Hacker News new | comments | show | ask | jobs | submit login
A bold but simple login system (xoxco.com)
94 points by fufulabs 1697 days ago | hide | past | web | 96 comments | favorite

This would drive me up the wall. I don't want to have to sit in my mail client, waiting for it to pull down the message that may-or-may-not have arrived at my mail host yet, when it's incredibly easy to use a password manager for everything without having to leave my browser. He bemoans the number of controls you need to interact with to log in, but to get to log in with his method, I need to put in my email address (or take the time to find it in the list), interact with whatever control submits the form, switch to my email client (at least 1 control, probably more), refresh it to get the most recent messages (perhaps more than once), open the message, click the link, go back and close the window I used to start the login process in the first place, then switch back to the window with the app in it. Seems far more complex.

I don't buy his premise, either; he claims you need to interact with "6 different controls" to log in to Facebook, but (a) you only interact with 4 of them and (b) that's only the first time you log in from that computer. He's trying to solve a problem I have never experienced. I'm curious to see if others have felt overwhelmed by the number of controls on login forms; this is a problem I've never had.

The idea here is you only need to log in on a device once (or as often as you delete all your cookies). After that the site would remember you, so there really wouldn't be that much waiting on emails to arrive.

Definitely not something I would want for my bank account, but who cares for logging on to a support forum or some other trivial account.

So why not just make the session last forever the same way, but using a password instead of requiring me to login to my email and click a link? I logged into Facebook the first time and as long as I didn't delete cookies, I could go to Facebook on that device today, tomorrow, next week, next month, next year... And never have to put my password in again.

This just adds more waste...

Some people despise Facebook, but nearly everyone online has an email account.

Personally I would implement Facebook connect and have this email login system as an alternative.

Not really saying Facebook, but using Facebook as an example. They keep the session alive until you either delete the cookie, or the session from your control panel. Why deal with this email method when you can just keep the session alive forever unless they logout or delete cookies, after they have typed their password in?

First thing I thought too. The email validation step, in my opinion, is the most annoying part of signing up for any site. I often log in places on devices where I don't have access to my email, so this requirement would completely keep me off your site.

I guessed that in "interact" he included "inspect and make sure you don't need to touch it".

Someone needs a history of internet mail. It was never designed to operate in real time or be fast, whereas people expect logins to be fairly quick.

Also, using an email backchannel and one time keys moves the security from an encrypted connection (assuming SSL) to an unencrypted SMTP connection anyone can view...

Back in the good old days of UUCP you might wait a day or two to get mail from across the globe...

Who really cares what it was designed to do? The fact is, almost the entire userbase is going to receive that email before they can switch tabs to their email inbox. So even though it wasn't designed to be immediate, it is in practice, and we have a whole list of technologies that we use despite intent (HTTP wasn't designed to be stateful, and yet we use it as such constantly).

Mail transmitting is only sometimes encrypted, which is disappointing, but I've yet to hear of an instance where a user account was compromised when the forgotten password link was hijacked by listening to the wire between two mail servers. If it really is a problem, this could also be mitigated easily by only allowing the link to work on the browser that initiated the request.

Frankly, though, I'd love it if this system were implemented if for no other reason than to encourage mail servers to enable TLS on their SMTP backend.

I have had to wait couple of minutes for the email show up in gmail or few minutes for it to be delivered to outlook.

And I recently had to wait about two weeks to get an email from Channel 4 (UK TV channel) to confirm my email...

> So even though it wasn't designed to be immediate, it is in practice,

But that's by accident, not really by design, and because email isn't supposed to be immediate, and is often outside the user's control, there are very many things that can delay it.

The logic behind this system isn't terrible. But as others have pointed out, it still relies solely on a third party. And while it's true that exposing the entire user list would not give an attacker much in the way gaining access, it's still a leak of trackable information. I think a more secure solution would be to model an authentication standard after public/private key encryption. If all browsers would endorse it, the interface would be remarkably simple.

