
The state of logins is horrendous. With each site having its own rules for passwords, it can be very hard to remember what variation you used on any given site. Logins are pure pain. One thing I love about Craigslist is that it did away with logins altogether. I know this design may not suit every site, but there's something to their design that beckons to be repeated.

OpenID is great on sites that have adopted it, but it's still not standard.

Would it be feasible/wise to use an email address as a login and provide no password? The site would send a short-term key directly to your email address. You click on the link and you're in. When you're done, you "logout" and your key is terminated.

I've toyed with this idea before. What concerns (i.e. spammers, bots, etc.) would make this impractical or unsafe and could they be overcome?

Mario
  • In my opinion, I would rather have something to remind me of my passwords rather than having to access anytime I want to log into a website. With many logins to do, it would take ages :( – Sep 06 '12 at 22:46
  • Similar ideas have been studied. See [SAW](http://www.itr-rescue.org/pubs/upload/836_van%20der%20Horst2008.pdf). – mikeazo Sep 07 '12 at 13:21
  • Security should be provided at the cost of simplicity. If it is going to take ten minutes for just a single login (giving the email id, and going back to your account and clicking to log in) then it is not the best thing to do anyway, even if it gives you an extra sense of security! – Ebenezar John Paul Nov 12 '13 at 05:13
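The flow described in the question (email address in, short-lived key mailed out, click to log in, logout terminates the key), written up as an added example that is not part of the original question or any of the answers. It is an in-memory Python sketch: the `outbox` list stands in for an SMTP sender, `https://example.test/login` is a hypothetical site URL, and the link lifetime, session lifetime and per-address rate limit are assumed policy values. It shows the safeguards the bare description leaves out: the token has 256 bits of entropy so it cannot be brute-forced, only a hash of it is stored, it is consumed on first use, it expires, and logout revokes the session server-side rather than merely dropping a cookie.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Policy values are assumptions for this example, not from the original post.
LINK_TTL = 15 * 60             # seconds a mailed login link stays redeemable
SESSION_TTL = 12 * 60 * 60     # seconds a session lives after the click
REQUEST_WINDOW = 10 * 60       # rate-limit window per email address
MAX_REQUESTS_PER_WINDOW = 3    # link requests allowed per address per window


@dataclass
class PendingLink:
    email: str
    expires_at: float


@dataclass
class Session:
    email: str
    expires_at: float


def token_from_link(url: str) -> str:
    """Pull the token back out of a mailed link, as the browser does on click."""
    return parse_qs(urlparse(url).query)["token"][0]


class MagicLinkAuth:
    """Email-only login: request a link, click it, get a session, log out."""

    def __init__(self, base_url: str = "https://example.test/login", now=time.time):
        self.base_url = base_url      # hypothetical site URL
        self.now = now                # injectable clock so expiry can be tested
        self.pending = {}             # sha256(token) -> PendingLink
        self.sessions = {}            # session id -> Session
        self.request_log = {}         # email -> recent request timestamps
        self.outbox = []              # (email, link) pairs; stands in for SMTP

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash of the token is stored: a leaked copy of this table
        # cannot be turned back into working login links, and looking the
        # digest up in a dict leaks no useful timing about the token itself.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_link(self, email: str) -> bool:
        """Step 1: the user enters an address; we mail it a single-use link."""
        t = self.now()
        recent = [s for s in self.request_log.get(email, []) if t - s < REQUEST_WINDOW]
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            return False              # throttle mail-bombing of one address
        recent.append(t)
        self.request_log[email] = recent
        token = secrets.token_urlsafe(32)   # 256 bits of entropy; guessing is hopeless
        self.pending[self._digest(token)] = PendingLink(email, t + LINK_TTL)
        self.outbox.append((email, f"{self.base_url}?token={token}"))
        return True

    def redeem(self, token: str) -> Optional[str]:
        """Step 2: the link is clicked; trade the token for a session id."""
        # pop() makes the token single-use: a second click, or someone who read
        # the mail in transit after the user already used it, gets nothing.
        link = self.pending.pop(self._digest(token), None)
        if link is None or self.now() > link.expires_at:
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = Session(link.email, self.now() + SESSION_TTL)
        return session_id

    def user_for(self, session_id: str) -> Optional[str]:
        """Who is logged in under this session id, if anyone."""
        s = self.sessions.get(session_id)
        if s is None:
            return None
        if self.now() > s.expires_at:
            del self.sessions[session_id]
            return None
        return s.email

    def logout(self, session_id: str) -> bool:
        """Step 3: logout terminates the session on the server, not just the cookie."""
        return self.sessions.pop(session_id, None) is not None


if __name__ == "__main__":
    auth = MagicLinkAuth()
    auth.request_link("alice@example.test")
    _, link = auth.outbox[-1]                  # this would land in Alice's inbox
    sid = auth.redeem(token_from_link(link))
    print("logged in as:", auth.user_for(sid))
    print("second click still works?", auth.redeem(token_from_link(link)) is not None)
    auth.logout(sid)
    print("after logout:", auth.user_for(sid))
```

Note what this does and does not cover. The short lifetime and single-use check limit the damage from a link read in transit, and the hash-at-rest means a database leak does not hand out logins, but nothing here fixes the root of trust: whoever controls the inbox controls the account, so the site's security is exactly the email provider's security plus the user's email password.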

4 Answers


This idea has been covered on the following questions:

  • If I include a Forgot Password service, then what's the point of using a password? discusses sending a link by email, as the way to authenticate you. It discusses some improvements, such as how to avoid requiring the user to wait for email to arrive and click a link every time they want to log in. It also discusses some challenges, such as the reliance upon the user's email provider and the user's email password.

  • How to implement non-password authentication in a web site discusses, more generally, ways to authenticate the user without using a password. It discusses the use of persistent cookies to remember the user, so they only have to log in once on any particular computer, and then there is no need to enter a password again on subsequent visits. This is a great way to authenticate users and reduce the need to type in passwords. It can also be combined nicely with email-based authentication, as is discussed in the answers there.

So, read the answers on those questions. I think you'll find that they already cover the sort of ground you were thinking of. Enjoy!

D.W.

Interesting idea, just a few immediate concerns...

  • Emails being delayed or not being able to access your email (on a public machine) could prevent the user from logging in.

  • Emails are not secure. They are transmitted in plain text. Temporary passwords sent via email are usually only used for first time sign-ups which are then required to be changed immediately on first login. Basing your entire authentication system on this method really opens you up for being hacked... every login is sent via email.

  • I don't think you'd realistically be able to store any personal information with the account, which presumably would otherwise be associated with the email address (the id).

  • "Hhmmm, which email address did I use with this site?" - back to the problem of remembering which password. Although this might not be a problem if it is a casual login and you are not storing any (personal) information in the account (as mentioned above). Although presumably you would want to authenticate returning visitors somehow?

MrWhite

With each site having its own rules for passwords, it can be very hard to remember what variation you used on any given site.

I disagree. It's important to pick a strong password to start, and it should work on any site. It is also a bad idea in general to use the same password and email on multiple sites. (From experience, I Googled my email address once, and found that someone had posted the logins for 10k people from one site I visited. I was indeed using the same password on two other sites at the time. Luckily, none were broken into.)

OpenID is great on sites that have adopted it, but it's still not standard.

That's what time is for. More sites will adopt some sort of system similar to this. Especially with the rapidly evolving web technologies, and social media, it will become a standard. Just wait.


What concerns (i.e. spammers, bots, etc.) would make this impractical or unsafe?

You would really need to implement some sort of delay, perhaps one second, between when someone can log in (prevent bruteforcing).

Is it doable?

Anything is doable. You would have to code this yourself, just like any normal login form.


In all, there are so many other reasons NOT to have email-only authentication.

  1. Email addresses are public. Couldn't you use your friend's email address on the site and hope he also is a member? That's almost like leaving a box of explosives in the center of your town on a bench.
  2. What happens if someone changes/cancels their email address? Do they need to register a new account?
  3. Password hashes and salts are stored for user security (encryption of data by salt?) Using an email address is like leaving the keys in your ignition with the windows down.

Please, don't make the internet any more of a dangerous place.

  • *"Email addresses are public. Couldn't you use your friend's email address on the site and hope he also is a member?"* - I think you have misunderstood the proposal. The proposal was that a link would be sent to the email address you entered. You can enter your friend's email address (or your enemy's email address), but since you don't have access to their inbox, you won't be able to click the link and you won't be able to log into the website as them. – D.W. Sep 08 '12 at 05:44

In lieu of using LastPass and similar services, this actually sounds like a pretty good idea, though I'd couple generating a strong password (for future logins) in the e-mail sent to the user as part of the post-registration process -- if only to lower the barrier of entry. At the very least you'll be able to prove that the user isn't a bot (expire / remove accounts that haven't verified via the link to do so in their e-mail after 48 hours or less) and transfer more accurate moderation afterwards to a human(s).

So, in short, I think it's definitely feasible though it could place some additional strain on after-registration validation and moderation.

stealthyninja