from Hacker News

A bold but simple login system

by fufulabs on 7/29/12, 11:46 AM with 97 comments

• by haldean on 7/29/12, 1:17 PM

  This would drive me up the wall. I don't want to have to sit in my mail client, waiting for it to pull down the message that may-or-may-not have arrived at my mail host yet, when it's incredibly easy to use a password manager for everything without having to leave my browser. He bemoans the number of controls you need to interact with to log in, but to get to log in with his method, I need to put in my email address (or take the time to find it in the list), interact with whatever control submits the form, switch to my email client (at least 1 control, probably more), refresh it to get the most recent messages (perhaps more than once), open the message, click the link, go back and close the window I used to start the login process in the first place, then switch back to the window with the app in it. Seems far more complex.

  I don't buy his premise, either; he claims you need to interact with "6 different controls" to log in to Facebook, but (a) you only interact with 4 of them and (b) that's only the first time you log in from that computer. He's trying to solve a problem I have never experienced. I'm curious to see if others have felt overwhelmed by the number of controls on login forms; this is a problem I've never had.

• by zdw on 7/29/12, 2:03 PM

  Someone needs a history of internet mail. It was never designed to operate in real time or be fast, whereas people expect logins to be fairly quick.

  Also, using an email backchannel and one time keys moves the security from an encrypted connection (assuming SSL) to an unencrypted SMTP connection anyone can view...

  Back in the good old days of UUCP you might wait a day or two to get mail from across the globe...

• by masimpson on 7/29/12, 2:22 PM

  The logic behind this system isn't terrible. But as others have pointed out, it still relies solely on a third party. And while it's true that exposing the entire user list would not give an attacker much in the way gaining access, it's still a leak of trackable information. I think a more secure solution would be to model an authentication standard after public/private key encryption. If all browsers would endorse it, the interface would be remarkably simple.

  Present the end-user with a certificate management dialog when they open a browser for the first time. That would allow them to either browse for an existing certificate or create a new one. After one is created they're given a copy which could be used in any other browser at a later time. From that point on, each time a Web server requires authentication it could be handled behind the scenes. No log on page, no passwords, no user names; only aliases and a push button start. Signing up would become a one click affair, as well. Press the button, and the browser sends the public key to the Web server. A site gets hacked? Big deal, there are no vulnerable hashes -- only public keys. You would never be required to remember anything more than backing up your certificate. Worried about recovery? Do what you would do with SSH. Pop the cert on a thumb drive and hide it. Hell, even create a feature in that management dialog to do it for you.

  This of course would require a large standards body and the involvement of every major browser company. But in the end, it would be easier.

• by jsmcallister on 7/29/12, 2:18 PM

  I had to read this article twice to make sure I was understanding it right. I honestly see zero benefit in this approach. It does not speed up the login process at all. The only thing it accomplishes is not requiring the user to remember a password. Additionally, it puts way too much power in the hands of random email servers. What if my email system at the office goes down for a few hours. Am I locked out of all websites too?

  I do agree with his point that memorizing passwords can get cumbersome, especially with different sets of rules for different logins. However, the majority of people store their passwords in their everyday browser or just stay logged in indefinitely.

  The real solution to "doing away with passwords" lies in recognition technology on devices. What if my keyboard could recognize my identity and pass that along to authorized sites as login credentials? What if my iPhone could do the same? I'll defer the argument of privacy in visiting sites where you don't want your identity revealed for another time.

• by crcsmnky on 7/29/12, 2:58 PM

  What's the overlap of users who (a) have trouble with login forms and (b) leave their email open all the time (whether browser or dedicated app)? This relies on a very high level of comfort with email and context switching.

  This could potentially introduce an increase in spam if users are now instructed to click on links in emails blindly as long as they match a site that they're familiar with.

  Leaving one app/tab for another seems like bad UX to me. This doesn't seem any better than the OAuth dance, even if it uses a much more seemingly familiar mechanism.

• by dazbradbury on 7/29/12, 4:15 PM

  On OpenRent [1] we're using the Google Identity Toolkit [2]. We're finding that in our current configuration it works extremely well, even for non technical users.

