Cierge – passwordless authentication (pwdless.github.io)
94 points by zeveb 6 months ago | hide | past | web | favorite | 62 comments



Very cool. The magic link/email address as a ready made authentication platform feels very comfortable from a usability perspective. I’m curious if the venerable crowd here at HN has experienced any downsides to this approach. Are we (over)extending a notoriously easy to pwn target in email by using this approach? Or is it just considered the same level of security as say a normal user/pass setup? I know zeit uses it for their system and that’s a gateway to applications/websites/micro services/etc. I have to say that I like using it because it’s so easy but I’m not sure what the implications could be in aggregate.

Edit: changed a word for clarity.


I can't help but feel that this is of equivalent or better security for users on sites that allow password-reset-by-email.


Premise: I just bought a Shield so I could start using Netflix on my TV (they still don't have an installable application for my old HTPC).

On topic: I generate all my passwords (variable length 30+ characters), and to log into both the Shield and (as a family account) my wife's phone, I had to type (or copy/send) the entire password in using a directional remote or a phone keyboard. No magic email link, no netflix.com/auth request, no PIN number, no personal wife account that I could include into my family plan.

Passwordless solutions can't come soon enough. The email route is fine for me, though I'm sure there could be better solutions too.


Netflix is one of the few things I've seen that supports google's Smart Lock for signing in. If I'm signed into the same account on my Shield as I use on my laptop, the signin is automatic for me.


I never want my social media connected to other sites, and I never use the same email address for different sites.

How would this ever work for me?


Wouldn't that also present an issue with usual password logins?


dude, how many fucking email addresses do you have then?


Not OP, but I do the same thing using wildcard addresses on a domain I own. I might use hn@my.domain for Hacker News, amzn@my.domain for Amazon and so on.

Foregoing the custom domain, some email providers also let you add tags to your address (e.g. your_address+tag@gmail.com). I'm aware of some people who use that functionality to have unique email addresses for each service.


I also use this method. Thanks to it I can usually check if an e-mail was automated, and I am also not disturbed by e-mails with social media notifications, shop promos or marketing spam during work. Also, some e-mail providers allow you to create many e-mail aliases which share the same inbox.


Some of us use myemail+sitespecific@gmail.com. It gets delivered to the same myemail@gmail.com. Other mail providers probably offer the same convenience.


Some nasty login forms block the '+' symbol from being used.


I sometimes use multiple dots to create an alias, but it only works for a fraction of e-mail providers (i.e. GMail). E.g.: example@example.com is the same as exa.mple@example.com.


FastMail supports tag@username.domain.tld


> dude, how many fucking email addresses do you have then?

  $ ldapsearch -LLL uid=dozzie mail | wc -l
  115
Is it supposed to be ridiculous or what?


This is basically the same as (but quite a bit more powerful than) the auth system that The Magazine used back then (enter mail address, get a link, click and have cookies set). I loved that and wish more sites would do something like that.

And from the view point of a site owner it's even better: you don't handle passwords anymore. Passwords that many users share among several sites. So you won't be responsible for really, really keeping them secure. Because you don't have them.

Additionally, mail providers and browser vendors have much more security knowledge than pretty much everyone offering a web service.


I hate this workflow. I need to copy-paste the URL from terminal to browser. Even if I used a webmail, I would need to constantly go there and search for a new mail every time I'm logging in instead of having the login form filled on my request.


You are doing this once per device, every n days, with n typically at least 90, possibly more. Your login form consists of a single field for your mail address which is autocompleted. I really do not see your point.


> You are doing this once per device, every n days

...with n being 2, and sometimes even 0.3. There are few services where I would want to stay logged in.


I am not sure I understand how it works from a user's perspective? I log in (using only an email), receive an email with a 'magic link' and this directs me to my authenticated account?

If that is so for the user, how does it work for the site owner? Cierge calls my site and requests a login from a given email, then the site backend conjures a URL which Cierge will use to create the magic link sent back to the user?

It would be very helpful to better understand if they explained the workflow for users and site owners.

If anyone can help me understand this and how it's better than OAuth (logging in with FB, Google...) I would be grateful.


As far as I can tell, it's exactly the same as the password + one time code approach to 2FA...except without the password. Effectively the same as using Google Authenticator alone instead of in combination with a password.


Cierge is an OpenID Connect server (which is based on OAuth 2), so your website would interact with it just as it would with non-passwordless solutions.


Services which use this kind of login do not work for me.

First: email is not a reliable way of communication. Emails can be delayed. That means, a service using this method has lost me before I even had a chance to look into the details of the service.

Second: my email is deliberately delayed for services that contact me first. It is called Greylisting and still to these days it works great as a spam protection without consulting and relying on some (dubious) blacklist providers. That comes back to the first point. A service using this kind of on-boarding has lost me before I even had a chance to look at it.


How does this work when you sign up to a new service and they send an email confirmation to verify your email? Surely it’s a similar situation?


Many services require email confirmation, that is right. But this is not required immediately. I can do this hours later. Some services even allow you to do it days later.


Yeah fair enough. I’ve never used Greylisting before, is there not some folder you can go to to view the emails which have been deleted due to first contact? Like the spam folder or something?


That isn't how greylisting generally works, no.


Even in the case of a long delay - this is a one-off event, as opposed to login which could be a daily occurrence.


My understanding of Greylisting is that there’s only a delay the first time someone contacts you so this shouldn’t be a problem


That's not the only reason emails may be delayed.


I don't really understand the premise of greylisting. Don't you just still receive the spam but later than intended by the sender?
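To make the greylisting exchange above concrete, here is an added example (not code from Cierge or from any particular mail server) that simulates the decision a greylisting MTA makes per (client IP, sender, recipient) triple. The delay, retry window and whitelist lifetime are assumed values; real implementations make them configurable.

```python
import time
from typing import Dict, Optional, Tuple

# Assumed policy values (constructed for this example).
MIN_DELAY = 300            # sender must retry at least 5 minutes after the first attempt
RETRY_WINDOW = 4 * 3600    # ...and within 4 hours, otherwise the triple is forgotten
KNOWN_TTL = 30 * 24 * 3600 # triples that retried correctly are accepted for a month

Triple = Tuple[str, str, str]


class Greylister:
    """Minimal greylisting policy: first contact gets an SMTP temporary failure,
    a well-behaved MTA retries later and is then accepted; a bot that never
    retries never gets its message delivered at all."""

    def __init__(self) -> None:
        self._first_seen: Dict[Triple, float] = {}
        self._known_until: Dict[Triple, float] = {}

    def decide(self, client_ip: str, mail_from: str, rcpt_to: str,
               now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        triple = (client_ip, mail_from.lower(), rcpt_to.lower())

        # Triples that already passed greylisting are not delayed again.
        if self._known_until.get(triple, 0.0) > now:
            return "accept"

        first = self._first_seen.get(triple)
        if first is None or now - first > RETRY_WINDOW:
            # First contact (or a stale one): ask the sender to try again later.
            self._first_seen[triple] = now
            return "tempfail"   # SMTP 451 "please try again later"
        if now - first < MIN_DELAY:
            return "tempfail"   # retried too quickly; keep waiting

        # Correct retry: whitelist the triple so later mail is not delayed.
        del self._first_seen[triple]
        self._known_until[triple] = now + KNOWN_TTL
        return "accept"
```

The spam that "arrives later" only arrives if the sender actually retries; the mail is never stored server-side during the delay, which is why there is no folder to look in.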


I always wanted to do this. Glad someone did!


Cierge means a votive candle in French.

Also, using dotnet for things that are supposed to run on a server still makes me uncomfortable.

But I will try and I hope to change my opinion on projects like that.


I'd argue that .NET on server is the only valid scenario. ;) ASP.NET has a pretty good security track record (10 CVEs in 14 years of existence with the most recent ones in 2010) and the entire stack (compiler, core libraries, ASP.NET core) is now open source.


It's not the open source stack that has that track record though


It wouldn't be the best record if it had 10 critical CVEs since its release.


When seeing the name, my first thought was "pray to authenticate" and I clicked on it to check this out.


It is a shortening of "Concierge", which is, in short, the person overseeing an apartment or hotel lobby.


Concierge is also a French word, so the shortening is a bit unfortunate.


> Cierge uses magic links/codes and external logins to authenticate your users.

Could someone explain how the "magic links/codes" work?


I presume it's the same idea as Slack uses, where they email you a link that you visit. It's similar to verifying your email address for most services you sign up with. That's not literally how it works though, just functionally.


The idea is fantastic, it is not quite new, but still great; however the implementation is very flawed. One site is where I am logging in, another is where I am entering the code, and the email with the code arrives from a third site. This is just bad to do like this.

What I would suggest: rewrite and organize everything and come back. Otherwise a solid idea.


Cierge is stateless so it doesn't matter if you have 100 login tabs open, it'll always work - and once the code is entered it is automatically invalidated.
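As an added illustration of the magic link/code flow discussed in this thread (this is example code, not Cierge's implementation, and the token layout, TTL and key handling are assumptions): a server issues a self-contained HMAC-signed token at request time, so nothing is stored per open login tab, and verifies signature, expiry and single use on redemption. The consumed-nonce set is the small amount of state that single use requires in this sketch.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # constructed: server-side secret, never sent to clients
CODE_TTL = 600                        # assumed: a link/code is valid for 10 minutes


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_magic_token(email: str, now: Optional[float] = None) -> str:
    """Issue a token carrying the email, an expiry and a random nonce.
    No server-side record is written, so any number of concurrent login
    requests (open tabs) each get an independent, valid token."""
    now = time.time() if now is None else now
    claims = {"email": email, "exp": int(now) + CODE_TTL, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"


_consumed = set()  # nonces already redeemed; the only state single use needs


def redeem_magic_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated email, or None if the token is malformed,
    forged, expired or already used. The payload is parsed only after the
    signature has been verified."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(_sign(payload), sig):   # constant-time compare
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None
    if claims["nonce"] in _consumed:
        return None                                    # second use is rejected
    _consumed.add(claims["nonce"])
    return claims["email"]
```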


This seems less secure.

This reminds me of slack. The point of a password AND an email is that will essentially make it “two factor”. With email only you are no longer two factor.

Once your email is hacked, you will be globally owned. No password required - they just need to send a simple phishing site to collect your email password.

You’ll also need to logon to your email to access whatever site which means whatever keylogger is installed on whatever computer you use in some public place will also be a threat.

Hope this helps.


> Once your email is hacked, you will be globally owned.

This is also true for 99% of online services that have a "forgot password" function that uses your email address. If your site is in the 1% that needs stronger security, then don't use this.

> You’ll also need to logon to your email to access whatever site which means whatever keylogger is installed on whatever computer you use in some public place will also be a threat.

Valid point, but it's an edge case that's not applicable to most people. The most common use for using a public computer is probably checking email. Even that happens less these days, with people just using their phones + public WiFi instead.


That's the point that I see as well. It's like if they get your email they will be able to get your user/password account anyways. So this seems like a decent way of getting rid of the password.


Also want to add in case anyone is reading that you don't want to set your system's security based on some lowest denominator that you can't even secure / control.

Seems unreasonable and insecure.


When user passwords are used for security, proper services have additional questions (in other words 2FA) to reset your password by email.


Additional questions are bonus passwords. They are not 2FA.


Public computer is for probably checking email. You said it yourself. Hence a proper adversary has already pwned these devices.


Password recovery through email is ubiquitous. So password is in no way a second authentication method to your email. That said, email is an identity, not a secret. But for the most part I'd rather protect my identity alone than my identity AND my secret.


When user passwords are used for security, proper services have additional questions (in other words 2FA) to reset your password by email.


No reason you couldn’t use this service + MFA.


If your email is hacked, that can be used to reset the password, so it's no less secure unless another factor is required to then change your password (which most services do not). You do have a point about it potentially exposing your email password to a keylogger though.

However, you also need to consider how most people use passwords. Often they have the same password (or very similar password) for many services. Other people essentially use the password recovery flow as their login mechanism. This is more secure and usable than that.


There are other options. Well designed passwords that are the same but different, using a password formula that one doesn’t share.

Password managers.

Certificates. Etc.


Cierge also uses magic links, making the code invisible to keyloggers. You can configure it to use magic links exclusively.


> The point of a password AND an email is that will essentially make it “two factor”. With email only you are no longer two factor.

Please don't confuse things. This is only one factor (email or email+password doesn't matter). Two-factor is only if you have one factor on top of this, e.g. U2F, OATH, etc.


I am not a security expert, so I started looking for a solution which I know from my personal experience: if we add additional complexity like MFA/2FA this problem seems to be mitigated.

It would be great if someone with more knowledge in this field could provide a better solution for this issue.

Edit: Also you could reset the password on your e-mail account if it was breached.

Edit 2: There are also push notifications sent to mobile apps which act like a boolean to accept or deny the logon process.

Edit 3: If MITM is also laid down in discussion about possible threats then I think end-to-end encryption may help.

Edit 4: Banks usually use "Fill 3, 4, 15, 22.. character from your [placeholder: password, auth card]" method to get rid of key-loggers on clients PCs.


1- If your email was breached it’s simply too late.

2- Great - this is 2FA and good.


2FA is an overused term these days. I was thinking of something like Cierge+U2F with some physical device like a Yubikey, or Google Authenticator.

Edit: If my email was breached (and I would know it) I would probably reset the password and log on to change all services to populate them with brand new credentials. Then I would try to minimize the threat (i.e. by making it impossible to use my accounts - bailing out emails, resetting credentials or even removing accounts and e-mail) and then find out the best solution for the specified scenario and recover after the breach with better security implemented.


Many services now allow password reset by email (magic link); Cierge's approach just does away with the illusion of security employed by such services. It outsources authentication to email, as many services do with Google/Facebook/Github accounts.

The Cierge login approach would obviously be inadvisable for protecting something of importance, like your email account.