Present the end-user with a certificate management dialog when they open a browser for the first time. That would allow them to either browse for an existing certificate or create a new one. After one is created they're given a copy which could be used in any other browser at a later time. From that point on, each time a Web server requires authentication it could be handled behind the scenes. No log on page, no passwords, no user names; only aliases and a push button start. Signing up would become a one click affair, as well. Press the button, and the browser sends the public key to the Web server. A site gets hacked? Big deal, there are no vulnerable hashes -- only public keys. You would never be required to remember anything more than backing up your certificate. Worried about recovery? Do what you would do with SSH. Pop the cert on a thumb drive and hide it. Hell, even create a feature in that management dialog to do it for you.

This of course would require a large standards body and the involvement of every major browser company. But in the end, it would be easier.

I had to read this article twice to make sure I was understanding it right. I honestly see zero benefit in this approach. It does not speed up the login process at all. The only thing it accomplishes is not requiring the user to remember a password. Additionally, it puts way too much power in the hands of random email servers. What if my email system at the office goes down for a few hours. Am I locked out of all websites too?

I do agree with his point that memorizing passwords can get cumbersome, especially with different sets of rules for different logins. However, the majority of people store their passwords in their everyday browser or just stay logged in indefinitely.

The real solution to "doing away with passwords" lies in recognition technology on devices. What if my keyboard could recognize my identity and pass that along to authorized sites as login credentials? What if my iPhone could do the same? I'll defer the argument of privacy in visiting sites where you don't want your identity revealed for another time.

You only get locked out of a website if you delete your cookies while your email provider is down. How often does that happen?

This idea doesn't speed up the login process, but it accomplishes a few other useful things. The server doesn't store passwords, so a breach of the server doesn't compromise other services for which users had duplicate passwords. And users can't compromise their own accounts by choosing weak passwords. Both scenarios are commonplace.

To be fair, the user can still compromise all their accounts by choosing a weak password for their email account. It does reduce the onus on them from coming up with dozens of (hopefully) unique, strong passwords to one, which is certainly an improvement.

Valid points, especially the security issues.

What's the overlap of users who (a) have trouble with login forms and (b) leave their email open all the time (whether browser or dedicated app)? This relies on a very high level of comfort with email and context switching.

This could potentially introduce an increase in spam if users are now instructed to click on links in emails blindly as long as they match a site that they're familiar with.

Leaving one app/tab for another seems like bad UX to me. This doesn't seem any better than the OAuth dance, even if it uses a much more seemingly familiar mechanism.

This seems more ideal for mobile devices. Enter name -> email notification almost immediately and use that to log in. I personally think it would be easier and faster than attempting to enter a password using the on-screen keyboard.

On OpenRent [1] we're using the Google Identity Toolkit [2]. We're finding that in our current configuration it works extremely well, even for non technical users.

It offers password-less log-in, and also remembers your username/email client-side. The only issue is lack of support for facebook/twitter log in out of the box - but that is apparently in development.

It doesn't seem to be widely adopted, and that is possibly due to the reliance on Google servers it adds to your service. Whether that comes back to haunt us or not I don't know - but I have a backup system in place in case GITKit does stop working!

[1] - http://www.openrent.co.uk

[2] - https://developers.google.com/identity-toolkit/

Great site! Sadly I got an error trying to log in with Google.

Ouch - I don't seem to be able to reproduce it but we'll take a look. Do you mind emailing me on [redacted] to discuss?

Will do now :)

I honestly don't understand a lot of the comments in here. For starters, many websites (eg Twitter) require email confirmation for new signups and password resets. This is not so different, the UX related commentary is superficial at best. After the initial activation / a reset you're back to cookie based auth, just like most sites.

Second, there is not a single mention of the biggest problem with passwords currently: the apparent inability of many sites to store them securely. I'll take this method of authentication over a password based one any day for probably 90% of the sites I have an account with currently. Especially sites like HN (not implying insecure password storage on HN - just saying for any forum based sites, it's more than adequate IMHO).

Ben, I like where you're going but I think we need to go just a little bit further to make it viable. In particular, it's email that's the weak link (so to speak). But it's entirely possible and desirable to replace email with something that has emails positive qualities without it's drawbacks. I'm thinking a secure, realtime channel to which only you have access, and a notification system that let's you see (on all your devices) what got posted there. Anyone (or anything) in the world can post to it, and they are guaranteed that you'll get first crack at the data. (In this case the data is a one time URL).