  It offers password-less log-in, and also remembers your username/email client-side. The only issue is lack of support for facebook/twitter log in out of the box - but that is apparently in development.

  It doesn't seem to be widely adopted, and that is possibly due to the reliance on Google servers it adds to your service. Whether that comes back to haunt us or not I don't know - but I have a backup system in place in case GITKit does stop working!

  [1] - http://www.openrent.co.uk

  [2] - https://developers.google.com/identity-toolkit/

• by sturadnidge on 7/29/12, 5:57 PM

  I honestly don't understand a lot of the comments in here. For starters, many websites (eg Twitter) require email confirmation for new signups and password resets. This is not so different, the UX related commentary is superficial at best. After the initial activation / a reset you're back to cookie based auth, just like most sites.

  Second, there is not a single mention of the biggest problem with passwords currently: the apparent inability of many sites to store them securely. I'll take this method of authentication over a password based one any day for probably 90% of the sites I have an account with currently. Especially sites like HN (not implying insecure password storage on HN - just saying for any forum based sites, it's more than adequate IMHO).

• by javajosh on 7/29/12, 6:57 PM

  Ben, I like where you're going but I think we need to go just a little bit further to make it viable. In particular, it's email that's the weak link (so to speak). But it's entirely possible and desirable to replace email with something that has emails positive qualities without it's drawbacks. I'm thinking a secure, realtime channel to which only you have access, and a notification system that let's you see (on all your devices) what got posted there. Anyone (or anything) in the world can post to it, and they are guaranteed that you'll get first crack at the data. (In this case the data is a one time URL).

  What sort of thing represents a secure, real-time channel to which only you have access? Note that, unlike email, we are not interested in queueing messages in this channel. My first thought runs to a public URL, a place where anyone can post anything, and it will appear on all your devices (possibly within the browser).

  So basically as long as you maintain credentials to access that channel, sites have a good way to give you a one-use login URL.

  In an ideal world, you're browser would have a password protected private key and knowledge of what your personal URL is. All sites requiring login would ask the browser for that URL, and the site would send a one-time login URL to the channel URL, and the browser would be smart enough to just follow the link.

  Bam, login nirvana.

• by woah on 7/29/12, 3:42 PM

  OK, so i am going to go out on a limb here and assume that this WILL piss off a portion of your users.

  That being said, can it work "halfway"? It seems the main benefit of this approach (from a UX standpoint, disregarding security etc.) would be to simplify things for people who always use one device and forget and reset their passwords all the time anyway.

  What one could do is to simply reverse the prominence of the "enter password" and "reset password" steps of your login flow.

  Enter your email, and get a big fat "Get Login Link" button below the field. Next to it is a small link that says "use password"

• by carsongross on 7/29/12, 1:29 PM

  For most cases, I think the ideal is identity tied to the device/browser via an email address:

  https://login.persona.org/

• by MatthewPhillips on 7/29/12, 2:06 PM

  This is how Staticloud[1] works. You put in your email address and receive a log in link. You never have to register; registration and login are the same process.

  [1] http://staticloud.com/

• by lorewarden on 7/29/12, 6:30 PM

  I remember being intrigued by Google's "Sesame" experiment (covered on HN at https://news.ycombinator.com/item?id=3469692) where they logged you in via a QR code processed via your mobile.

  Relying on something you have (mobile phone with a trusted app on a trusted network) instead of something you know (passwords) can be an interesting choice. Ideally you'd require both (something you know and something you have), but we want to avoid passwords.

• by sirwitti on 7/29/12, 3:13 PM

  First things that come to my mind are privacy problems. This autocomplete would make it really easy to find out whether a person uses the service. (dating sites, porn sites, torrent sites, political sites,....). Additionally if the ologin happend only via the mail address, you could collect email addresses very easily from many websites.

  Anyway, I like the idea of questioning the current way of user authentication!

• by mandeepj on 7/29/12, 7:51 PM

  I also felt login process should be simplified. I got two types of registration forms at my new website (www.survenator.com) - one is express where user only enters their email address and a highly secured password is email to them. Other is the complete registration form. Although the form is still kept very short. Users can change their passwords\other account information anytime.

  Express registration may work for well for those who have hard time coming up with strong passwords or don't want to think about a password while doing another new registration. We started this feature as an experiment and will evolve\refine it based upon the usage.

