Bye Bye Passwords

67 点作者 tylerg将近 11 年前

26 条评论

bjackman将近 11 年前

So this is essentially delegating authentication to the user's Email service. Delegating authentication seems like a good idea: fewer passwords to forget and more conveniene. So why not delegate to a proper authentication service like OpenID?(Seriously, that's a question: Why don't more people use OpenID? Is there something wrong with it?)<a href="http://openid.net/get-an-openid/what-is-openid/" rel="nofollow">http://openid.net/get-an-openid/what-is-openid/</a>

评论 #7818783 未加载

评论 #7818784 未加载

评论 #7818955 未加载

评论 #7819707 未加载

评论 #7819046 未加载

nostromo将近 11 年前

It seems taking users out of your app / off your website to sign up or purchase something would be detrimental to conversion rates.(I don't know about you, but I can't think of anything more distracting than my email inbox.)I know it's not popular on HN, but we already have a simple method that removes passwords: OAuth.

评论 #7819731 未加载

评论 #7819380 未加载

benferris将近 11 年前

Although they say it is a "one time password" which is smart, email is still assumed to be not secure. Like for example, you wouldn't want to send your SSN through email because servers along the way can possibly sniff it. So, while it seems safe in most situations to do this, I feel that it probably isn't 100% safe but maybe good enough for most people.What is the risk though? If someone did steal your one time link and get into the app could you somehow prevent them from continuing to access it? And what could they do in the app -- change your address and buy stuff on your credit card and send it to themselves? Feels like there is just some tiny level of risk here that probably wouldn't happen... but I wouldn't feel completely safe with this.

评论 #7819429 未加载

eddiezane将近 11 年前

A friend of mine has been very passionate about the idea of getting rid of passwords and built a proof of concept version of this a few months ago [0]. He also gave a very good talk about it at a JavaScript meet up [1].[0] <a href="https://github.com/handshakejs" rel="nofollow">https://github.com/handshakejs</a> [1] <a href="http://vimeo.com/90883185" rel="nofollow">http://vimeo.com/90883185</a>

评论 #7819064 未加载

jd007将近 11 年前

They talk about Heartbleed and other attacks, but fail to mention the security of emails, especially during transit?

评论 #7820128 未加载

nly将近 11 年前

I've always thought waiting for a damn registration email was the worst part of the typical sign-up process. Not sure this saves much user frustration.Drop the email field altogether and you might have something refreshing.

评论 #7820074 未加载

herghost将近 11 年前

I think this is a positive move. My gmail for instance is one of the better-protected services I use: I have a ludicrous password and 2FA. The reset options only include dialling my mobile (not voicemail) or emailing another account (which isn't otherwise associated with me to anyone who knows me), which is also protected by a strong password.Why not allow Apps to not use passwords in this case?In addition (for me) the app would be on my mobile, which is passcode protected (and fingerprint). Beyond that security you have full access to my email anyway, so what's any additional app password going to provide?since you need the device (which you're presumably steeling) AND the passcode for it, does this make it 2FA? I think I've read Apple claim as much in a Data Protection document, but I wonder whether you can really count the device you're trying to log in TO as one of the Factors?

xerophtye将近 11 年前

I have a question. Why not SMS? Is it because sending an SMS globally is more of a hassle then sending email? Or that with email we assume the entire channel has some protection layer to it, where as in SMS the security is due to the fact that we're using an entirely different channel? Simply intercepting an SMS (if you actually manage to do that) won't be enough as you would also need the username. In the email approach, don't most places use your email as a username??I am just talking generally, not specific to this app

calineczka将近 11 年前

I don't know who started this, but I've noticed recently after installing Slack app on Android that they went the same way. I found it very convenient. After all anyone can reset my password using email so why bother creating it all? Just send me the auth token as link in email. The app registers itself to open on such link and it works nicely.

thrush将近 11 年前

I like the idea. It's essentially SFA, Single Factor Authentication, opposed to MFA, but chose the "what you have" aka an email factor rather than "what you know" aka a password.From a compliance standpoint (ignoring security feature), would this be allowed?From a security standpoint, not sure this is any better/worse than social login or receiving an SMS. Most of the time you have all these portals (including email) already authenticated so it doesn't really make a difference which you use. The nicety is that you can basically track your logins through email which is pretty neat.From a usability standpoint, I feel like an SMS would make more sense? I turn off push notifications for email because I receive too many, but I'd be able to read the number from the text and type it in right away (assuming that you'd use standard MFA tokens). Maybe the difference is more between using a 6-digit PIN instead of a link than the source it's received.

EGreg将近 11 年前

I was going to post this comment on their page:"Why do you need people's name and email? The above screenshot looks like an APP. You already have a way to reach them: in-app notifications. And why do you need their name until they purchase something?"But ironically, the resulting page said "Please enter correct password. Spam free wordpress." LOL

评论 #7818751 未加载

评论 #7818752 未加载

keyle将近 11 年前

This is interesting and somewhat confronting to me. Can we just get rid of passwords that simple?Do we end up with a system that's of equal or higher safety?Agreed that convenience is definitely up, since we have email clients built into everything.

评论 #7818875 未加载

评论 #7819204 未加载

chewxy将近 11 年前

Heh. Fork the Cookbook does this - with a 1 hour auto log out. It didn't go too well with our users.What I learned from FtC is that people are so ingrained with the idea of passwords that single factor auth doesn't really fly.

jlt将近 11 年前

To me, this just seems a little silly. I can't imagine how difficult it will be to maintain a persistent, user-friendly account with this method. An emailed link every time a user wants to log in? Just plain silly.Passwords are still widely used, and for good reason. I partially accept your point of passwords not being very secure, but why not just spend some time implementing a 2FA login method, instead of this?

dangoldin将近 11 年前

I wrote a similar blog post a while ago advocating this approach. It was inspired by MixPanel sending me a login link alongside a forgot password link - <a href="http://dangoldin.com/2014/05/20/logging-in-through-your-inbox/" rel="nofollow">http://dangoldin.com/2014/05/20/logging-in-through-your-inbo...</a>

muppetman将近 11 年前

Well, bye bye users. Greylisting is so common these days - emails don't arrive straight way. Who wants to wait 5 minutes (assuming your mailserver tries that often on a greylist) to login to an app?Appreciate what they're trying to do, but I think this is a bad idea.edit: As tootie points out, it would be possible to use a "whitelisted" company.

评论 #7820121 未加载

delackner将近 11 年前

I havent followed too closely the state of secure email delivery, but I would guess that even today a huge percentage of people both send and receive email in clear text over easily intercepted links.this option only makes sense if email delivery can be guaranteed to be secure, and the recipient has non-password-based (two factor) auth.

评论 #7819629 未加载

calebio将近 11 年前

Unless I'm misunderstanding something, if someone has access to my email they can just login right?That doesn't sound very safe. Does this use some form of OTP that's passed via a special URL that only works with the mobile app? If so that sounds better than what I'm thinking.

评论 #7818708 未加载

评论 #7818799 未加载

评论 #7818793 未加载

评论 #7818810 未加载

评论 #7818750 未加载

ultimatedelman将近 11 年前

I agree that on a mobile device you should only have to log in once and be remembered forever (if someone compromises your phone, you have bigger issues), but I think that requiring a password (or OAuth, etc) on a non-mobile experience is a pretty good idea.

Istof将近 11 年前

Couldn't a secret URL with unique id be generated the first time you use a website that requires login (bookmarks would preserve passwords)? I guess you could make it long enough to prevent over-the-shoulder attacks and of course you would need HTTPS.

alexsmolen将近 11 年前

Shameless plug - I wrote a Rails engine for this type of authentication mechanism called NoPassword - see <a href="https://github.com/alsmola/nopassword" rel="nofollow">https://github.com/alsmola/nopassword</a>

cevaris将近 11 年前

Wouldnt the unique identifier or Auth token be the password? Sure it is more convenient for the User not having to remember there password, but it is not necessarily more secure.

评论 #7819870 未加载

nell将近 11 年前

Good to see a concept (<a href="https://medium.com/cyber-security/9ed56d483eb" rel="nofollow">https://medium.com/cyber-security/9ed56d483eb</a>) at work.

Raphael将近 11 年前

Remind me again how sending a credential in plain text by email is secure.

mathattack将近 11 年前

I think passwords should be gotten rid of. Could this be pulled off on a website rather than a phone? My sense is that it would be too dangerous.

lhgaghl将近 11 年前

"bye bye passwords, hello blocking IP addresses from viewing our blog"?