Tell HN: I Don't Want to Use Email as a Password
25 points by CPLX on Dec 6, 2023 | hide | past | favorite | 19 comments
Old classic flow:

I enter a username and a password. If it's important I set up 2FA and use a timed code or SMS if I have to.

New flow:

I try to log in using my email address. The site generates a code that I now have to go and fish out of my email, cut, and paste in, to get into the site, instead of just proceeding to enter the password that's in my password manager.

Am I the only one that thinks this new approach to logging in just sucks?




It's not for you. It's for people who don't know what a password manager is and can barely remember their password. If they actually remember it. Many people rely on their phones always having access.

I have dealt with a lot of family members who absolutely cannot be trusted to remember even a single password if they don't have to type it in semi-regularly. I've had family members locked out of password vaults because 2 weeks is too long to expect them to remember a password.

This is who that flow is catering to. It's a significant amount of people, sadly.


It's a logical consequence of expecting people to authenticate fully with services in a physical context outside of a computer desk at home where passwords can be safely written down. Unfortunately a hardware key is simply the modern version of this.

What would be better is the issuance of limited permissions for other context in the form of less secure tokens. An example of this is the old school example of logging into your airline account and printing out your tickets to take to the airport.


I was watching a demo of palm pda and I liked the fact you have a syncing software on your computer. I'd gladly sync auth secrets to my iPhone so I can access services instead of authenticating on the phone itself.


It sucks. Another horrible pattern is that enter email, hit enter THEN we'll show you the password field. What kind of puddinghead cooked that up I wonder.


I've done this. It really isn't to make life difficult, it is because we need to know who you are before we know whether you even need a password screen. Maybe your domain means you are part of an org that has an SSO connection configured. Maybe you are not yet a user and need an onboarding workflow, etc.

Could that be done on a single page instead of a new page? Probably, but does turning the login into an SPA really reduce friction enough to make it worth that complexity?

In any case, some systems have a reason. But you are correct that doing such a thing without a good reason is not a wise move. And outside of B2B apps... I don't see it being a common thing.


Here's what Google said when they implemented it:

  "Today, you sign in to Google on a page that includes both the ‘email’ and ‘password’ fields on the same page. We’ll be gradually splitting those two fields into separate pages in the coming days; the sign-in process won’t change otherwise.

  As we’ve said many times, we're working towards introducing new authentication solutions that complement traditional passwords. We’ve already separated the ‘username’ and ‘password’ fields onto separate pages on a successful launch in Android last year. This change to our web sign-in page is another step in that direction.

  To help make sign-in easier and more personal, you may see a screen with your profile picture and full name when signing in to Google. We’ll only show this information if you are signing in from a location or device you’ve signed in from before, like your home computer."
I have no opinions on it. At least, no positive opinions.


Crazy they just skip past the why. Why split it in the first place lol


They state why, albeit poorly worded and justified:

  > we're working towards introducing new authentication solutions that complement traditional passwords
Anyway, terrible explanation on Google's part, IMHO.


My college uses this. It redirects to their login system when you put your school email in on gmail.


Sometimes that is needed if you offer both native login and SSO. Once a user enters the email, the system then checks if they should go to the SSO flow or the normal password flow.

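An added example of the routing the two comments above describe (not code from the thread, Google, or any vendor): the first screen takes only the address, and the server decides from the domain and the user table whether to redirect to an IdP, show a password field, or start onboarding. The domain table, the user set and the IdP URLs are constructed sample data.

```python
"""Email-first login routing (added example, hypothetical helper).

Given the address typed on the first screen, decide whether to send the
user to an org's IdP, to the password screen, or to onboarding.
All tables below are constructed sample data, not a real deployment.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample config: domains an org has claimed for SSO -> IdP endpoint.
SSO_DOMAINS = {
    "example.edu": "https://idp.example.edu/saml/sso",
    "corp.example": "https://login.corp.example/oidc/authorize",
}

# Constructed sample user table: addresses that already have a local account.
KNOWN_USERS = {"alice@corp.example", "bob@gmail.example"}


@dataclass(frozen=True)
class LoginRoute:
    kind: str            # "sso", "password", or "onboard"
    target: str | None   # IdP URL for "sso", otherwise None


def normalize_email(raw: str) -> str:
    """Trim and lower-case; reject anything without exactly one '@' with text on both sides."""
    addr = raw.strip().lower()
    if addr.count("@") != 1 or addr.startswith("@") or addr.endswith("@"):
        raise ValueError("not an email address")
    return addr


def route_login(raw_email: str) -> LoginRoute:
    """Pick the second screen from the address alone; no password is accepted yet."""
    addr = normalize_email(raw_email)
    domain = addr.rsplit("@", 1)[1]

    # 1. Org-claimed domain: never show a password field, hand off to the IdP.
    #    Checked first so a user cannot bypass SSO by having a stale local password.
    if domain in SSO_DOMAINS:
        return LoginRoute("sso", SSO_DOMAINS[domain])

    # 2. Existing local account: proceed to the password screen.
    if addr in KNOWN_USERS:
        return LoginRoute("password", None)

    # 3. Unknown address: onboarding workflow.
    return LoginRoute("onboard", None)
```

Branches 2 and 3 answer differently for known and unknown addresses, so anyone who types an address learns whether an account exists; that is the trade-off this flow accepts. If that matters for your service, return the password screen for both and handle the unknown-user case after submission.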

I agree it sucks. It adds a complex & flimsy step to an already brittle login process.

A big problem is captive browser cookies. Gmail for example uses a captive browser for links. The flow from Safari --> Gmail --> captive browser means that your login session is lost in captive browser limbo.

Authentication is so kludgy, and all the attempts at securing it lead to horrific UX.

How many screens does it take to log in:

1. enter username,

2. enter password

3. enter 2fa,

4. verify email

5. open email inbox

6. open email with code

7. Open captive browser

8. (if you are lucky) Open the original browser to log in.

8 screens that each could succeed or fail or the user can get lost.


I’ve been getting increasingly crazy permutations of login flows recently. I swear one of them recently was: Enter email address, go fish code out of email inbox, cut and paste code in, then get a password field.


I agree these flows suck, and others have described why companies do this. But I’ll also note there is a solution: use Apple Mail and Safari. Just as with Messages and SMS 2FA codes, it can auto-fill the code that was emailed to you, and delete the email when you do so.


While it bothers me as well, this flow isn't too common. It's usually only used for MVPs because of how quick and easy it is to set up.

What I'm more bothered about is that sites who use traditional username/email and password increasingly don't actually seem to care about my password. They always require 2FA, email or phone, and I don't have a choice. Username + password simply isn't good enough for these people anymore.


I am seeing this much more frequently in services I use. Rarely, they have a small option that says "use password instead".

I agree that it's pretty frustrating, since I have strong passwords in my password manager. Like another poster, I assume it's used because it provides better security for the majority.


A lot of companies have started doing this because a compromised account can be used to attack the service (logged in sessions avoid rate limits) or other users (spam). They aren't necessarily trying to protect you.


I want to like passkeys, but so far it feels like they've just confused the issue.


Email as a login flow is gonna cause problems. Email can be delayed for days.

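An added example of the emailed-code flow the original post and the comment above describe (not code from the thread or any vendor): the server stores only a keyed hash of the code, binds it to the address, expires it after a short window, and caps wrong guesses. The in-memory store, the ten-minute TTL, the five-attempt cap and the optional `now` parameter (so the expiry path can be exercised without waiting) are assumptions for illustration; a real deployment would persist the pending codes and rate-limit issuance too. A code that arrives after the window, the delayed-mail case, is simply rejected as expired and the user has to request a new one.

```python
"""Emailed one-time login code: issue and verify (added example, hypothetical).

Only a keyed hash of the code is stored, so a leaked table cannot be
searched offline (10**8 eight-digit codes is trivial to enumerate without a key).
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 10 * 60   # assumption: a code is valid for ten minutes
MAX_ATTEMPTS = 5             # assumption: lock the code after five wrong guesses
CODE_DIGITS = 8

# Assumption: per-deployment secret that keys the stored hashes.
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class PendingCode:
    email: str
    code_hash: bytes
    expires_at: float
    attempts: int = 0


_store: dict[str, PendingCode] = {}   # constructed in-memory store, keyed by address


def _hash_code(email: str, code: str) -> bytes:
    """Keyed hash bound to the address, so a code for one account is useless for another."""
    return hmac.new(SERVER_SECRET, f"{email}\0{code}".encode(), hashlib.sha256).digest()


def issue_code(email: str, now: float | None = None) -> str:
    """Generate a fresh code for this address and return it (this is what gets emailed).
    Issuing again replaces any outstanding code."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    _store[email] = PendingCode(email, _hash_code(email, code), now + CODE_TTL_SECONDS)
    return code


def verify_code(email: str, submitted: str, now: float | None = None) -> str:
    """Return "ok", "expired", "locked" or "mismatch".
    A used or expired code is removed so it cannot be replayed."""
    now = time.time() if now is None else now
    pending = _store.get(email)
    if pending is None:
        return "mismatch"            # nothing outstanding: same answer as a wrong guess
    if now > pending.expires_at:     # e.g. the email took hours to arrive
        del _store[email]
        return "expired"
    if pending.attempts >= MAX_ATTEMPTS:
        return "locked"
    pending.attempts += 1
    if hmac.compare_digest(pending.code_hash, _hash_code(email, submitted.strip())):
        del _store[email]
        return "ok"
    return "mismatch"
```

The attempt cap is what makes an eight-digit numeric code acceptable: without it, 10**8 guesses against a ten-minute window is a feasible online attack. The constant-time comparison is on the hashes, not the digits, so a timing side channel does not leak which digit was wrong.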

So can SMS, it hasn't stopped idiots designing 2FA around it.



