So this is essentially delegating authentication to the user's Email service. Delegating authentication seems like a good idea: fewer passwords to forget and more conveniene. So why not delegate to a proper authentication service like OpenID?
(Seriously, that's a question: Why don't more people use OpenID? Is there something wrong with it?)
> So this is essentially delegating authentication to the user's Email service. Delegating authentication seems like a good idea: fewer passwords to forget and more conveniene. So why not delegate to a proper authentication service like OpenID?
Because the user is more likely to have email than OpenID, so delegating to an option of one or the other is more complex, and delegating to only the latter is limiting your market.
But either way the user has to sign up to something. When you delegate to Email you still have to initially create an account with the site's specialised authentication system. You'd just replace that process with creating an OpenID account.
But yeah, I guess saying "now go to this 3rd party website and create an OpenID account" is pretty ugly. I wonder if it's possible to have your own "sign up" page that's a proxy for creating an OpenID with a 3rd party provider?
Mozilla Persona [0] is a similar system that IMO would work quite well, but unfortunately there is very little adoption. It's kind of weird and sad to think about quality/usability of software versus the adoption of said software.
There was an interesting discussion of the problems of Persona here https://news.ycombinator.com/item?id=7243141
(this is kind of in the middle of a conversation but has the first post by Saurik which is the interesting bit)
OpenID is basically a permanent man-in-the-middle. It's otherwise great, so long as you don't mind your OpenID identity provider knowing about every site/service you use, and every time you choose to use them. Persona is a big step forward in that regard, but neither get around the fact that, in most cases, users are going to be entrusting control over a bunch of their accounts to a third party.
OpenID Connect is what you'd want to support, not OpenID 2.0. Google, probably the largest OpenID provider, is shutting down OpenID 2.0 support altogether in a year, and has turned off access to new clients as of this month. Thus, issue 1: access to your app is suddenly reliant on a third party, who can at any point decide to turn that access off.
Issue 2: tech-phobic people don't trust OpenID, OAuth, etc. I'm working with a client who wanted "single sign on" with a tolerated competitor in the same space (nonprofit, don't ask); that competitor's tech guy advocated for OpenID, and OpenID became a hard requirement. The problem: the client's membership fought tooth and nail throughout alpha & beta rollouts (change is scary. are we giving google/yahoo our information? we don't understand it. we're not a bank, why do we need tighter authentication? etc) and it was eventually scrapped in favor of a traditional login.
Although they say it is a "one time password" which is smart, email is still assumed to be not secure. Like for example, you wouldn't want to send your SSN through email because servers along the way can possibly sniff it. So, while it seems safe in most situations to do this, I feel that it probably isn't 100% safe but maybe good enough for most people.
What is the risk though? If someone did steal your one time link and get into the app could you somehow prevent them from continuing to access it? And what could they do in the app -- change your address and buy stuff on your credit card and send it to themselves? Feels like there is just some tiny level of risk here that probably wouldn't happen... but I wouldn't feel completely safe with this.
The way I see it, every single app that uses email for password resets (usually by emailing a link, sometimes a code) already relies on the security of email.
Even if you have the most secure password in the world, if an attacker compromises your email account, they can simply send a password reset email. It's the weakest link.
A friend of mine has been very passionate about the idea of getting rid of passwords and built a proof of concept version of this a few months ago [0]. He also gave a very good talk about it at a JavaScript meet up [1].
Yeah, it's assuming your email provider has very strong security. If you're using gmail, yahoo, ms or any reputable provider, it probably is pretty secure.
I've always thought waiting for a damn registration email was the worst part of the typical sign-up process. Not sure this saves much user frustration.
Drop the email field altogether and you might have something refreshing.
I think this is a positive move. My gmail for instance is one of the better-protected services I use: I have a ludicrous password and 2FA. The reset options only include dialling my mobile (not voicemail) or emailing another account (which isn't otherwise associated with me to anyone who knows me), which is also protected by a strong password.
Why not allow Apps to not use passwords in this case?
In addition (for me) the app would be on my mobile, which is passcode protected (and fingerprint). Beyond that security you have full access to my email anyway, so what's any additional app password going to provide?
since you need the device (which you're presumably steeling) AND the passcode for it, does this make it 2FA? I think I've read Apple claim as much in a Data Protection document, but I wonder whether you can really count the device you're trying to log in TO as one of the Factors?
I have a question. Why not SMS? Is it because sending an SMS globally is more of a hassle then sending email? Or that with email we assume the entire channel has some protection layer to it, where as in SMS the security is due to the fact that we're using an entirely different channel? Simply intercepting an SMS (if you actually manage to do that) won't be enough as you would also need the username. In the email approach, don't most places use your email as a username??