What sort of thing represents a secure, real-time channel to which only you have access? Note that, unlike email, we are not interested in queueing messages in this channel. My first thought runs to a public URL, a place where anyone can post anything, and it will appear on all your devices (possibly within the browser).

So basically as long as you maintain credentials to access that channel, sites have a good way to give you a one-use login URL.

In an ideal world, you're browser would have a password protected private key and knowledge of what your personal URL is. All sites requiring login would ask the browser for that URL, and the site would send a one-time login URL to the channel URL, and the browser would be smart enough to just follow the link.

Bam, login nirvana.

OK, so i am going to go out on a limb here and assume that this WILL piss off a portion of your users.

That being said, can it work "halfway"? It seems the main benefit of this approach (from a UX standpoint, disregarding security etc.) would be to simplify things for people who always use one device and forget and reset their passwords all the time anyway.

What one could do is to simply reverse the prominence of the "enter password" and "reset password" steps of your login flow.

Enter your email, and get a big fat "Get Login Link" button below the field. Next to it is a small link that says "use password"

For most cases, I think the ideal is identity tied to the device/browser via an email address:


Exactly. As a developer I get back the email address of the user that has authenticated with the BrowserID server. That way it is easy to build a list of authorized users.

I suspect they will make a browser specific login workflow in which case you would not even need to be presented with a form asking you to auth as a user. Your browser would know your credentials already (which I guess is similar to login details autocomplete).

This is how Staticloud[1] works. You put in your email address and receive a log in link. You never have to register; registration and login are the same process.

[1] http://staticloud.com/

Yep this is the way to go the same in here:


Very interesting idea! Although I'm not sure that it would actually make it easier for users that don't do tabbed navigation (mom) to log from a second/public computer.

So, if elegant for power users, and 'not easier' for mom-users, should we implement it?

I agree that the UX isn't perfect, but neither is our current login/password system for every site. For me personally, if I don't use a site regularly my login process turns into: click forgot password link, check my email, reset the password, then login. Then again the next time I visit the site 3 months later. So if that's what we're going up against, the email to login session flow isn't too bad.

I remember being intrigued by Google's "Sesame" experiment (covered on HN at https://news.ycombinator.com/item?id=3469692) where they logged you in via a QR code processed via your mobile.

Relying on something you have (mobile phone with a trusted app on a trusted network) instead of something you know (passwords) can be an interesting choice. Ideally you'd require both (something you know and something you have), but we want to avoid passwords.

First things that come to my mind are privacy problems. This autocomplete would make it really easy to find out whether a person uses the service. (dating sites, porn sites, torrent sites, political sites,....). Additionally if the ologin happend only via the mail address, you could collect email addresses very easily from many websites.

Anyway, I like the idea of questioning the current way of user authentication!

There's always the argument that the register process leaks the same data. But having it appear in a dropdown makes it easier to incidentally see someone you might know.

I also felt login process should be simplified. I got two types of registration forms at my new website (www.survenator.com) - one is express where user only enters their email address and a highly secured password is email to them. Other is the complete registration form. Although the form is still kept very short. Users can change their passwords\other account information anytime.

Express registration may work for well for those who have hard time coming up with strong passwords or don't want to think about a password while doing another new registration. We started this feature as an experiment and will evolve\refine it based upon the usage.

Once the user confirms their account if they selected "remember me" checkbox then we don't require them to login, we just check for authentication cookie.

I do not agree with the author regarding his vision for "password reset tool feature to send the link in the email". Sometimes users want to take control of their password and do not want to remembered for security reasons.

I've been working on a demo of something similar. It's a work in progress, but I've got it running at http://nopassword.alexsmolen.com. Code at https://github.com/alsmola/nopassword.

Not only can you register and login with only and email, you can review and revoke your active sessions.

People who are complaining about the speed of email - the session could last indefinitely until you log out, which would reduce the number of times you had to perform the ceremony. Plus, think about the benefits of this when you need to authorize a TV, phone, etc. You can simply visit a link in your email instead of copying and pasting or typing in those form factors.

