Ask HN: Password-less login - Akarnani

How do you do it? OR, why won't it work? Where has it critically failed?
======
sova
After storming with this problem for a while there are two approaches that are
promising to me.

1) Have users enter their email address and always use a newly generated
e-mail link to login.

2) Give the user some data like a nursery rhyme that is unique to them and
easy to memorize. Every time they want to access the site you ask them
specific information about their nursery rhyme without revealing all the
details of it.

Example: Seven Goats Hopped Seven Boats With Only a Spoon to Spare.

You could ask them "how many letters are in the last word of your rhyme, how
many goats were there?" ... stuff to that effect.

Personally, I really like the "email me a link" approach because it requires
the user not learning any new passwords, although it is not as immediate for
something like an admin page. That's the method I'm using for a website I'm
developing, so it's yet to be tested in the field.

There are some promising projects using "select all the right emoji (or
equivalent tiny symbols) that make up your password" and the whole grid
changes colors/shapes/arrangement every time you enter a "digit".
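
An added example (not code from the thread) of the "email me a link" approach: the server generates a fresh random token per request, stores only its hash with an expiry, and consumes it on first use. The in-memory dict, the 15-minute lifetime and the `base_url` parameter are assumptions standing in for a database table and deployment config.

```python
import hashlib
import secrets
import time

# Added example, not from the original thread. The dict stands in for a
# database table; the lifetime is an assumed policy value.
TOKEN_TTL_SECONDS = 15 * 60     # a mailed link is only useful for a short window
_pending = {}                   # sha256(token) -> (email, expires_at)


def _hash_token(token: str) -> str:
    # Keep only a hash server-side: a leaked table row must not be a usable
    # login link. The token itself has 256 bits of entropy, so no salt is needed.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_login_link(email: str, base_url: str, now=None) -> str:
    """Create a new single-use login link for `email` and return the URL.

    The caller mails this URL to the address; every request gets a fresh
    token, and nothing about previously issued links is reused.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 32 random bytes, URL-safe base64
    _pending[_hash_token(token)] = (email.lower(), now + TOKEN_TTL_SECONDS)
    return f"{base_url}/login?token={token}"


def redeem_token(token: str, now=None):
    """Return the email the token was issued for, or None if it is unknown,
    already used, or expired. The entry is removed on every attempt, so a
    link can never be redeemed twice."""
    now = time.time() if now is None else now
    entry = _pending.pop(_hash_token(token), None)   # single use: pop, not get
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    return email
```

On a successful `redeem_token` the application creates its normal session; the token never doubles as a session identifier. Issuance should also be rate-limited per address so the endpoint cannot be used to flood someone's inbox.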

~~~
mstolpm
The problem with the pure "email me a link" approach seems to be that breaking
into an email account gets only more valuable: The rightful user can't do
anything if an attacker gets access to his mail account (or even just his
mails), logs into the service secured by "email me a link" and then changes
the associated email address for that account. How would the rightful user
ever get access to the service again that was secured by "email a link" if
there is no additional secret necessary for logging in and authorizing changes
to the user data?
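
An added example (not code from the thread) of one mitigation for the lock-out mstolpm describes: an email-address change takes effect only after the new address confirms it, and the old address then receives a revert link that stays valid for a window, restoring the original address and dropping every session. The dicts, the seven-day revert window and the one-hour confirm lifetime are assumed stand-ins for a database and policy settings.

```python
import hashlib
import secrets
import time

# Added example, not from the original thread. Dicts stand in for database
# tables; the window lengths are assumed policy values.
REVERT_WINDOW_SECONDS = 7 * 24 * 3600   # how long the old address can undo a change
CONFIRM_TTL_SECONDS = 60 * 60           # lifetime of the confirm link mailed to the new address

users = {}             # user_id -> {"email": str, "sessions": set()}
_pending_confirm = {}  # sha256(token) -> (user_id, new_email, expires_at)
_pending_revert = {}   # sha256(token) -> (user_id, old_email, expires_at)


def _h(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _new_token():
    token = secrets.token_urlsafe(32)
    return token, _h(token)


def request_email_change(user_id, new_email, now=None):
    """Step 1: record the request; nothing changes yet. Returns the token to
    mail to the NEW address, or None while an earlier change is still revertable
    (so an attacker cannot chain changes to outrun the owner's revert window)."""
    now = time.time() if now is None else now
    if any(uid == user_id and now <= exp for uid, _, exp in _pending_revert.values()):
        return None
    token, h = _new_token()
    _pending_confirm[h] = (user_id, new_email.lower(), now + CONFIRM_TTL_SECONDS)
    return token


def confirm_email_change(token, now=None):
    """Step 2: the new address proved control, so apply the change, but hand
    the OLD address a revert token. Returns (old_email, revert_token) for the
    caller to mail to the old address, or None if the token is bad or expired."""
    now = time.time() if now is None else now
    entry = _pending_confirm.pop(_h(token), None)      # single use
    if entry is None or now > entry[2]:
        return None
    user_id, new_email, _ = entry
    old_email = users[user_id]["email"]
    users[user_id]["email"] = new_email
    revert, h = _new_token()
    _pending_revert[h] = (user_id, old_email, now + REVERT_WINDOW_SECONDS)
    return old_email, revert


def revert_email_change(token, now=None):
    """Step 3, only if the rightful owner objects: restore the old address and
    drop every session, since whoever changed the address may still be logged in."""
    now = time.time() if now is None else now
    entry = _pending_revert.pop(_h(token), None)       # single use
    if entry is None or now > entry[2]:
        return False
    user_id, old_email, _ = entry
    users[user_id]["email"] = old_email
    users[user_id]["sessions"].clear()
    return True
```

The revert link is the one secret the attacker does not hold: it is mailed to the address they are trying to remove, which they can only read if they still control that mailbox. Refusing a second change while a revert is pending is a deliberate trade of convenience for safety; a deployment that finds the week too long can shorten the window.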

~~~
Paulods
I don't see this being much different to a forgot my password email. Well the
only difference is it makes it marginally quicker to carry out.

------
sad_tuna
What about the HTML keygen element
([https://developer.mozilla.org/de/docs/Web/HTML/Element/keygen](https://developer.mozilla.org/de/docs/Web/HTML/Element/keygen))?
Or something like an SSL certificate login
([http://cweiske.de/tagebuch/ssl-client-certificates.htm](http://cweiske.de/tagebuch/ssl-client-certificates.htm))?

After an initial setup it should log in the user automatically.
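
An added example (not code from the thread, and not the linked page's code) of the server side of client-certificate login: TLS is configured to require a certificate chaining to the site's own CA, and the application then identifies the account by the SHA-256 fingerprint of the exact certificate enrolled at setup rather than by a subject name that the CA could later reissue to someone else. The certificate and key file paths are assumed, the `enrolled` dict stands in for a database table, and the certificate bytes used in a test are constructed stand-ins, not real DER.

```python
import hashlib
import ssl

# Added example, not from the original thread. `enrolled` stands in for a
# database table; file paths passed to make_server_context are assumed.
enrolled = {}   # sha256 hex fingerprint of the client certificate (DER) -> user id


def make_server_context(certfile, keyfile, client_ca_file, crl_file=None):
    """TLS server context that refuses any handshake without a client
    certificate signed by our own CA. With a CRL file, revoked leaf
    certificates are rejected at the handshake as well."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED          # no certificate, no connection
    ctx.load_verify_locations(client_ca_file)    # only our CA's certs are acceptable
    if crl_file is not None:
        ctx.load_verify_locations(crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def fingerprint(der_cert: bytes) -> str:
    """Stable identity of one certificate: the hash of its DER encoding."""
    return hashlib.sha256(der_cert).hexdigest()


def enroll(der_cert: bytes, user_id: str) -> None:
    """Bind the account to the exact certificate presented during setup."""
    enrolled[fingerprint(der_cert)] = user_id


def revoke(der_cert: bytes) -> None:
    """Application-level revocation: takes effect immediately, independent
    of CRL distribution."""
    enrolled.pop(fingerprint(der_cert), None)


def login(der_cert: bytes):
    """Called only after the TLS handshake has already verified the chain.
    Returns the user id for an enrolled certificate, else None."""
    return enrolled.get(fingerprint(der_cert))


def identify_connection(tls_socket):
    """Convenience wrapper for a live connection: fetch the peer's DER
    certificate from the socket and look it up."""
    der = tls_socket.getpeercert(binary_form=True)
    if not der:
        return None
    return login(der)
```

Pinning to the fingerprint means a renewed or reissued certificate for the same person must be re-enrolled, which is the intended behaviour: enrollment is the one step where a human vouches for the key.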

~~~
sova
I'm really happy you mentioned SSL because that appears to be the future of
all logins... SSH anyway; Passwordless key-authenticated communication.

------
bendtherules
How about telling them to reply something like "ok" to the email just sent on
login request. That email should properly have this instruction written so
that someone can copy-paste that code word if required.

Also, the email can have a pre-built email link with the text and appropriate
sender written so that one just clicks it and sends.

~~~
bendtherules
In fact, this distinction of the login system from the account itself can have
interesting consequences.

Consider like a command-line app running (actual stuff you do after login)
along with a separate command center (your email), so that you could do
queries about your account like who is logged in, log out everyone, or are
there any pending notifications, and even is the service properly running?

But yes, people today don't like to do anything other than clicking buttons, so
only geeks would be impressed with this.

------
borplk
Check out the SQRL project