I am just talking generally, not specific to this app
I don't know who started this, but I've noticed recently after installing Slack app on Android that they went the same way. I found it very convenient. After all anyone can reset my password using email so why bother creating it all? Just send me the auth token as link in email. The app registers itself to open on such link and it works nicely.
I like the idea. It's essentially SFA, Single Factor Authentication, opposed to MFA, but chose the "what you have" aka an email factor rather than "what you know" aka a password.
From a compliance standpoint (ignoring security feature), would this be allowed?
From a security standpoint, not sure this is any better/worse than social login or receiving an SMS. Most of the time you have all these portals (including email) already authenticated so it doesn't really make a difference which you use. The nicety is that you can basically track your logins through email which is pretty neat.
From a usability standpoint, I feel like an SMS would make more sense? I turn off push notifications for email because I receive too many, but I'd be able to read the number from the text and type it in right away (assuming that you'd use standard MFA tokens). Maybe the difference is more between using a 6-digit PIN instead of a link than the source it's received.
"Why do you need people's name and email? The above screenshot looks like an APP. You already have a way to reach them: in-app notifications. And why do you need their name until they purchase something?"
But ironically, the resulting page said "Please enter correct password. Spam free wordpress." LOL
As for name and email -- Shop It To Me is not just an app but also a website and email service and so we need a way to link them all together. If we did not have an email and the member lost their phone, they'd lose their account forever.
> You already have a way to reach them: in-app notifications.
People have to opt-in to in-app notifications. If they press no intentionally or accidentally, recovery is far, far more difficult. Email is much easier and more controllable than notifications.
> Email is much easier and more controllable than notifications.
True, but not for the user. I would much rather accept notifications than type in my email address. I avoid the risk of getting spammed, don't need to decide what email to use, don't need to decide if I trust the developer. And with app notifications, the ability to unsubscribe is much more consistent and reliable.
I don't think this is a great solution for highly sensitive information like banking - most people have lots of different devices that receive their email and just one "weak" link could give malicious access.
That being said, for sites this that are more concerned with "verification" than "authentication" this seems like a viable approach.
It seems not much less secure than a system that lets you reset your password simply by clicking a link in an email (which is to say, most password-based systems on the web). Either way, once you have access to the email account, you can authenticate.
To me, this just seems a little silly. I can't imagine how difficult it will be to maintain a persistent, user-friendly account with this method. An emailed link every time a user wants to log in? Just plain silly.
Passwords are still widely used, and for good reason. I partially accept your point of passwords not being very secure, but why not just spend some time implementing a 2FA login method, instead of this?
Well, bye bye users.
Greylisting is so common these days - emails don't arrive straight way. Who wants to wait 5 minutes (assuming your mailserver tries that often on a greylist) to login to an app?
Appreciate what they're trying to do, but I think this is a bad idea.
edit: As tootie points out, it would be possible to use a "whitelisted" company.
This can be mitigated by paying a mass mailing company that's on all the whitelists. Of course, the makes it sort of a racket, but at least it's an option.
I havent followed too closely the state of secure email delivery, but I would guess that even today a huge percentage of people both send and receive email in clear text over easily intercepted links.
this option only makes sense if email delivery can be guaranteed to be secure, and the recipient has non-password-based (two factor) auth.
Well, currently almost all password resets work over email. If you can read my email, you can reset all passwords for my bank accounts, shopping site accounts, etc. this solution is no worse than others.
Unless I'm misunderstanding something, if someone has access to my email they can just login right?
That doesn't sound very safe. Does this use some form of OTP that's passed via a special URL that only works with the mobile app? If so that sounds better than what I'm thinking.
Well, that's true of most services, right? If they have access to your email, they can just click the 'reset password' link on a site and use the resulting email link to log in.
> if someone has access to my email they can just login right?
The article says that it's a one-time link, so I assume that means that the same link can't be used twice. If someone had access to my email, they'd have to use that link before me, which is a very small window of time (submitting the form in the app and then opening an email, ~15 seconds tops).
Or, you know, just request a new login link, use it and delete the email. If they are fast enough you won't even notice the notification on your phone.
me too.. it's more likely to be a token that's cookied and sent over SSL per api request. Same token that would get generated if they auth'ed via password.
I agree that on a mobile device you should only have to log in once and be remembered forever (if someone compromises your phone, you have bigger issues), but I think that requiring a password (or OAuth, etc) on a non-mobile experience is a pretty good idea.
Couldn't a secret URL with unique id be generated the first time you use a website that requires login (bookmarks would preserve passwords)? I guess you could make it long enough to prevent over-the-shoulder attacks and of course you would need HTTPS.
Wouldnt the unique identifier or Auth token be the password? Sure it is more convenient for the User not having to remember there password, but it is not necessarily more secure.
(Seriously, that's a question: Why don't more people use OpenID? Is there something wrong with it?)
http://openid.net/get-an-openid/what-is-openid/