  Once the user confirms their account if they selected "remember me" checkbox then we don't require them to login, we just check for authentication cookie.

  I do not agree with the author regarding his vision for "password reset tool feature to send the link in the email". Sometimes users want to take control of their password and do not want to remembered for security reasons.

• by maxlemons on 7/30/12, 9:41 PM

  I've been working on a demo of something similar. It's a work in progress, but I've got it running at http://nopassword.alexsmolen.com. Code at https://github.com/alsmola/nopassword.

  Not only can you register and login with only and email, you can review and revoke your active sessions.

  People who are complaining about the speed of email - the session could last indefinitely until you log out, which would reduce the number of times you had to perform the ceremony. Plus, think about the benefits of this when you need to authorize a TV, phone, etc. You can simply visit a link in your email instead of copying and pasting or typing in those form factors.

  I'd also like to integrate SMS to support optional dual-factor authentication, which should get help fix the single point of trust problem.

• by mollstam on 7/29/12, 1:24 PM

  Sending link to e-mail is exactly as dependent on third party as OAuth.

  Non-power users (11 yo kids) maybe don't always have their inbox open/session active.

  Best case scenario with one e-mail entry for multiple devices stand in conflict with link only being usable once.

  Don't get me wrong, I think passwords are horrible but this post was just made in too much of a hurry.

  Interesting topic!

• by freshhawk on 7/29/12, 6:26 PM

  Am I crazy in thinking that this whole problem should have been solved a long time ago by making password management a responsibility of the browser, either by baking it in or mediating the exchange?

  Combined with a simple standard for credential exchange (get request to example.com/login to get the list of required fields, post to https://example.com/login to login. Or more likely, some existing standard that handles more cases and is already thought out) this whole annoying problem is no longer affecting every person who uses the web.

  Is it too late for this? I feel that it probably would be very difficult to make this work now, it's too late and the browsers wouldn't go up against google and facebook who now want to own and track your identity.

  That makes me sad, that kind of stagnation cuts off whole important areas of progress for web users.

• by IceCreamYou on 7/29/12, 5:49 PM

  I actually implemented a system very much like this on an internal company network recently. For that purpose, it worked great. I don't think it would work in an open, public context, not least because an attacker can force your site to spam its users. However, when you are going to stay logged in forever on basically the same devices, having an email-based login system without a password is no more pain for the user than a verification email (since that's all you're doing anyway). Essentially you're relying on the website to generate a local, device-specific, secure password instead of requiring the user to create and remember a (likely insecure) password themselves.

• by Sami_Lehtinen on 7/29/12, 4:00 PM

  Why accounts should have anything to do with email or email address. It's bad policy and I hate it. We all know that email isn't secure. For many sites I would like to disable password recovery due these inherit security issues related to email. If you ever login to Gmail, after that you have always clear all cookies and cache data and possible super cookies. After that you would need to login (again) to email to uh oh, access other sites. Afaik this is super bad idea. Naturally you could save the link as bookmark, which would work. But security would still suck.

• by stcredzero on 7/29/12, 4:31 PM

  Apple should augment a single sign-in mechanism with a transparent 2nd factor embodied in the iPhone. This would result in your being automatically logged into any participating site while using Safari on the same LAN as your iPhone. The mechanism would fall back to the traditional password if you don't have the phone. Bluetooth could also be used to communicate to the hardware.

  The hardware would only run signed Apple firmware and be separated from the CPU and most of the rest of the device, except for access to radios.

• by drcube on 7/29/12, 6:58 PM

  Outside of transfering money, I think you should structure your site so that logins are not necessary. For example, if I wasn't the only "drcube" on Hacker News, I wouldn't be upset. Names in meat space aren't unique, why should we expect them to be on the web?

  Next time you think about starting a web service (that doesn't handle money!), think about what you lose by getting rid of user accounts entirely. It probably isn't much.

• by uptown on 7/29/12, 7:39 PM

  A way to streamline this even further might be to pair it with a browser extension designed to poll your inbox for these specific messages. When received, the extension could handle the login step, eliminating the need for the user to jump to their inbox for the validation email. I'm not sure if that kind of extension could be created so that it didn't compromise the security of your inbox.