I'd also like to integrate SMS to support optional dual-factor authentication, which should get help fix the single point of trust problem.

Sending link to e-mail is exactly as dependent on third party as OAuth.

Non-power users (11 yo kids) maybe don't always have their inbox open/session active.

Best case scenario with one e-mail entry for multiple devices stand in conflict with link only being usable once.

Don't get me wrong, I think passwords are horrible but this post was just made in too much of a hurry.

Interesting topic!

Am I crazy in thinking that this whole problem should have been solved a long time ago by making password management a responsibility of the browser, either by baking it in or mediating the exchange?

Combined with a simple standard for credential exchange (get request to example.com/login to get the list of required fields, post to https://example.com/login to login. Or more likely, some existing standard that handles more cases and is already thought out) this whole annoying problem is no longer affecting every person who uses the web.

Is it too late for this? I feel that it probably would be very difficult to make this work now, it's too late and the browsers wouldn't go up against google and facebook who now want to own and track your identity.

That makes me sad, that kind of stagnation cuts off whole important areas of progress for web users.

Check out Mozilla Persona (used to be called BrowserID).


Yes, I remember that.

Ugly solution that didn't expose a UI for sites that didn't support it and still had plain username/password forms. So it's completely impossible to bootstrap this by making some of the features useful to browser users before it was widespread.

Needed a js library because it worked at the wrong level of abstraction and put browserid.org in the middle of the transaction for no sensible reason (well no sensible technical reason but a perfectly sensible political one).

This was not developed by someone thinking "how can we solve a problem our users have" but by someone thinking "it would be advantageous to be in the middle of login transactions and there is a user problem we could bolt that functionality on to".

The persona.org middleman is only used when your email provider doesn't support BrowserID. It is temporary.

It is useful to browser users today. You don't have to remember a new password for each site or become less secure by giving the same password out to multiple sites. I'm going to use it on the next site I build.

I should have been more clear. I don't like browserID because there is no route for this to become widespread except for "a significant portion of sites implement this".

You know that saying about any spam solution that begins with "well first we change email" is a stupid solution? Same issue here.

First you need a good password manager front and center in the browser. Then you start augmenting the experience by allowing better integration with the password manager through some standard. If the user already uses the functionality for every site and the experience is better on sites that implement the standard then you might actually see real amounts of integration.

As a web developer, I think that using BrowserID in its current state without browser support is better than implementing my own authentication. As a web user, I'd prefer to use BrowserID to sign up for sites than use individual authentication systems. A system that is better for developers and better for users has a clear path to adoption.

I agree. BrowserID is a good authentication solution.

It's not a solution to the problem we're talking about though, I'm complaining about a lack of solutions for easy credential management.

Once everyone implements it then sure, you only need to remember your email password. Unless you have multiple personas, then you'll have a bunch of passwords. And realistically there will be a lot of sites that have different systems or antiquated username/password forms.

So aren't we back were we started? I need a password manager and I'd like my browser to be aware of my password manager and help mediate. BrowserID would be a great place for it to send the appropriate password for sure.

I actually implemented a system very much like this on an internal company network recently. For that purpose, it worked great. I don't think it would work in an open, public context, not least because an attacker can force your site to spam its users. However, when you are going to stay logged in forever on basically the same devices, having an email-based login system without a password is no more pain for the user than a verification email (since that's all you're doing anyway). Essentially you're relying on the website to generate a local, device-specific, secure password instead of requiring the user to create and remember a (likely insecure) password themselves.

Why accounts should have anything to do with email or email address. It's bad policy and I hate it. We all know that email isn't secure. For many sites I would like to disable password recovery due these inherit security issues related to email. If you ever login to Gmail, after that you have always clear all cookies and cache data and possible super cookies. After that you would need to login (again) to email to uh oh, access other sites. Afaik this is super bad idea. Naturally you could save the link as bookmark, which would work. But security would still suck.

Apple should augment a single sign-in mechanism with a transparent 2nd factor embodied in the iPhone. This would result in your being automatically logged into any participating site while using Safari on the same LAN as your iPhone. The mechanism would fall back to the traditional password if you don't have the phone. Bluetooth could also be used to communicate to the hardware.

