> <i>Claim: If someone has access to email account, then they can login.</i><p>> <i>Rebuttal: This is possible in a password-ful login setup via the forgot password flow. Sometimes there are additional “security questions” but this is typically easily found information.</i><p>The difference here is that if/when someone uses their (unauthorized) access to my e-mail account to reset the password for this service, I will notice the next time I attempt to log in.<p>In an ideal world, one could <i>prevent</i> another from gaining access to an account, service, etc. When you can't prevent something, the next best thing is <i>detection</i>. Here, you've just removed the ability for a user to detect that their account is compromised -- and worse, you're trying to spin it like it's a good thing.<p>Also, greylisting.<p>Also, what if I wanted to log in to my account from my phone or a mobile device? I choose not to receive e-mail on my phone (only alerts/notifications) and I'm certainly not the only one.<p>It sounds like someone pitched this idea at a meeting ("Hey, I know! No passwords!") and the next 10 minutes was spent rationalizing all its problems away before declaring it as the one true solution.
Con: Greylisting.<p>My primary email uses greylisting to combat spam. This means that if we receive a mail from an unfamiliar mail server, it's getting an error message saying the mail can not be delivered at the moment, and to come back later. Properly configured servers try again several minutes later. Spam bots seldom try again, so it works well.<p>I can see how greylisting and tokens that expire quickly can be a problem. Particularly if you have multiple servers for outgoing mails, so that the second mail attempt may come from another IP than the first.
> You can't leak passwords if you don't store passwords.<p>That's exactly why you only store password hashes in the DB. Come on, this is a solved problem!<p>> Pro: less implementation effort<p>Sure. But how much of your app's total dev effort is it? Nothing.<p>I hate the UX of having to log in by email.
This implementation is just skipping the charade that passwords are where the security happens.<p>With almost all current systems the place security really needs to happen is at the email provider. If you can hijack/intercept a users email or hack their account then it's game over with a password anyway, thanks to password resets being (almost) universally done over that channel.<p>There's an argument that this is no bad thing as security focused email providers could potentially provide very secure access as part of their core business (unlike a startup just trying to get going).<p>But there's still something bugging me about this implementation I can't put my finger on.
I built (essentially) this a few weeks back, for an iOS app. Currently trying to get Apple's App Review team to agree it's a good idea.<p>Apple has UI in App Store submission that lets you provide App Review with a demo account username/password combo, but only that.<p>So to highlight another drawback: sometimes being able to share login credentials is a feature. Part of me thinks this ought not to be the case, and I hope I will be able to stick with password-less login.
Is it really necessary that the email link is clicked on the same device or to use a typeable token? Clicking the link on any device is enough to confirm to the server that the login attempt should be granted access. The server can then send and authentication token to the browser where the user is logging in.<p>The downsides I can think of in that case are an attacker attempting to log in at the same time, or -- more generally -- a user thoughtlessly clicking the link when an attacker is trying to log in.<p>The first problem can be addressed by displaying a second readable token on the login screen which the user should verify is present in the email before they click the link. That is how banks and other high security systems do it here in Norway now when you select authentication via mobile, except they use some sort of mobile communication tied to the sim card instead of email. You get a popup on your phone containing two random words from a dictionary. You confirm that the words match what the browser is currently displaying and then tap "OK".<p>The second problem can probably be reduced by short token timeouts and using appropriate language in the email to emphasize the implication of clicking the link uncritically.
cons: If the customers email service goes down, then their access goes down.
If your email service goes down, then the service goes down for everyone.
If a major email provider is compromised, then a bunch of your accounts can be compromised.
All public server-to-server email communication takes place over port 25, unsecurred clear text. That seems like a poor choice for anything security related in 2017.<p>If anything we should be removing insecure protocols like email, telephone and SMS from the authentication chain rather than relying on them even more heavily than we already do.<p>I hate to suggest it but authentication via something like WhatsApp might be more secure.
An interesting idea for a few reasons.<p>Users don't have to remember passwords, which is a strong benefit, but the user's security is now dependent on the security of their mail provider, or their own security practices in relation to the use of that mail provider, and in all likeliness their smart device.<p>With the ubiquity of smart devices, this works from a UX point of view and could be really streamlined, but I wonder how much the meme at the top of the article is actually betraying - this is the service provider not wanting to be responsible for your security in relation to their service.<p>I'm not suggesting that this is unreasonable per se, but the ultimate evolution of this model looks like it could (potentially dangerously) increase the value of a smaller surface area (the smart device) and put a fairly huge onus on the end user understanding and being responsible for their security.<p>And whilst that seems ostensibly ok, we already <i>know</i> that the weakest link in security is the end user...so this could be putting all your eggs in one basket.
Password-less login is a bit of a weird naming. I'd call it one-time passwords. And then I'd maybe not use email, since this clutters the inbox. Instead something like Google Authenticator or SMS passwords would be a good solution, the latter maybe being a bit expensive for the service provider.
You can easily leak whether someone has an account on your website -- if I know their email address and input it, does it basically tell me? This limits your ability to reasonably error if the email address inputted is wrong.<p>Still, a lot of "forgot password" forms seem to be subject to this, too.<p>Also, you can only have one account per-email -- a disadvantage for some types of service, but admittedly probably a good thing for most.
Loosely related. Why doesn't my web browser speak IMAP? If I could just enter my IMAP details into my browser settings, then it could silently IDLE on my Inbox, and inform my currently open <a href="http://example.com/" rel="nofollow">http://example.com/</a> tabs when it receives email from an @example.com address.<p>You'd need to stick it behind a "This website wishes to be notified about email you receive from it" prompt.<p>But then you'd be able to do all sorts of clever stuff, including streamlining email validation checks and password resets.<p>Everybody has email. You could create a "Login with Email" function really easily on your website, and it would work for even more users than the "Login with Facebook" option.
>Claim: With this setup, I can’t login easily with my LastPass, 1Password, etc browser extension.
>Rebuttal: This is a legitimate claim but it’s equally plausible to use an email integrated browser extension.<p>You could do that, but since this isn't a very common login scheme, these might not exist/be popular yet. Also, some of us use password managers that aren't browser integrated, and that further reduces the chance of me having a decent workflow for logging in to the site.
I'm glad to see this idea gaining traction. Passwords are a lazy solution that is often not needed. This type of login is ideal for websites and services that I might use less than 4 times a year.<p>I usually log into such services by doing a password reset every time I visit their service, and this technique at least removes the risk of password leaking.
For WordPress:<p><a href="https://wordpress.org/plugins/passwordless-login/" rel="nofollow">https://wordpress.org/plugins/passwordless-login/</a>
>Con: If database is compromised and passwords are reused across sites, then attackers might be able to access more sites<p>Never heard of hashing or TLS/SRP?