So this is essentially delegating authentication to the user's Email service. Delegating authentication seems like a good idea: fewer passwords to forget and more conveniene. So why not delegate to a proper authentication service like OpenID?<p>(Seriously, that's a question: Why don't more people use OpenID? Is there something wrong with it?)<p><a href="http://openid.net/get-an-openid/what-is-openid/" rel="nofollow">http://openid.net/get-an-openid/what-is-openid/</a>
It seems taking users out of your app / off your website to sign up or purchase something would be detrimental to conversion rates.<p>(I don't know about you, but I can't think of anything more distracting than my email inbox.)<p>I know it's not popular on HN, but we already have a simple method that removes passwords: OAuth.
Although they say it is a "one time password" which is smart, email is still assumed to be not secure. Like for example, you wouldn't want to send your SSN through email because servers along the way can possibly sniff it. So, while it seems safe in most situations to do this, I feel that it probably isn't 100% safe but maybe good enough for most people.<p>What is the risk though? If someone did steal your one time link and get into the app could you somehow prevent them from continuing to access it? And what could they do in the app -- change your address and buy stuff on your credit card and send it to themselves? Feels like there is just some tiny level of risk here that probably wouldn't happen... but I wouldn't feel completely safe with this.
A friend of mine has been very passionate about the idea of getting rid of passwords and built a proof of concept version of this a few months ago [0]. He also gave a very good talk about it at a JavaScript meet up [1].<p>[0] <a href="https://github.com/handshakejs" rel="nofollow">https://github.com/handshakejs</a>
[1] <a href="http://vimeo.com/90883185" rel="nofollow">http://vimeo.com/90883185</a>
I've always thought waiting for a damn registration email was the worst part of the typical sign-up process. Not sure this saves much user frustration.<p>Drop the email field altogether and you might have something refreshing.
I think this is a positive move. My gmail for instance is one of the better-protected services I use: I have a ludicrous password and 2FA. The reset options only include dialling my mobile (not voicemail) or emailing another account (which isn't otherwise associated with me to anyone who knows me), which is also protected by a strong password.<p>Why not allow Apps to not use passwords in this case?<p>In addition (for me) the app would be on my mobile, which is passcode protected (and fingerprint)<i>. Beyond that security you have full access to my email anyway, so what's any additional app password going to provide?<p></i>since you need the device (which you're presumably steeling) AND the passcode for it, does this make it 2FA? I think I've read Apple claim as much in a Data Protection document, but I wonder whether you can really count the device you're trying to log in TO as one of the Factors?
I have a question. Why not SMS? Is it because sending an SMS globally is more of a hassle then sending email? Or that with email we assume the entire channel has some protection layer to it, where as in SMS the security is due to the fact that we're using an entirely different channel? Simply intercepting an SMS (if you actually manage to do that) won't be enough as you would also need the username. In the email approach, don't most places use your email as a username??<p>I am just talking generally, not specific to this app
I don't know who started this, but I've noticed recently after installing Slack app on Android that they went the same way. I found it very convenient. After all anyone can reset my password using email so why bother creating it all? Just send me the auth token as link in email. The app registers itself to open on such link and it works nicely.
I like the idea. It's essentially SFA, Single Factor Authentication, opposed to MFA, but chose the "what you have" aka an email factor rather than "what you know" aka a password.<p>From a compliance standpoint (ignoring security feature), would this be allowed?<p>From a security standpoint, not sure this is any better/worse than social login or receiving an SMS. Most of the time you have all these portals (including email) already authenticated so it doesn't really make a difference which you use. The nicety is that you can basically track your logins through email which is pretty neat.<p>From a usability standpoint, I feel like an SMS would make more sense? I turn off push notifications for email because I receive too many, but I'd be able to read the number from the text and type it in right away (assuming that you'd use standard MFA tokens). Maybe the difference is more between using a 6-digit PIN instead of a link than the source it's received.
I was going to post this comment on their page:<p>"Why do you need people's name and email? The above screenshot looks like an APP. You already have a way to reach them: in-app notifications. And why do you need their name until they purchase something?"<p>But ironically, the resulting page said "Please enter correct password. Spam free wordpress." LOL
This is interesting and somewhat confronting to me. Can we just get rid of passwords that simple?<p>Do we end up with a system that's of equal or higher safety?<p>Agreed that convenience is definitely up, since we have email clients built into everything.
Heh. Fork the Cookbook does this - with a 1 hour auto log out. It didn't go too well with our users.<p>What I learned from FtC is that people are so ingrained with the idea of passwords that single factor auth doesn't really fly.
To me, this just seems a little silly. I can't imagine how difficult it will be to maintain a persistent, user-friendly account with this method. An emailed link every time a user wants to log in? Just plain silly.<p>Passwords are still widely used, and for good reason. I partially accept your point of passwords not being very secure, but why not just spend some time implementing a 2FA login method, instead of this?
I wrote a similar blog post a while ago advocating this approach. It was inspired by MixPanel sending me a login link alongside a forgot password link - <a href="http://dangoldin.com/2014/05/20/logging-in-through-your-inbox/" rel="nofollow">http://dangoldin.com/2014/05/20/logging-in-through-your-inbo...</a>
Well, bye bye users.
Greylisting is so common these days - emails don't arrive straight way. Who wants to wait 5 minutes (assuming your mailserver tries that often on a greylist) to login to an app?<p>Appreciate what they're trying to do, but I think this is a bad idea.<p>edit: As tootie points out, it would be possible to use a "whitelisted" company.
I havent followed too closely the state of secure email delivery, but I would guess that even today a huge percentage of people both send and receive email in clear text over easily intercepted links.<p>this option only makes sense if email delivery can be guaranteed to be secure, and the recipient has non-password-based (two factor) auth.
Unless I'm misunderstanding something, if someone has access to my email they can just login right?<p>That doesn't sound very safe. Does this use some form of OTP that's passed via a special URL that only works with the mobile app? If so that sounds better than what I'm thinking.
I agree that on a mobile device you should only have to log in once and be remembered forever (if someone compromises your phone, you have bigger issues), but I think that requiring a password (or OAuth, etc) on a non-mobile experience is a pretty good idea.
Couldn't a secret URL with unique id be generated the first time you use a website that requires login (bookmarks would preserve passwords)? I guess you could make it long enough to prevent over-the-shoulder attacks and of course you would need HTTPS.
Shameless plug - I wrote a Rails engine for this type of authentication mechanism called NoPassword - see <a href="https://github.com/alsmola/nopassword" rel="nofollow">https://github.com/alsmola/nopassword</a>
Wouldnt the unique identifier or Auth token be the password? Sure it is more convenient for the User not having to remember there password, but it is not necessarily more secure.
Good to see a concept (<a href="https://medium.com/cyber-security/9ed56d483eb" rel="nofollow">https://medium.com/cyber-security/9ed56d483eb</a>) at work.