The hardware would only run signed Apple firmware and be separated from the CPU and most of the rest of the device, except for access to radios.

so how does it differentiate between me and my wife, on the same network?

In this scheme, you and your wife would have different phones. You might still have to put in your user name to the browser once at the start of the session, or log out your wife.

Google already does this with Chrome and Google websites.

I don't have to enter my second factor with credential or even my password when using Gmail from my phone, tablet, laptop or desktop.

At this point, I actively seek out Google account login options. It is so incredibly pleasant to use on Android.

Yes, but I'm not so sure that's really two-factor authentication.

Outside of transfering money, I think you should structure your site so that logins are not necessary. For example, if I wasn't the only "drcube" on Hacker News, I wouldn't be upset. Names in meat space aren't unique, why should we expect them to be on the web?

Next time you think about starting a web service (that doesn't handle money!), think about what you lose by getting rid of user accounts entirely. It probably isn't much.

> think about what you lose by getting rid of user accounts entirely. It probably isn't much.

This gets to the heart of identity! It often doesn't matter. For example, one could clone HN using anonymous accounts. You'd give up only karma and connection between messages. It would be, essentially, something like usenet where you have a choice to "brand" every message you send with an identity - or not. Let's call this "Broadcast Identity".

Then there is something else which is your "Legal Identity" and it's the one most closely associated with all things money. It's the one that you need to deal with financial obligation, going in both directions. When you buy something, you want it to come to you, not to some one else.

Interestingly, I don't think that targeted ads really care about the connection between Broadcast and Legal identity. This implies that, no, you probably won't lose much by losing user accounts.

Actually, I take that back. The one thing that sites want and need is a way to proactively contact you. Aha! I think I just stumbled on the real reason we keep logins around - to get the email address, so we can send newsletters, reminders, etc. To prod the user into using our service more. To remind them that we exist, to be obtrusive, because our value isn't intrinsically strong enough to remind them.

A way to streamline this even further might be to pair it with a browser extension designed to poll your inbox for these specific messages. When received, the extension could handle the login step, eliminating the need for the user to jump to their inbox for the validation email. I'm not sure if that kind of extension could be created so that it didn't compromise the security of your inbox.

I don't think it's the order of the elements, I think it's the combination of the elements and the process of entering them. See Ford's (yes Ford's) experiment for proximity based automatic login/logout with your phone.


I definitely find this topic interesting and have a hard time remembering all my passwords, but I'm not fan of this solution. Honestly, how isn't this just a worse implementation of OAuth? It seems equivalent to clicking a "login via gmail" button, except with more of a lag?

The main other difference I can see is that one button actually functions as "login via gmail, hotmail, yahoo mail, or any other countless email providers", and no work needs to happen on the email provider's end to make it work. Lots of people don't want to sign up for FB or Twitter, but basically everyone has an email account.

Here's an idea, if you allow me to choose From a list of users, then I'll continuously "spam" other users' inboxes with login link messages.

We could suggest that Facebook implement something like this. Seeing a login control containing 950MM names would be rather comical.

At a very high level, I like this idea. It would be great if there was browser support to super-persist the auth tokens (cookies) through cookie-clearing and also sync between browsers on machines -- most likely via a browser plugin.

So going from a "bad" login form with 6 controls to a "simpler" login where I now have to interact with the site's form, my browser, and my email client is somehow better?

This is just silly and a login form like this would drive me crazy

This means the second someone loses access to their email account, they lose access to every account on every system attached to it via this method. I'm not sure introducing a single point of failure is a good idea.

This is true already for pretty much every website that lets you recover password by email, and most allow this. Any that use a secret question wouldn't switch to this scheme anyway. It reduces the hassle, as if your email got compromised, and they change passwords to all your other accounts, you have to regain access one by one, changing passwords back and so on, when with this email system, you can just regain access to the email account and the rest are under your control again.

While True, isn't browserID piggybacking on this? Using your email as the "persona"? An accidental benefit would be any service that implanted this would be automatically two-factored for users who have a two-factor system enabled. I like the thought of that.

Sending people away from your website in order to access your website is bad UX.

Passwordless authentication done right is a subject in here, try to break the auth and let me know...


