This would drive me up the wall. I don't want to have to sit in my mail client, waiting for it to pull down the message that may-or-may-not have arrived at my mail host yet, when it's incredibly easy to use a password manager for everything without having to leave my browser. He bemoans the number of controls you need to interact with to log in, but to get to log in with his method, I need to put in my email address (or take the time to find it in the list), interact with whatever control submits the form, switch to my email client (at least 1 control, probably more), refresh it to get the most recent messages (perhaps more than once), open the message, click the link, go back and close the window I used to start the login process in the first place, then switch back to the window with the app in it. Seems far more complex.
I don't buy his premise, either; he claims you need to interact with "6 different controls" to log in to Facebook, but (a) you only interact with 4 of them and (b) that's only the first time you log in from that computer. He's trying to solve a problem I have never experienced. I'm curious to see if others have felt overwhelmed by the number of controls on login forms; this is a problem I've never had.
The idea here is you only need to log in on a device once (or as often as you delete all your cookies). After that the site would remember you, so there really wouldn't be that much waiting on emails to arrive.
Definitely not something I would want for my bank account, but who cares for logging on to a support forum or some other trivial account.
First thing I thought too. The email validation step, in my opinion, is the most annoying part of signing up for any site. I often log in places on devices where I don't have access to my email, so this requirement would completely keep me off your site.
Someone needs a history of internet mail. It was never designed to operate in real time or be fast, whereas people expect logins to be fairly quick.
Also, using an email backchannel and one time keys moves the security from an encrypted connection (assuming SSL) to an unencrypted SMTP connection anyone can view...
Back in the good old days of UUCP you might wait a day or two to get mail from across the globe...
Who really cares what it was designed to do? The fact is, almost the entire userbase is going to receive that email before they can switch tabs to their email inbox. So even though it wasn't designed to be immediate, it is in practice, and we have a whole list of technologies that we use despite intent (HTTP wasn't designed to be stateful, and yet we use it as such constantly).
Mail transmitting is only sometimes encrypted, which is disappointing, but I've yet to hear of an instance where a user account was compromised when the forgotten password link was hijacked by listening to the wire between two mail servers. If it really is a problem, this could also be mitigated easily by only allowing the link to work on the browser that initiated the request.
Frankly, though, I'd love it if this system were implemented if for no other reason than to encourage mail servers to enable TLS on their SMTP backend.
The logic behind this system isn't terrible. But as others have pointed out, it still relies solely on a third party. And while it's true that exposing the entire user list would not give an attacker much in the way gaining access, it's still a leak of trackable information. I think a more secure solution would be to model an authentication standard after public/private key encryption. If all browsers would endorse it, the interface would be remarkably simple.
Present the end-user with a certificate management dialog when they open a browser for the first time. That would allow them to either browse for an existing certificate or create a new one. After one is created they're given a copy which could be used in any other browser at a later time. From that point on, each time a Web server requires authentication it could be handled behind the scenes. No log on page, no passwords, no user names; only aliases and a push button start. Signing up would become a one click affair, as well. Press the button, and the browser sends the public key to the Web server. A site gets hacked? Big deal, there are no vulnerable hashes -- only public keys. You would never be required to remember anything more than backing up your certificate. Worried about recovery? Do what you would do with SSH. Pop the cert on a thumb drive and hide it. Hell, even create a feature in that management dialog to do it for you.
This of course would require a large standards body and the involvement of every major browser company. But in the end, it would be easier.
I had to read this article twice to make sure I was understanding it right. I honestly see zero benefit in this approach. It does not speed up the login process at all. The only thing it accomplishes is not requiring the user to remember a password. Additionally, it puts way too much power in the hands of random email servers. What if my email system at the office goes down for a few hours. Am I locked out of all websites too?
I do agree with his point that memorizing passwords can get cumbersome, especially with different sets of rules for different logins. However, the majority of people store their passwords in their everyday browser or just stay logged in indefinitely.
The real solution to "doing away with passwords" lies in recognition technology on devices. What if my keyboard could recognize my identity and pass that along to authorized sites as login credentials? What if my iPhone could do the same? I'll defer the argument of privacy in visiting sites where you don't want your identity revealed for another time.
