Stop abusing password-less sign-in

Tech Blog
Jan 16, 2018

Passwords are hard to memorize. It is no wonder password-less sign-in has gained much popularity among web and app developers. However, a lax implementation will leave your users’ private account data potentially exposed.

What is password-less sign-in?

A typical password-less sign-in flow works like this:

  1. User visits a website and enters their email address.
  2. The site generates a unique https URL containing a one-time authentication token as a query parameter and emails it to the user.
  3. User opens the email and clicks on the URL.
  4. User is logged in to the site.

For example, medium.com implements password-less sign-in.

Sign-in email from medium.com

Note the URL expires after a short time (15 minutes in this case) and can only be used once. One reason it is invalidated after first use is that URLs (even with https) are recorded in web server logs when the user clicks on them, so the URL is no longer a secret. One reason for the short expiration time is that email transmission is not always secure: the URL can be eavesdropped if the transmission between the two email providers was not encrypted. IMO, Medium.com did a good job balancing ease of login with user security.

Password-less sign-in implemented wrong

Recently I was hired by a company where the HR department uses Greenhouse.io’s recruiting and new hire onboarding software. The HR department requires all new hires to enter personal info (SSN, birthday, address, etc.) into Greenhouse prior to their first day of work. This eliminates manual effort to import new hire data into internal systems.

The week before my start date, I received a welcome email from no-reply@mail.onboarding.greenhouse.io titled “Welcome to the Team”. The email contains a link which I am supposed to follow to complete my personal profile. The link is a sendgrid.net link which redirects to greenhouse.io. When I clicked on the link, it showed all the private data I had entered previously at Greenhouse (SSN, birthday, address, etc.).

I tried that link on my friend’s computer, and voilà, it showed all my private data. I also tested the same link a few days later and to my surprise the link kept working. Obviously, the link doesn’t seem to expire.

That is concerning. The password-less sign-in link may be logged at multiple systems outside of Greenhouse’s control:

  1. My email provider could be recording all the outbound links (e.g. for spam/phishing detection).
  2. The browser could send text entered in the URL field to search engines (for auto-complete, indexing etc).
  3. SendGrid (the link-tracking redirect) and any analytics/tracking services used along the way.
  4. The computer the user is using may be shared. The browser history saves the password-less URL which can be accessed by another user of the computer.

Anyone with access to the above will have access to my data. :(

Conclusion

Some best practices to follow when implementing password-less sign-in:

  1. The password-less sign-in token embedded in the URL must be invalidated upon first use.
  2. The password-less sign-in link should expire after a short time (e.g. a few minutes).
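
The two rules above in working form, as an added example that is not Medium’s or Greenhouse’s code: an issuer/verifier that makes each link single-use and short-lived, and that stores only a hash of the token so a copied database does not hand out live links. The example.test URL, the in-memory store and the injectable clock are assumptions for the demo.

```python
import hashlib
import secrets
import time

# Short lifetime, matching the 15-minute expiry described for medium.com above.
TOKEN_TTL_SECONDS = 15 * 60


class MagicLinkStore:
    """In-memory issuer/verifier for single-use, short-lived sign-in tokens.

    Only a SHA-256 digest of each token is kept, so someone who obtains a
    copy of this store still cannot construct a working sign-in URL.
    A clock function is injected so expiry can be exercised in tests.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # token digest -> (email, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create a fresh token for `email` and return the link to mail out."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (email, expires_at)
        # Hypothetical sign-in endpoint; the raw token never touches the store.
        return "https://example.test/signin?token=" + token

    def redeem(self, token):
        """Return the email the token was issued for, or None if it is unknown,
        already used, or expired. The token is consumed on every call, so a
        link recorded in a log or browser history cannot be replayed."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None  # removed above, so a late retry is rejected too
        return email

    def purge_expired(self):
        """Drop expired entries so the store does not grow without bound."""
        now = self._clock()
        self._pending = {d: e for d, e in self._pending.items() if e[1] >= now}
        return len(self._pending)
```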

Password-less email sign-in should not be used for any site storing sensitive data (e.g. financial data) simply because email is not secure. A motivated attacker could access the link before you. When security is high priority, password-based sign-in is still the only viable secure solution in town.
