Identify with email
No need for passwords
There have been many proposed solutions to the problem of keeping passwords, from physical lists, via password manager apps, by way of OpenID and OAuth to using Facebook or Twitter for all logins.
But they all have their issues. They are hard to use. Passwords get out of sync between devices. Sites leak password. Apps crash. And believe it or not, some people do not use, like, or trust Facebook or Twitter.
There has to be an easier way. And there is:
- Visit a site.
- Enter your email address, press ‘Log In’.
- Visit your email client.
- Click the link in the email you just received.
- You’re logged in.
Deceptively simple. In step 2. your browser gets a cookie set. In step 4. the server verifies this short-lived cookie.
That’s all there is to it. You basically delegate to your email provider to act as a identity provider. An added bonus is that you have a complete trail when you logged in and where. You can extend this to having an explicit ‘Log Out’ also send an email.
Apart from trusting a single email provider I cannot see any direct problem with this idea. It would tremendously simplify for services. They now need not implement any cryptography.
With multiple email addresses, you can decide which email address you use for which service, and spread risk between multiple email providers, should that be a concern.