Ask HN: Better Alternatives Than Passwords?
13 points by anon115 7 months ago | 30 comments
I'm not talking about no password manager or auth either, something more seamless.



It would be worth talking more about the problem you are trying to solve. What do you want to authenticate to? What issues do you have with passwords?

That will probably help the community help you.


Just send your users a login link to their email.

If you go with passwords, you already have a risk vector for resetting passwords. Skip the password and the reset.

Make the login link expire after 10 minutes so the attackers only have a short window.
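A minimal sketch of the emailed login link with a 10-minute expiry described in the comment above, added here as an example and not posted by any commenter. The `MagicLinkStore` class, the in-memory dict standing in for a database, and the example address are assumptions; it also makes the link single-use and stores only a hash of the token.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 10 * 60  # the 10-minute window suggested in the comment


class MagicLinkStore:
    """In-memory stand-in (assumption) for a table of pending login links."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create the token to embed in the emailed link; only its hash is stored."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, self._now() + LINK_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Return the email the link was issued for, or None if it is invalid."""
        # pop() makes the link single-use: a replayed link finds nothing.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email


def demo():
    clock = [1_000_000.0]  # constructed fake clock so expiry can be shown offline
    store = MagicLinkStore(now=lambda: clock[0])
    fresh = store.issue("user@example.com")
    first = store.redeem(fresh)    # valid, inside the window
    replay = store.redeem(fresh)   # same link used a second time
    stale = store.issue("user@example.com")
    clock[0] += LINK_TTL_SECONDS + 1
    expired = store.redeem(stale)  # past the 10-minute window
    forged = store.redeem("not-a-real-token")
    return first, replay, expired, forged


if __name__ == "__main__":
    print(demo())
```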


I love it when you send me a link and it doesn’t deliver.


Passkeys. You're looking for passkeys.


I'm looking for brain storage ingrained like your social security card.... or a simple image key..


I'm sorry, but you're clearly not bothering to think this through or... Idk.


Steve Gibson invented something you may like: Simple Quick Reliable Login https://www.grc.com/sqrl/sqrl.htm


Choose from some combination of:

* Something you know (memorizing a password, PIN, whatever)

* Something you are (biometrics)

* Something you have (2FA, passkeys, OTP keys)

I think all three have been done in various combinations, and each has its pros and cons. Of those, I personally find Passkeys to be the easiest to use, especially with a password manager that can sync across devices.


i was thinking the user having an image act as a password/key. ---then locking the key to said devices only acting like 2FA ------voice login??? ---------if the user is say from los angeles their passcode only works here ---passcode but with images interchanging passwords that the user can custom set. -----having the user record their room with their face in it and a simple phrase like banana' oranges' apples'.


Here is an experience I have had…

I’m on vacation in a city hundreds of miles from home. My plane ticket is on my phone. I drop my phone and break it, needing a new one. How do I get logged back in on my new phone, to get access to my ticket, so I can catch my flight home?

In my particular situation, 2FA was forced upon me by Apple some time earlier. Through dumb luck, I happened to bring an iPad on my trip which I was able to use for 2FA to get logged back in and get home. If I hadn’t brought a 2nd device, or wasn’t in my home locations (with the setup you mention), what do I do?

A lot of people have a phone as their only device these days. 2FA, or location dependent 2FA seems really bad. I don’t know how people recover when a primary, or their only, device is lost/broken?

I have since set up a recovery key with Apple. I’m planning a trip in a couple weeks. I’m thinking I need to write down my recovery key and keep it in a money belt, so if something goes wrong I have a way to get at my data, so I can get home. But is the average user going to do any of that? No way. This all seems like a huge risk.


You present an ID at the airport to have your boarding pass printed for you. No phone required.


There is also the matter of getting to the airport, as I planned to take an Uber.

Yes, I could have talked to the front desk at the hotel and had them call a cab, and pay for that with a credit card. And then also do something like that when I got home to get back to my house.

It’s a lot of extra steps and extra expense. Last time I took a cab from the airport it was almost 5x the price of an Uber, and I had to listen to the cab driver talk shit about Uber the whole time.


i was thinking about perhaps one time PASSCODES linked to your ticket that you can easily burn in your memory:::

tree#5737cherry۲ bird#115٨lime۲ those fancy symbols are arabic numbers they act as separators : ۲ = 2 || ٨ = 8

with my name oompa loompa:: L#oompa٨149۲ oompa#L۲149٨ #Loompa٨O۲115 the original idea was a lot more complicated but harder to burn ::: banana#4680٨yellow۱۲ tree#5791٨cyan۱۲cherry =======

tree#cyan۲cherry -----ticket backup only!!!\ not 2FA! --- i added emojis here but hackernews won't display em


wonderful.... OOOOoooopsss!!! it was raining in bangkok that day and i dropped it and now the paper qr pass gone.


You dropped it in the rain between the check in kiosk inside the airport and the gate? Must be a heckin’ storm system inside the airport.


--passcode with a specific time of day you have set which a maze appears but you have the choice of holding down + swiping + holding down again + swiping in order to activate said maze super recommended because hardly any1 has seen you do this at least physically (inform the user to set this up in a private place by themselves only with absolutely no1 looking) ---this appears as an everyday passcode interface and only the user knows they can do this >>>time logged off??? on our side we can tell how much time your login you have been inactive, if i was apple 4example i would check for active internet connection/any sort of activity ping. this tells us something's up.. only accordance to you tho upon successful login details.

>>>pinged last phone battery 0%? oki >>>zero signs of activity? on all logged in devices?yes? oki >>>last time of signs of phone activity on all devices? device 1, 2:00pm device 2 5:00pm device 3 10:00pm?+++prompt the user someone is trying to login from out of oh hey but the user usually goes to sleep around this time...... account for that too...

+++360 video selfie of yourself with saying your simple phrase? super manual... has to be reviewed by a human. super anti- ai >>you got a new phone should be no problem right?*** +++time specific passcode:: time sensitive lets say the user picks 12:05pm to 12:10pm on their time the ui matches this with the time whatever country they're in. >>>if the user doesn't login in their phone within the last 72 hours something maybe less idk >>>as for the keys you're right is not seamless how about a passcode interface that ---how many times do people go about not** bringing their phones vs breaking their phones on another country? ----prompt what country they're going to? ----ping the user on all logged in devices with activity that someone's trying to log in. i think google and amazon already uses this called 'OTP' they send it over to your email(mind you, you have to be logged in your email) ---lets check off all of these first and then give you this option.kinda thing -----an idea of a wireless SSD ring auth comes in mind for super auth purposes scenarios like this only. vs having to write down what recovery key. but this is super specific scenario... i too have encountered 2FA like... when my phone battery died. i was trying to login on the library computer...maybe prompting the user of simple 4 digit number combo before the phone dies? 2 image combo out of 9 images presented at front?


hell shit even only allow the users to view new emails from today,yesterday and before after only? and reply? i mean what do you need to do exactly anyways. access to your bank account? meow dats an entire different problem... much bigger problem.. view tickets???? only hell yeah that could work... hmm meowidk

have a button appear which allows restricted access only...


----https://www.youtube.com/watch?v=w1xmwN_XoJ4 super mario bros login -------users can take a 360 video of their room and them in it while saying a phrase [informing them: a room which they are frequently in but no1 else has access to (like your apartment)]lol


another preliminary to pass ---is there simultaneous activity going on different devices?


"My voice is my passport, verify me"


What are you trying to authenticate? A machine? A human?


Using methods like email or SMS magic links, QR codes, or biometrics instead of passwords.


Async cryptography? So tls certificates or passkeys. Even Kerberos tickets be part of that


Passwords are great, stop tinkering with stuff that isn't broken.


meow


The answer depends on what exactly you don't like in passwords.


i don't like anything in passwords not enough capitalized letters not enough numbers too commonly used.. needs to be 100 characters long now do this for 15 websites


Yeah, use a freaking password manager. Or ask sites to use Passkeys. Again, this is a solved problem, as others are mentioning.


Password managers are seamless, too. On Apple devices, it’s either Touch ID or Face ID and it’s instant. Chrome it’s instantly typed in. Virtually zero effort.


Mynoise.net has logins that don’t require a password. I love it.

Who gives a shit if someone logs in as me on that site? And why would anyone bother?