You only get locked out of a website if you delete your cookies while your email provider is down. How often does that happen?
This idea doesn't speed up the login process, but it accomplishes a few other useful things. The server doesn't store passwords, so a breach of the server doesn't compromise other services for which users had duplicate passwords. And users can't compromise their own accounts by choosing weak passwords. Both scenarios are commonplace.
What's the overlap of users who (a) have trouble with login forms and (b) leave their email open all the time (whether browser or dedicated app)? This relies on a very high level of comfort with email and context switching.
This could potentially introduce an increase in spam if users are now instructed to click on links in emails blindly as long as they match a site that they're familiar with.
Leaving one app/tab for another seems like bad UX to me. This doesn't seem any better than the OAuth dance, even if it uses a much more seemingly familiar mechanism.
This seems more ideal for mobile devices. Enter name -> email notification almost immediately and use that to log in. I personally think it would be easier and faster than attempting to enter a password using the on-screen keyboard.
On OpenRent [1] we're using the Google Identity Toolkit [2]. We're finding that in our current configuration it works extremely well, even for non technical users.
It offers password-less log-in, and also remembers your username/email client-side. The only issue is lack of support for facebook/twitter log in out of the box - but that is apparently in development.
It doesn't seem to be widely adopted, and that is possibly due to the reliance on Google servers it adds to your service. Whether that comes back to haunt us or not I don't know - but I have a backup system in place in case GITKit does stop working!
I honestly don't understand a lot of the comments in here. For starters, many websites (eg Twitter) require email confirmation for new signups and password resets. This is not so different, the UX related commentary is superficial at best. After the initial activation / a reset you're back to cookie based auth, just like most sites.
Second, there is not a single mention of the biggest problem with passwords currently: the apparent inability of many sites to store them securely. I'll take this method of authentication over a password based one any day for probably 90% of the sites I have an account with currently. Especially sites like HN (not implying insecure password storage on HN - just saying for any forum based sites, it's more than adequate IMHO).
Ben, I like where you're going but I think we need to go just a little bit further to make it viable. In particular, it's email that's the weak link (so to speak). But it's entirely possible and desirable to replace email with something that has emails positive qualities without it's drawbacks. I'm thinking a secure, realtime channel to which only you have access, and a notification system that let's you see (on all your devices) what got posted there. Anyone (or anything) in the world can post to it, and they are guaranteed that you'll get first crack at the data. (In this case the data is a one time URL).
What sort of thing represents a secure, real-time channel to which only you have access? Note that, unlike email, we are not interested in queueing messages in this channel. My first thought runs to a public URL, a place where anyone can post anything, and it will appear on all your devices (possibly within the browser).
So basically as long as you maintain credentials to access that channel, sites have a good way to give you a one-use login URL.
In an ideal world, you're browser would have a password protected private key and knowledge of what your personal URL is. All sites requiring login would ask the browser for that URL, and the site would send a one-time login URL to the channel URL, and the browser would be smart enough to just follow the link.
OK, so i am going to go out on a limb here and assume that this WILL piss off a portion of your users.
That being said, can it work "halfway"? It seems the main benefit of this approach (from a UX standpoint, disregarding security etc.) would be to simplify things for people who always use one device and forget and reset their passwords all the time anyway.
What one could do is to simply reverse the prominence of the "enter password" and "reset password" steps of your login flow.
Enter your email, and get a big fat "Get Login Link" button below the field. Next to it is a small link that says "use password"
Exactly. As a developer I get back the email address of the user that has authenticated with the BrowserID server. That way it is easy to build a list of authorized users.
I suspect they will make a browser specific login workflow in which case you would not even need to be presented with a form asking you to auth as a user. Your browser would know your credentials already (which I guess is similar to login details autocomplete).
This is how Staticloud[1] works. You put in your email address and receive a log in link. You never have to register; registration and login are the same process.
Very interesting idea! Although I'm not sure that it would actually make it easier for users that don't do tabbed navigation (mom) to log from a second/public computer.
So, if elegant for power users, and 'not easier' for mom-users, should we implement it?
