
Can we just be done with passwords? - arturgrigio
I am a developer, and I've been doing this for a living for the past 6 years.

I am tired of having to write authentication models where you take in UN + PW, then send them a TXT with a 6-digit code, to issue a session. And every password needs to be salted and encrypted. And every time someone logs in, I have to do this expensive hash to matching check.

Why can't we just take out the password?

Want to log in... Great!
Step 1) Put in your Email/Username
Step 2) Click continue
Step 3) We just sent you a 6-digit alphanumeric code (that expires in 1 min), enter it.

As a user, why should I have to remember (or in my case use 1Password for) every password? I know people that write it in TXT docs or on pieces of paper because it's too much for them.
And as a developer, why should I worry about handing this VERY sensitive information about my client?

There are some security concerns here, in the form of brute forcing. Here is a quick solution: allow each code to be entered twice, then force a re-send of the code. Exponentially throttle after the 1st resend.

And here is some quick, back of the napkin math (so correct me if I'm wrong), but given [a-Z] and [0-9], we have 26 + 10 possible choices (I'm making this case insensitive).
Probability that someone can brute force it will be:

1/36^6 + 1/(36^6-1) = 1/2176782336 + 1/2176782335 = 9.1878732e-10

Am I crazy for thinking this?
Is there a reason why devs don't do this?
Is there something I'm missing about this model's security?
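The flow described above (one code per identifier, two tries, forced re-send, exponential throttle after the first resend, 1-minute expiry), as an added example that is not code from the post. The in-memory store, the HMAC server key and the 30 s base backoff are my assumptions; codes are stored only as keyed digests so a leaked table cannot be brute-forced offline.

```python
import hashlib, hmac, secrets, string, time

ALPHABET = string.ascii_uppercase + string.digits   # case-insensitive [A-Z0-9]
CODE_LEN, TTL_SECONDS, MAX_TRIES, BASE_BACKOFF = 6, 60, 2, 30
SERVER_KEY = b"constructed-demo-key-not-for-production"  # constructed; keep out of the DB in real use


def guess_probability(tries=MAX_TRIES, space=len(ALPHABET) ** CODE_LEN):
    """Chance of hitting a uniformly random code within `tries` guesses of one code."""
    return sum(1 / (space - i) for i in range(tries))


class OtpLogin:
    """Email/username -> short-lived code, two tries per code, exponential resend throttle."""

    def __init__(self, now=time.time):
        self.now = now
        self.state = {}  # identifier -> {digest, expires, tries, resends, next_send}

    def _digest(self, identifier, code):
        # Keyed hash: a leaked table of digests cannot be brute-forced offline over 36^6 codes.
        return hmac.new(SERVER_KEY, f"{identifier}:{code.upper()}".encode(), hashlib.sha256).digest()

    def send_code(self, identifier):
        """Issue a fresh code and return it for delivery; raise if the identifier is throttled."""
        s, t = self.state.get(identifier), self.now()
        if s and t < s["next_send"]:
            raise RuntimeError(f"throttled; retry in {s['next_send'] - t:.0f}s")
        resends = s["resends"] + 1 if s else 0
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self.state[identifier] = {
            "digest": self._digest(identifier, code), "expires": t + TTL_SECONDS,
            "tries": 0, "resends": resends,
            # first resend is free; from then on the wait doubles: 30s, 60s, 120s, ...
            "next_send": t + (BASE_BACKOFF * 2 ** (resends - 1) if resends else 0),
        }
        return code

    def verify(self, identifier, code):
        """True exactly once for a correct, unexpired code; void after MAX_TRIES misses."""
        s, t = self.state.get(identifier), self.now()
        if not s or t > s["expires"] or s["tries"] >= MAX_TRIES:
            return False
        s["tries"] += 1
        if hmac.compare_digest(s["digest"], self._digest(identifier, code)):
            s["expires"] = 0  # single use
            return True
        return False
```

`guess_probability(2)` reproduces the post's two-try figure; the throttle is per identifier, so a deployment would also want a per-source-IP limit on `send_code` to cap delivery cost.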
======
LinuxBender
I understand your frustration, but we do not yet have a universal platform to
facilitate OTP. There is also hesitation about using SMS for OTP as it is
trivial to take over a person's phone number. Not everyone has a smart phone,
myself included. I believe the issue is a bit more complex than passwords vs.
OTP.

Also there is the issue of not all services supporting OTP, SAML, OAuth,
etc. Things are slowly evolving in that direction, but there will be services
that require passwords for a very long time. There are still services that do
not even support encryption.

All of that said, you could certainly provide an incentive to your user base
to use MFA/OTP. Blizzard did this by giving players more inventory space if
they enabled SMS and hardware tokens on their account. That won't convert
everyone and they still have to support password algorithms.

~~~
arturgrigio
From a customer's perspective why wouldn't someone opt into this model? You're
telling me I don't have to remember an extra password to log in... AND, if a
service gets hacked, it's only them that got hacked; I don't have to go across
all sites where I reused that password and change it. The burden of security
is not on the customer any more.

And I get your point about MFA. But, that's it, MFA just adds another step for
me to get where I was going. But my proposal removes a step.

But you're right about SMS being easy to hack. More thinking is required on
that end.

~~~
LinuxBender
> From a customer's perspective why wouldn't someone opt into this model?

My theory is that contributing factors are psychological, cultural and
environmental. I don't have a lot of data to back up my theories, but I do
have anecdotal evidence that people are creatures of habit and conditioning. I
see it around me all the time. I can provide people with a simple technical
solution; but if it deviates from their normal pattern, a majority will reject
it. It has to meet multiple criteria. Lower friction (you did this part),
follow a pattern (this is where I believe psychology comes into play), gain
popularity (peer pressure, cool kids are doing it). There are probably many
other factors and my theories about why adoption of such things may be off.

Hopefully others with more economic, marketing and psychology backgrounds can
correct or amend my theories.

------
obpe
I wouldn't call you crazy but I would call you naive.

There are 3 factors, that I know of, for proving your identity: 1) Something
you know (password) 2) Something you have (phone or email) 3) Something you
are (fingerprint)

Your proposal is to do away with 1 by relying upon 2. But the issue is the
very nature of "having" something means it can be taken from you and, on the
internet, quite possibly without your knowledge.

Further, your proposal essentially asks the user to completely trust every hop
along the path an Email or SMS will take. You may be able to mitigate this by
using an app but this is a significant step for many and not everyone has a
smartphone.

So while your proposal may work for a tiny, inconsequential web site or
service which contains nothing of importance (which begs the question why you
have a login to begin with), I would never trust anything to a site that
implements this.

