e-mailed to you. At times, I have
complex passwords, so they take a while to type, and other times, I'd rather
type in a password, than access my e-mail on a computer or network of
questionable security.

In the end, passwords need to change, and I think in the future they'll
disappear. We need smart cards or something along those lines. Click the login
button, pass the card over your phone or computer, and you're instantly logged
in. The card remains in your wallet like any other.

~~~
ypeterholmes
I'm missing something. What happens when you come back?

~~~
mjschultz
I would assume the cookie is still valid and you're authenticated, or you type
the email address and you get a fresh token.
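
The e-mail Anonymous09 quoted (a link that expires after an hour and works once, a cookie set when it is opened, one request per browser) and the scheme tzs sketched earlier in the thread (links that are single-use, plus a PIN shown on the web page so that an intruder in the mailbox cannot use a link before its owner does) fit into one small server-side model. The block below is an added example and not The Magazine's code: the host name `magazine.example`, the three-attempt PIN limit, the hashed token storage and the method names are all assumptions of this example, and tzs's point #2 (a third-party validator site) is not modelled. It also shows what mjschultz describes for coming back: the cookie, not the link, is what the return visit presents.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

LINK_TTL = 3600           # "This link will expire after an hour" (from the quoted e-mail)
MAX_PIN_ATTEMPTS = 3      # assumption: burn the link after a few wrong PINs
LOGIN_URL = "https://magazine.example/login/"   # hypothetical host, URL shape as in the e-mail


@dataclass
class Pending:
    email: str
    pin: str              # shown only on the page that requested the link, never mailed
    expires_at: float
    attempts: int = 0
    used: bool = False


class MagicLinkLogin:
    """Server side of an e-mailed login link. Only sha256(token) is kept, so a
    leaked table does not yield usable links; the raw token exists only in the
    URL that goes out by mail."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}    # sha256(token) -> Pending
        self._sessions = {}   # cookie value -> email

    @staticmethod
    def _lookup_key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_link(self, email: str):
        """Called by the web form. Returns (link to e-mail, PIN to show on the page)."""
        token = secrets.token_urlsafe(32)               # 256 bits, unguessable
        pin = f"{secrets.randbelow(10**6):06d}"
        self._pending[self._lookup_key(token)] = Pending(email, pin, self._now() + LINK_TTL)
        return LOGIN_URL + token, pin

    def redeem(self, link: str, pin: str):
        """Called when the mailed link is opened in a browser. Returns the value
        for a session cookie, or None. The link dies after one success, after one
        hour, or after too many wrong PINs (so a 6-digit PIN cannot be brute-forced)."""
        token = link[len(LOGIN_URL):] if link.startswith(LOGIN_URL) else link
        rec = self._pending.get(self._lookup_key(token))
        if rec is None or rec.used or self._now() > rec.expires_at:
            return None
        rec.attempts += 1
        if not hmac.compare_digest(rec.pin, pin):
            if rec.attempts >= MAX_PIN_ATTEMPTS:
                rec.used = True
            return None
        rec.used = True                                   # single use
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = rec.email
        return cookie

    def whoami(self, cookie: str):
        """Coming back: the browser presents the cookie, no new link is needed."""
        return self._sessions.get(cookie)

    def logout(self, cookie: str) -> None:
        self._sessions.pop(cookie, None)
```

Two of tzs's points fall out directly: a link found later in the mailbox is dead because the record is marked used, and a link found before the owner opens it is useless without the PIN that was only ever displayed in the requesting browser. The attempt cap is what makes a six-digit PIN adequate; without it the PIN is a formality.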

------
quarterto
Reminds me of the old Instapaper login model. Of course, that too was Marco
Arment. I guess he hates traditional logins.