I remember being intrigued by Google's "Sesame" experiment (covered on HN at https://news.ycombinator.com/item?id=3469692) where they logged you in via a QR code processed via your mobile.
Relying on something you have (mobile phone with a trusted app on a trusted network) instead of something you know (passwords) can be an interesting choice. Ideally you'd require both (something you know and something you have), but we want to avoid passwords.
First things that come to my mind are privacy problems. This autocomplete would make it really easy to find out whether a person uses the service. (dating sites, porn sites, torrent sites, political sites,....). Additionally if the ologin happend only via the mail address, you could collect email addresses very easily from many websites.
Anyway, I like the idea of questioning the current way of user authentication!
There's always the argument that the register process leaks the same data. But having it appear in a dropdown makes it easier to incidentally see someone you might know.
I also felt login process should be simplified. I got two types of registration forms at my new website
(www.survenator.com) - one is express where user only enters their email address and a highly secured password is email to them. Other is the complete registration form. Although the form is still kept very short. Users can change their passwords\other account information anytime.
Express registration may work for well for those who have hard time coming up with strong passwords or don't want to think about a password while doing another new registration.
We started this feature as an experiment and will evolve\refine it based upon the usage.
Once the user confirms their account if they selected "remember me" checkbox then we don't require them to login, we just check for authentication cookie.
I do not agree with the author regarding his vision for "password reset tool feature to send the link in the email". Sometimes users want to take control of their password and do not want to remembered for security reasons.
Not only can you register and login with only and email, you can review and revoke your active sessions.
People who are complaining about the speed of email - the session could last indefinitely until you log out, which would reduce the number of times you had to perform the ceremony. Plus, think about the benefits of this when you need to authorize a TV, phone, etc. You can simply visit a link in your email instead of copying and pasting or typing in those form factors.
I'd also like to integrate SMS to support optional dual-factor authentication, which should get help fix the single point of trust problem.
Am I crazy in thinking that this whole problem should have been solved a long time ago by making password management a responsibility of the browser, either by baking it in or mediating the exchange?
Combined with a simple standard for credential exchange (get request to example.com/login to get the list of required fields, post to https://example.com/login to login. Or more likely, some existing standard that handles more cases and is already thought out) this whole annoying problem is no longer affecting every person who uses the web.
Is it too late for this? I feel that it probably would be very difficult to make this work now, it's too late and the browsers wouldn't go up against google and facebook who now want to own and track your identity.
That makes me sad, that kind of stagnation cuts off whole important areas of progress for web users.
I actually implemented a system very much like this on an internal company network recently. For that purpose, it worked great. I don't think it would work in an open, public context, not least because an attacker can force your site to spam its users. However, when you are going to stay logged in forever on basically the same devices, having an email-based login system without a password is no more pain for the user than a verification email (since that's all you're doing anyway). Essentially you're relying on the website to generate a local, device-specific, secure password instead of requiring the user to create and remember a (likely insecure) password themselves.
Why accounts should have anything to do with email or email address. It's bad policy and I hate it. We all know that email isn't secure. For many sites I would like to disable password recovery due these inherit security issues related to email. If you ever login to Gmail, after that you have always clear all cookies and cache data and possible super cookies. After that you would need to login (again) to email to uh oh, access other sites. Afaik this is super bad idea. Naturally you could save the link as bookmark, which would work. But security would still suck.
Apple should augment a single sign-in mechanism with a transparent 2nd factor embodied in the iPhone. This would result in your being automatically logged into any participating site while using Safari on the same LAN as your iPhone. The mechanism would fall back to the traditional password if you don't have the phone. Bluetooth could also be used to communicate to the hardware.
The hardware would only run signed Apple firmware and be separated from the CPU and most of the rest of the device, except for access to radios.
[+] [-] haldean|13 years ago|reply
I don't buy his premise, either; he claims you need to interact with "6 different controls" to log in to Facebook, but (a) you only interact with 4 of them and (b) that's only the first time you log in from that computer. He's trying to solve a problem I have never experienced. I'm curious to see if others have felt overwhelmed by the number of controls on login forms; this is a problem I've never had.
[+] [-] jobu|13 years ago|reply
Definitely not something I would want for my bank account, but who cares for logging on to a support forum or some other trivial account.
