1. enter e-mail address<p>2. go to e-mail<p>3. refresh<p>4. refresh<p>5. count to ten... refresh again<p>6. maybe it's in my spam folder?.. no...<p>7. final refresh<p>8. give up in disgust<p><i>minutes pass</i><p>9. e-mail finally arrives in inbox; delete it<p>----<p>I effectively use this method to log in to Amazon (I have a habit of always changing my Amazon password to something so secure I can't remember it for more than a minute at a time), and it makes me less likely to log in (I want to add this book to my wishlist, but I have to log in first? Maybe I won't bother then).<p>To be fair Amazon password reset e-mails are <i>usually</i> in my inbox by the time I switch to my e-mail, but some sites are slower.
It's a clever idea but I would think it would be frustratingly slow to log in via email. I wouldn't be surprised if it took 20 seconds or more to complete the entire transaction -- that is a long time for a relatively simple operation.
Add in an "auth-request" header onto the email, have a plugin for your mail client that looks for the header - and if found hides the mail and does the auth in the background for you - and you then have seamless integration (thanks to <a href="http://news.ycombinator.com/user?id=wlll" rel="nofollow">http://news.ycombinator.com/user?id=wlll</a>)
One of my clients has so many web-based requests that he asked me to build a better system, and this system is basically what I came up with.<p>A visitor wants to use one of our request forms so he enters his email address and clicks Submit. The next page says "Check your inbox, spam and junk mail boxes for the email we just sent you, then click the link to complete our request form."<p>Nearly all of them click the link. SPAM and bogus requests have dropped to zero.<p>Once in a while we get a complaint stating that they never received the confirmation email, but we know they were all sent because we BCC copies to a special gmail account for archival purposes.<p>The client is happy.<p>No, this is not a login system but I'm going to implement it on my new website as a login system because it is MUCH simpler than dealing with passwords ... and there is far less resistance to this system than some of you seem to be complaining about.<p>The fact is, people really dislike dealing with passwords and this system gets rid of them.
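The two comments above describe the same core mechanism from different angles: the site mails a link carrying a one-time token, and following that link (by hand, or via a mail-client plugin keyed on a custom header) completes the login. The block below is an added illustration of how such a token flow is typically implemented; it is not code from any commenter, site or project in this thread. The header name `X-Auth-Request`, the 15-minute lifetime, the base URL and the in-memory table standing in for a database are all assumptions made here. The security-relevant choices it shows are the ones a practitioner would check for: a token with 256 bits of randomness, only a hash of the token stored server-side, a short expiry, strict single use, and an https base URL so the token is not exposed on the wire.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from email.message import EmailMessage
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a link is valid for 15 minutes


@dataclass
class PendingLogin:
    email: str
    expires_at: float


class MagicLinkAuth:
    """Issue and redeem single-use, time-limited e-mail login links.

    Only the SHA-256 of each token is stored, so a leaked table does not
    yield usable links. A token is consumed on first use, valid or not.
    """

    def __init__(self, base_url, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        # The link carries the token as a query parameter, so the site must be
        # served over TLS; a plain http:// link hands the token to any MITM.
        if not base_url.startswith("https://"):
            raise ValueError("login links must use https")
        self.base_url = base_url.rstrip("/")
        self.ttl = ttl
        self.clock = clock  # injectable for testing expiry
        self._pending = {}  # token hash -> PendingLogin (stand-in for a DB table)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create a fresh token for this address and return the login URL."""
        token = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits
        self._pending[self._hash(token)] = PendingLogin(
            email=email, expires_at=self.clock() + self.ttl
        )
        return f"{self.base_url}/login/verify?token={token}"

    def redeem(self, token):
        """Return the e-mail address the token was issued for, or None.

        Unknown, expired and already-used tokens all return None; the
        token is removed on first presentation regardless of outcome.
        """
        pending = self._pending.pop(self._hash(token), None)
        if pending is None:
            return None
        if self.clock() > pending.expires_at:
            return None
        return pending.email

    def build_message(self, email, sender):
        """Compose the e-mail carrying the link.

        The X-Auth-Request header (assumed name) exposes the same URL in a
        machine-readable place so a mail-client plugin could act on it
        without the user opening the message.
        """
        url = self.issue(email)
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = email
        msg["Subject"] = "Your login link"
        msg["X-Auth-Request"] = url
        msg.set_content(f"Click to log in (valid {self.ttl // 60} minutes):\n{url}\n")
        return msg


def token_from_url(url):
    """Extract the token query parameter from a login URL (None if absent)."""
    values = parse_qs(urlparse(url).query).get("token")
    return values[0] if values else None


if __name__ == "__main__":
    auth = MagicLinkAuth("https://example.test")
    msg = auth.build_message("alice@example.test", "login@example.test")
    link = msg["X-Auth-Request"]
    print("first redeem:", auth.redeem(token_from_url(link)))   # alice@example.test
    print("second redeem:", auth.redeem(token_from_url(link)))  # None, single use
```

Redeeming the token should also establish a normal session cookie; the link itself is never reused as a credential, which is why it is removed from the table on first use rather than marked.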
... and some call it insecure. If you don't take care of man-in-the-middle attacks, which is one of the most basic attacks, you simply are not secure on the internet (where things like XSS and cross-site request forgery are far more common, and can render the most complicated authentication mechanisms useless). But for starting things up, it can be just fine.
RedHat's Mugshot did this in 2007. I really liked it.
<a href="http://bits.quintanasegui.com/2007/04/05/login-without-a-password/" rel="nofollow">http://bits.quintanasegui.com/2007/04/05/login-without-a-pas...</a>
I do this on my website [ <a href="http://www.tanlup.com/users/login" rel="nofollow">http://www.tanlup.com/users/login</a> ], but you have a password as well. In general, people will use this method if they can't remember their password. I already thought about making this the default sign-on method for a website (it works great for e-commerce sites without user registration), but e-mail issues (delays, spam) and the fact that not everyone lives in their inbox (like me) changed my mind.
There's a shipped project that ties this in to OpenID. <a href="http://emailtoid.net" rel="nofollow">http://emailtoid.net</a><p>Some of the OpenID crowd were aware of it at the time, but it hasn't really caught on. It's kinda fun to use it as an OpenID provider to log in to itself. Very meta and clean.
If I'm on a work computer I can't access my email.<p>If I'm on an untrusted (potentially keylogging) computer, I don't want to type my email password - but I may not care about the security of my Pandora password.<p>I think the process is defaulting every site to the same trust level as your email.
This would frustrate me no end. I'm not always at my own computer, and I change my password regularly to one too complex to remember. I don't always want to use my phone browser to log in to sites I need access to.
I had the exact same idea the other day. Good summary. Obviously not the best solution for all sites, but I think smaller sites might benefit from this. I'd love to see a basic plugin/library built around this.
I hate the fact that I have to "validate" my email address with a lot of web app services when you first sign up. Imagine doing that every time you want to log on.<p>Definitely adds more resistance to the flow.