An invalid SSL cert is already broken auth.

I personally think this could work. The big show stopper occurs on a shared computer. It would be annoying to get logged out of a service daily and have to request a new email link to log back in.

Thinking of it for enterprise users it could really work.

Enterprise users seem to be on Outlook all the time checking their e-mails so this would work if you can't tie your passwords into AD/Exchange.

Maybe have an option to have a token that can be entered or a link clicked.

I get all my e-mails on my phone so if I received a code that I can enter in my phone that can work. I could also click a link in Outlook and be logged on.

Now if someone has my phone which is receiving my e-mails and they enter the e-mail on a website and receive the secure login we got a big problem. I don't know how to get around that.

Interesting discussion, but some flaws. I would think it requires some sort of 2-factor auth to save people whose e-mail addy is compromised.

Now if someone has my phone which is receiving my e-mails

At work we have a policy that smart phones are locked by a PIN. No PIN, no email.

This is not ideal: no mechanism to enforce 'good' PINs, force a user to change them on a regular basis.

Good point.

How about a page showing all the currently logged in sessions. Then you can log out ones that shouldn't have access.

Please, somebody figure out how to get us over the hump to the bright future day when we all have asymmetric keys embedded in hardware and we can leave passwords behind.

Please, somebody figure out that when you embed asymmetric keys in things, when people lose those things they'll get really angry


Please, somebody figure out that when you embed asymmetric keys in people's bodies, we'll end up with a lot of geeks with their hands hacked off with machetes.

"Hacker" would have a really different meaning then...



Guess what? Even worse usability.

I suspect the usability problems could be solved.

Will/Should never happen. Human != device, and it's the human we want to identify to personnalize the service.

I have a text document on my computer that lists all the websites/programs with username/password. I also use autocomplete (which IMO is basically the same as having a document with all passwords.) I can have unique passwords for every single website without relying on a third party cloud solution. And for the passwords I use often, I have them memorized anyway.

If something is compromised (which has happened) then I have a list of every single site where I have an account, and can change the passwords.

A side benefit to this is if someone needs to access something (most likely while traveling, or if I'm dead) all the information is there for them.

What if the thing that is compromised is the computer with the text file?

How is your solution better than a third-party cloud solution?

One obvious benefit is that you aren't trusting anyone else with your passwords.

Reputable password sites can't unencrypt your passwords. You trust the site to not have XSS flaws and to not be malicious. Outside of banking and email passwords, that doesn't seem like a huge risk.

The problem with "solutions" like these is that they start with faulty premise that "passwords are broken". This particular idea sounds like death by a million cuts.

Read this article from a few years ago http://www.uie.com/articles/three_hund_million_button/

It is titled "The $300 million button" and details actual user experience at an ecommerce site. Note how many users even know what email address they used, how many got the password right, daily password resets etc.

That article indicts registering to purchase and has almost nothing to do with the password topic in question. Can you imagine having to wait for a login email every time you tried to make a purchase? Ugh!!

I don't want people knowing what services I signed up for even if mainstream. Anytime you leak any user info you potentially weaken security.

This could really work well paired with an phone app that gets notifications instead. I use a VPN system that works like that.

having the user select field list all users is not so bad, but the email a login link is a terrible idea, this is a break is workflow worse than a password.

Even most incompetent users like my mum save their password into the browser keychain so it ends up bring only a single click anyway.

Things like browserID are solving this far more simply.

and you still need a password to access your email account. let's assume you are at a friends place and want to login somewhere...you have to grab your phone to get your secure webmail password, login on gmail/etc. click the link. a real timesaver...

What happens when multiple people use a device? Like iPad or family computer?

So what happens when someone's email account is compromised?

Currently there's a fair chance that the victim can reset passwords and change contact info for their online services before the hacker bothers to do so. But this would be impossible if email were used as the sole form of authentication.

The same thing that happens now. Malicious user can recover/reset their password.

I'd assume that if you used the email to login and since the article talks about also using cookies with expiry dates in the future the codes in emails would be single use.

What if someone forgets the password of email system? :)

This exact system was just on the front page last week.

Just use BrowserID.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact