I just came across this:
https://blog.webmaker.org/one-less-password
Basically a technique for eliminating passwords as the primary authentication mechanism for connecting to a website by replacing it with your mobile device.
In the technical sense is this a more secure system or does it increase vulnerability because it now centralizes the location access is granted via (ie loose you mobile device and now access to your accounts is protected by a 4 digit pin).
I commend their effort to make the internet a safer and easier place to navigate.
The centralization risk is no different than with any other password manager in that if the password vault is compromised, it's all compromised. In this case, the physical device acting as the vault, and the handshake being mostly automated.
One-factor authentication is no more or less secure than existing methods in itself because the password itself is not the main weakness; The flavor of the moment in security circles is man-in-the-middle.
Adding two factor authentication, in use by Google products like Gmail, Outlook online, or RSA tokens was another layer of security, but here's an example of where e-mail account access was gained without the actual e-mail account. https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd. Once your e-mail is hacked, your other accounts are wide open.
So unless "one-less-password" addresses the entire stack, it's only providing a possible attack vector that is more or less an exercise in the same scope.
-Password enforcement, complexity
-encryption algorithm
-social engineering
-OS,browser hardening
-payment standards (PCI)
To really consider the ramifications of this, you will need to consider the adoption and spread of such technology before determining how much it will increase or decrease vulnerability. Right now, what it does, is send an E-mail message to the registered E-mail address of the account, (or in many cases, the E-mail address is the account name... which is another interesting issue altogether...) and the user then uses the one-time authentication link to gain access to the resource.
Some issues that I can see:
People will use the same E-mail address for their authentication. Right now, it seems convenient. It's simple, understandable, easy, and might reduce your password load. However, how often are people going to go create ANOTHER E-mail address? Almost never.
Widespread adoption shifts responsibility
This is something obscene really, in my opinion. So you send a message to an E-mail account that cannot use E-mail based authentication (or if it does, it has to terminate somewhere where there is an alternate form of authentication), and force the E-mail provider to carry the burden of authenticating your users for you. Brilliant. Let's just make THEM (competitors) carry the hashed and salted password databases and use their databases for authenticating our users. Don't you STILL need a password to access the resource? Yes. It's gotta end somewhere.
I don't like it. At all.
It's going to be less secure as it gains adoption because it focuses the point of failure. It may even be less secure now, because you have all of your eggs in one basket, and don't even have the benefit of compartmentalized damage. Not good.
