Why would I want to go through the hassle of requesting a new non-password to be sent to my email, wait to receive my non-password, and then log in using that non-password every single time I want to log in? I will happily let my web browser remember my password, or store it in a password manager if it needs to be secured.
Plenty, both in terms of security and UX:<p>1.) It's less secure (unless the email is encrypted, which in most cases it is not).<p>2.) If you use GMail with several accounts and POP3 you'll have to wait until GMail sees fit to fetch the email.<p>3.) Password managers provide both a superior UX and superior security. So, by all means at least provide a password-based login as an alternative (which admittedly defeats the purpose for the operator to have a less complex authentication system to worry about).
As a consumer of services, it's not more convenient for me than clicking the LastPass (or your password manager of choice) icon and filling in the login form.<p>Plus, I imagine some people may have multiple email accounts, and would have to hunt through them to figure out which one they used to sign up with.<p>(Similar to my problem with StackOverflow; I can <i>never</i> remember which identity provider I used to sign up with them, and end up just clicking on all of them in order until one lets me in. For all I know, I might have multiple accounts.)
That's just the "forgot password" system, minus the convenient option of entering a password instead of waiting... and waiting... and waiting... and checking your spam folder... and waiting some more... for the email with the auth code to arrive. Not actually an advantage, in my eyes.
While passwords are still my preferred method, I was trying to think about ways to incorporate a passwordless system.<p>I like the method that Slack has. While they offer the old method of logging in with a password, their other method is to send your email a link and then once that link is clicked, they set a cookie indefinitely.<p>The other way is once a user registers for an account, they get an email to log in, but before they can log in, they have to enter in their phone number, so from then on out, every time they enter in their email, they will get sent a text message and simply have to enter in a code.<p>It is still not technically passwordless, but it certainly is a unique method to have people log in.<p>No matter how far we come though, the username and password seem to still be our best method of knowing WHO YOU ARE and verifying the account belongs to you.
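The "send a link, click it, get a long-lived cookie" flow described in the comment above, written out as an added example. This is not Slack's code or anything from the thread; the in-memory store, the 15-minute lifetime, the cookie attributes and all function names are assumptions chosen to show the security properties a practitioner would check for: an unguessable token, only its hash at rest, an expiry, and single use.

```python
import hashlib
import secrets
import time

# Added example of an email "magic link" login. The store, TTL, URL host and
# cookie lifetime below are assumptions for illustration, not a real service.

TOKEN_TTL_SECONDS = 15 * 60          # assumed lifetime of an unused link
SESSION_MAX_AGE = 10 * 365 * 24 * 3600  # "indefinite" cookie, as described above

# Stand-in for a database table: sha256(token) -> (email, expiry timestamp).
# Only the hash is stored, so a leaked table does not yield usable links.
_pending = {}


def _hash_token(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_magic_link(email, now=None):
    """Create a single-use login token for `email` and return the URL to mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    _pending[_hash_token(token)] = (email, now + TOKEN_TTL_SECONDS)
    # Placeholder host; a real deployment would use its own HTTPS origin.
    return "https://example.invalid/login?token=" + token


def redeem_magic_link(token, now=None):
    """Return the email the link was issued for, or None if it is invalid.

    The record is removed on the first presentation whatever the outcome, so
    a link copied out of a mailbox cannot be replayed after the real click,
    and an expired link is not silently left lying around.
    """
    now = time.time() if now is None else now
    record = _pending.pop(_hash_token(token), None)
    if record is None:
        return None                    # unknown, already used, or forged
    email, expires_at = record
    if now > expires_at:
        return None                    # link outlived its TTL
    return email


def session_cookie_header(session_id):
    """Set-Cookie value for the long-lived session issued after a valid click.

    Flags are the ones a reviewer would expect: not readable by scripts,
    HTTPS only, and not sent on cross-site navigations.
    """
    return ("session=%s; Path=/; Max-Age=%d; Secure; HttpOnly; SameSite=Lax"
            % (session_id, SESSION_MAX_AGE))


if __name__ == "__main__":
    url = issue_magic_link("alice@example.test")
    tok = url.split("token=", 1)[1]
    print(redeem_magic_link(tok))      # alice@example.test
    print(redeem_magic_link(tok))      # None: single use
```

The token itself never touches the database, and lookup is by the hash of whatever the caller presents, so there is no secret-dependent comparison to make constant-time. The remaining weakness is exactly the one the thread keeps returning to: anyone who can read the mailbox during those fifteen minutes can log in.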
I think OAuth logins are a nice compromise. "Login with Google / Facebook / ..." with one click works well!<p>Unfortunately, some sites use it to just get your email address, and <i>still</i> require you to make a password for them, which defeats the purpose and decreases user trust in the benefits of going through the flow.
> Type your email -- receive the code -- fill in the code<p>Many services actually do support this. It's under "Forgot Password..." link when signing in ;-)
Email deliverability is not necessarily 100%. Also there can be latencies here and there that can lead to user frustration (for example greylist strategies).<p>One alternative for password-less is to use Google Authenticator code as the password (i.e. send the QR code once by email and from then on use the Google Authenticator code), but I'm not sure if the low entropy (1/1000000th chance of guessing the right password) would be enough for brute force attacks.
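The comment above asks whether a six-digit authenticator code has enough entropy to stand alone against brute force. As an added example (not from the thread, and not Google's code), the block below implements the standard TOTP algorithm the authenticator app uses (RFC 6238 over HOTP, RFC 4226), a verifier with a per-account failure counter, and the arithmetic for the attacker's odds. The lockout threshold, the ±1 step window and the account names are assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Added example: TOTP as a stand-alone "password", with the rate limiting
# that actually decides whether 10^6 possible codes is enough.

STEP_SECONDS = 30       # RFC 6238 default time step
DIGITS = 6              # what authenticator apps display
MAX_FAILURES = 5        # assumed lockout threshold per account


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time // step), digits)


class TotpVerifier:
    """Accepts codes for the current step and `window` steps either side,
    and locks an account after `max_failures` wrong guesses."""

    def __init__(self, secret, window=1, max_failures=MAX_FAILURES):
        self.secret = secret
        self.window = window
        self.max_failures = max_failures
        self.failures = {}          # account -> consecutive wrong guesses

    def verify(self, account, code, at_time):
        if self.failures.get(account, 0) >= self.max_failures:
            return False            # locked out; even the right code fails
        # Reject anything that is not exactly `DIGITS` ASCII digits before
        # comparing, so compare_digest never sees non-ASCII input.
        if not (len(code) == DIGITS and code.isascii() and code.isdigit()):
            self._fail(account)
            return False
        step = int(at_time // STEP_SECONDS)
        for drift in range(-self.window, self.window + 1):
            expected = hotp(self.secret, step + drift)
            if hmac.compare_digest(expected, code):
                self.failures[account] = 0
                return True
        self._fail(account)
        return False

    def _fail(self, account):
        self.failures[account] = self.failures.get(account, 0) + 1


def brute_force_success_probability(attempts, digits=DIGITS, window=1):
    """Chance that `attempts` random guesses include an accepted code.

    With a drift window, 2*window+1 codes are valid at once, so each guess
    succeeds with probability (2*window+1)/10**digits."""
    accepted = 2 * window + 1
    p_miss = 1.0 - accepted / float(10 ** digits)
    return 1.0 - p_miss ** attempts


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 shared test secret, not a real key.
    secret = b"12345678901234567890"
    print(totp(secret, 59))                                   # 287082
    print(brute_force_success_probability(10 ** 6))           # ~0.95, no limit
    print(brute_force_success_probability(MAX_FAILURES * 2880))  # one day at 5/step
```

The arithmetic is what answers the comment's question: with no rate limit an attacker who can submit a million guesses has about a 95% chance (three codes valid per window), while five failed attempts per 30-second step caps a full day of guessing at roughly 4%. The code's entropy does not change; the verifier's policy is what makes it survivable.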
Consider the three most common authentication factors:<p>* Something you know<p>* Something you have<p>* Something you are<p>A conventional password-based login implements "something you know" (i.e. your password). A password-less login implements "something you have" (e.g. email access). That doesn't make it more secure, it's just substituting one authentication factor for another. One could argue that it's more convenient but that's subjective since people that use password lockers might actually find it less convenient.<p>An argument against password-less logins might be that they should be implementing multi-factor authentication in the first place. Password-less login is by nature not at least two-factor authentication. Even if you have two-factor authentication enabled for your email, it will still just be "something you have" because someone that gains access to your PC or phone will probably have access to your email as well. The easiest second factor to add into the mix is "something you know" (e.g. a password) and now you're back to conventional two-factor authentication practices.
It is a cultural problem. I think the "younger" users don't use e-mail as much as they do other forms of "Internet" e.g. Facebook for authentication. Otherwise, I'm loath to give out my e-mail address because of spamming and data-collection.
Greylisting[0] would still be a problem. Signup is exactly the situation where this would be both most likely and most inconvenient.<p>[0] <a href="https://en.wikipedia.org/wiki/Greylisting" rel="nofollow">https://en.wikipedia.org/wiki/Greylisting</a>
I would think, because that's a nightmare versus both social login and my browser remembering both username and password..?<p>That's way too many steps, and takes too long since many times email takes a while to get fetched, especially on mobile.
The main issue with passwords is that non-technical users tend to reuse the same password, which is a serious security risk. This is, in my opinion, the best reason to use a passwordless login. A better solution would be, when the user creates his/her account or resets his/her password, to generate a random password, instead of letting the user choose a password. I'm curious about this approach. Has anyone tried something similar?
I don't like those "login with Google / Facebook / etc", nor that "Type your email -- receive the code -- fill in the code". OpenID would be better I think. You can design it to use something other than a password for authentication if you want to; it means the authentication system can be independent from whatever you log in to.
It's exchanging one authentication factor (something you know) with another (something you have), while negatively impacting UX (by adding email UX issues) and not adding meaningful security.