History of Email-Only Auth

A new-ish idea since 2012

Intertwined problems: security and usability.

Passwords are inherently a point of fragility. They are a natural target to attack. Only strong passwords resist attack. Most passwords are weak.

Usability problems lead to weak passwords. The string of characters that goes into a password is intentionally hostile. It is like bristling razor wire or war paint. But with passwords, unlike physical defenses, the grimace faces back on its wearer as well as forward to the would-be attacker. The more difficult a password is to attack, the more difficult it is to wield.

Attack is uncertain. It may never come. If it comes, even a weak password may be good enough — how can the bearer really know until they have a problem? If the attack is successful, it may not cause discomfort for the victim. If it causes discomfort, the victim can deal with it then. A strong password is YAGNI: You Aren’t Gonna Need It.

Better to wait, because prevention causes immediate pain on every sign-in and every account creation. Remembering a unique secure password is not possible. Looking them up on paper or in a file is a burden. Why bother, if an account holder can easily alleviate the burden by entering an insecure password?

It‘s a cycle: users solve usability problems by sacrificing security, and developers solve security problems by sacrificing usability. Passwordless systems break the cycle.

Login & Passwords (Luke Wroblewski, January 30, 2012):

Despite being nearly ubiquitous online, username and password login screens are wrought with usability and security issues. The average person has between 7 and 25 accounts that they log into every day. People report authenticating about 15 times in a typical work day on average. 86% of U.S. companies use password authentication. 70% of people do not use a unique password for each Web site.

Is it time for password-less login? (Ben Brown, Jul 25, 2012):

No more secrets. I think an even better solution would be to remove the password completely, allowing users to login with only an email address. Each time a user needs to login, they enter their email address and receive a login link via email.

Anecdotal evidence of production implementation (LaunchRock, per Ben Brown, Jul 29, 2012):

I saw an implementation of a similar login system already in practice at LaunchRock.com. To create an account and get started, all you need to do is enter an email address. Once you do, you’re logged in and ready to go. You’re only required to set a password — via a password reset tool — if you somehow get logged out.

(When I tried out the LaunchRock account creation page today, May 13, 2014, password was a required field).

github.com/alsmola/nopassword (Alex Smolen, June 30, 2013):

NoPassword is a simple authentication and session engine that removes the need for passwords. Instead, it uses tokens sent to an email address, similar to most forgot password functionality. These tokens created long-lived sessions that can be tracked and revoked easily.

Passwordless Products (Andrew Benton, January 28, 2014):

if password reuse is valuable to attackers, but getting people to stop is difficult and adoption of password tools is slow, perhaps there is an alternative solution staring us straight in the face. Do away with passwords. Maybe we don’t need them. Instead of letting users choose passwords, we could authenticate users by giving them short-lived one-time-use tokens delivered over a secure channel that they control.

Let’s Boycott Passwords (Justin Balthrop, January 29, 2014):

For most websites, the only time you even need to know your password is when you log in for the first time on a new device. So what do you do in that case? That’s what the “Forgot your password?” link is for. You’re not even lying, you did forget your password, on purpose. Clicking this link sends you an email with a temporary URL that lets you reset your password; enter a new random string for this password, and remember it only long enough to log in on the new device. Using this strategy, there is only one password you actually need to remember: your email password.

Passwords Are Obsolete (Justin Balthrop, April 12, 2014):

Passwords are obsolete because of email and SMS. Specifically, the ability to send an email or SMS to users reliably and quickly. In theory, we’ve had that ability for a long time. And with the rise of services like Twilio for SMS and Mandrill for emails, it’s incredibly easy.

What did I miss? I’m happy to add items — just post a comment here.

Show your support

Clapping shows how much you appreciated Lucas Gonze’s story.