[+] [-] w33ble|13 years ago|reply
[+] [-] andrewflnr|13 years ago|reply
[+] [-] zdw|13 years ago|reply
Also, using an email backchannel and one time keys moves the security from an encrypted connection (assuming SSL) to an unencrypted SMTP connection anyone can view...
Back in the good old days of UUCP you might wait a day or two to get mail from across the globe...
[+] [-] lgbr|13 years ago|reply
Mail transmitting is only sometimes encrypted, which is disappointing, but I've yet to hear of an instance where a user account was compromised when the forgotten password link was hijacked by listening to the wire between two mail servers. If it really is a problem, this could also be mitigated easily by only allowing the link to work on the browser that initiated the request.
Frankly, though, I'd love it if this system were implemented if for no other reason than to encourage mail servers to enable TLS on their SMTP backend.
[+] [-] masimpson|13 years ago|reply
Present the end-user with a certificate management dialog when they open a browser for the first time. That would allow them to either browse for an existing certificate or create a new one. After one is created they're given a copy which could be used in any other browser at a later time. From that point on, each time a Web server requires authentication it could be handled behind the scenes. No log on page, no passwords, no user names; only aliases and a push button start. Signing up would become a one click affair, as well. Press the button, and the browser sends the public key to the Web server. A site gets hacked? Big deal, there are no vulnerable hashes -- only public keys. You would never be required to remember anything more than backing up your certificate. Worried about recovery? Do what you would do with SSH. Pop the cert on a thumb drive and hide it. Hell, even create a feature in that management dialog to do it for you.
This of course would require a large standards body and the involvement of every major browser company. But in the end, it would be easier.
[+] [-] jsmcallister|13 years ago|reply
I do agree with his point that memorizing passwords can get cumbersome, especially with different sets of rules for different logins. However, the majority of people store their passwords in their everyday browser or just stay logged in indefinitely.
The real solution to "doing away with passwords" lies in recognition technology on devices. What if my keyboard could recognize my identity and pass that along to authorized sites as login credentials? What if my iPhone could do the same? I'll defer the argument of privacy in visiting sites where you don't want your identity revealed for another time.
[+] [-] bluesnowmonkey|13 years ago|reply
This idea doesn't speed up the login process, but it accomplishes a few other useful things. The server doesn't store passwords, so a breach of the server doesn't compromise other services for which users had duplicate passwords. And users can't compromise their own accounts by choosing weak passwords. Both scenarios are commonplace.
[+] [-] crcsmnky|13 years ago|reply
This could potentially introduce an increase in spam if users are now instructed to click on links in emails blindly as long as they match a site that they're familiar with.
Leaving one app/tab for another seems like bad UX to me. This doesn't seem any better than the OAuth dance, even if it uses a much more seemingly familiar mechanism.
[+] [-] Nav_Panel|13 years ago|reply
[+] [-] dazbradbury|13 years ago|reply
It offers password-less log-in, and also remembers your username/email client-side. The only issue is lack of support for facebook/twitter log in out of the box - but that is apparently in development.
It doesn't seem to be widely adopted, and that is possibly due to the reliance on Google servers it adds to your service. Whether that comes back to haunt us or not I don't know - but I have a backup system in place in case GITKit does stop working!
[1] - http://www.openrent.co.uk
[2] - https://developers.google.com/identity-toolkit/
[+] [-] richardburton|13 years ago|reply
[+] [-] sturadnidge|13 years ago|reply
Second, there is not a single mention of the biggest problem with passwords currently: the apparent inability of many sites to store them securely. I'll take this method of authentication over a password based one any day for probably 90% of the sites I have an account with currently. Especially sites like HN (not implying insecure password storage on HN - just saying for any forum based sites, it's more than adequate IMHO).
[+] [-] javajosh|13 years ago|reply
What sort of thing represents a secure, real-time channel to which only you have access? Note that, unlike email, we are not interested in queueing messages in this channel. My first thought runs to a public URL, a place where anyone can post anything, and it will appear on all your devices (possibly within the browser).
So basically as long as you maintain credentials to access that channel, sites have a good way to give you a one-use login URL.
In an ideal world, you're browser would have a password protected private key and knowledge of what your personal URL is. All sites requiring login would ask the browser for that URL, and the site would send a one-time login URL to the channel URL, and the browser would be smart enough to just follow the link.
Bam, login nirvana.
[+] [-] woah|13 years ago|reply
That being said, can it work "halfway"? It seems the main benefit of this approach (from a UX standpoint, disregarding security etc.) would be to simplify things for people who always use one device and forget and reset their passwords all the time anyway.
What one could do is to simply reverse the prominence of the "enter password" and "reset password" steps of your login flow.
Enter your email, and get a big fat "Get Login Link" button below the field. Next to it is a small link that says "use password"
[+] [-] carsongross|13 years ago|reply
https://login.persona.org/
[+] [-] agilebyte|13 years ago|reply
I suspect they will make a browser specific login workflow in which case you would not even need to be presented with a form asking you to auth as a user. Your browser would know your credentials already (which I guess is similar to login details autocomplete).
[+] [-] MatthewPhillips|13 years ago|reply
[1] http://staticloud.com/
[+] [-] renas|13 years ago|reply
http://news.ycombinator.com/item?id=4291856
[+] [-] swah|13 years ago|reply
So, if elegant for power users, and 'not easier' for mom-users, should we implement it?
[+] [-] fooooobar|13 years ago|reply
[deleted]
[+] [-] lorewarden|13 years ago|reply
Relying on something you have (mobile phone with a trusted app on a trusted network) instead of something you know (passwords) can be an interesting choice. Ideally you'd require both (something you know and something you have), but we want to avoid passwords.
[+] [-] sirwitti|13 years ago|reply
Anyway, I like the idea of questioning the current way of user authentication!
[+] [-] ajanuary|13 years ago|reply
[+] [-] mandeepj|13 years ago|reply
Express registration may work for well for those who have hard time coming up with strong passwords or don't want to think about a password while doing another new registration. We started this feature as an experiment and will evolve\refine it based upon the usage.
Once the user confirms their account if they selected "remember me" checkbox then we don't require them to login, we just check for authentication cookie.
I do not agree with the author regarding his vision for "password reset tool feature to send the link in the email". Sometimes users want to take control of their password and do not want to remembered for security reasons.
[+] [-] maxlemons|13 years ago|reply
Not only can you register and login with only and email, you can review and revoke your active sessions.
People who are complaining about the speed of email - the session could last indefinitely until you log out, which would reduce the number of times you had to perform the ceremony. Plus, think about the benefits of this when you need to authorize a TV, phone, etc. You can simply visit a link in your email instead of copying and pasting or typing in those form factors.
I'd also like to integrate SMS to support optional dual-factor authentication, which should get help fix the single point of trust problem.
[+] [-] mollstam|13 years ago|reply
Non-power users (11 yo kids) maybe don't always have their inbox open/session active.
Best case scenario with one e-mail entry for multiple devices stand in conflict with link only being usable once.
Don't get me wrong, I think passwords are horrible but this post was just made in too much of a hurry.
Interesting topic!
[+] [-] freshhawk|13 years ago|reply
Combined with a simple standard for credential exchange (get request to example.com/login to get the list of required fields, post to https://example.com/login to login. Or more likely, some existing standard that handles more cases and is already thought out) this whole annoying problem is no longer affecting every person who uses the web.
Is it too late for this? I feel that it probably would be very difficult to make this work now, it's too late and the browsers wouldn't go up against google and facebook who now want to own and track your identity.
That makes me sad, that kind of stagnation cuts off whole important areas of progress for web users.
[+] [-] superkarn|13 years ago|reply
https://login.persona.org/about
[+] [-] IceCreamYou|13 years ago|reply
[+] [-] Sami_Lehtinen|13 years ago|reply
[+] [-] stcredzero|13 years ago|reply
The hardware would only run signed Apple firmware and be separated from the CPU and most of the rest of the device, except for access to radios.
[+] [-] leviathan|13 years ago|reply
[+] [-] drivebyacct2|13 years ago|reply
I don't have to enter my second factor with credential or even my password when using Gmail from my phone, tablet, laptop or desktop.