• by kevinSuttle on 8/3/12, 4:28 PM

  I don't think it's the order of the elements, I think it's the combination of the elements and the process of entering them. See Ford's (yes Ford's) experiment for proximity based automatic login/logout with your phone.

  http://www.fastcodesign.com/1670097/ford-schools-apple-with-...

• by Johngibb on 7/29/12, 5:53 PM

  I definitely find this topic interesting and have a hard time remembering all my passwords, but I'm not fan of this solution. Honestly, how isn't this just a worse implementation of OAuth? It seems equivalent to clicking a "login via gmail" button, except with more of a lag?

• by spartas on 7/29/12, 2:08 PM

  Here's an idea, if you allow me to choose From a list of users, then I'll continuously "spam" other users' inboxes with login link messages.

  We could suggest that Facebook implement something like this. Seeing a login control containing 950MM names would be rather comical.

• by empire29 on 7/29/12, 4:56 PM

  At a very high level, I like this idea. It would be great if there was browser support to super-persist the auth tokens (cookies) through cookie-clearing and also sync between browsers on machines -- most likely via a browser plugin.

• by agscala on 7/29/12, 5:37 PM

  So going from a "bad" login form with 6 controls to a "simpler" login where I now have to interact with the site's form, my browser, and my email client is somehow better?

  This is just silly and a login form like this would drive me crazy

• by Spoom on 7/29/12, 4:31 PM

  This means the second someone loses access to their email account, they lose access to every account on every system attached to it via this method. I'm not sure introducing a single point of failure is a good idea.

• by rocky1138 on 7/29/12, 2:39 PM

  Sending people away from your website in order to access your website is bad UX.

• by bbwharris on 7/29/12, 1:38 PM

  I personally think this could work. The big show stopper occurs on a shared computer. It would be annoying to get logged out of a service daily and have to request a new email link to log back in.

• by shyn3 on 7/29/12, 1:44 PM

  Thinking of it for enterprise users it could really work.

  Enterprise users seem to be on Outlook all the time checking their e-mails so this would work if you can't tie your passwords into AD/Exchange.

  Maybe have an option to have a token that can be entered or a link clicked.

  I get all my e-mails on my phone so if I received a code that I can enter in my phone that can work. I could also click a link in Outlook and be logged on.

  Now if someone has my phone which is receiving my e-mails and they enter the e-mail on a website and receive the secure login we got a big problem. I don't know how to get around that.

  Interesting discussion, but some flaws. I would think it requires some sort of 2-factor auth to save people whose e-mail addy is compromised.

• by ef4 on 7/29/12, 2:13 PM

  Please, somebody figure out how to get us over the hump to the bright future day when we all have asymmetric keys embedded in hardware and we can leave passwords behind.

• by kbatten on 7/29/12, 7:26 PM

  I have a text document on my computer that lists all the websites/programs with username/password. I also use autocomplete (which IMO is basically the same as having a document with all passwords.) I can have unique passwords for every single website without relying on a third party cloud solution. And for the passwords I use often, I have them memorized anyway.

  If something is compromised (which has happened) then I have a list of every single site where I have an account, and can change the passwords.

  A side benefit to this is if someone needs to access something (most likely while traveling, or if I'm dead) all the information is there for them.

• by pbreit on 7/29/12, 2:53 PM

  The problem with "solutions" like these is that they start with faulty premise that "passwords are broken". This particular idea sounds like death by a million cuts.

• by jjm on 7/29/12, 4:01 PM

  I don't want people knowing what services I signed up for even if mainstream. Anytime you leak any user info you potentially weaken security.

• by spullara on 7/29/12, 7:43 PM

  This could really work well paired with an phone app that gets notifications instead. I use a VPN system that works like that.

• by Kwpolska on 7/29/12, 2:55 PM

  About the autocompletion: big privacy breach, would immediately quit and probably tell some authority about such stuff.

• by lukeholder on 7/29/12, 1:19 PM

  having the user select field list all users is not so bad, but the email a login link is a terrible idea, this is a break is workflow worse than a password.

  Even most incompetent users like my mum save their password into the browser keychain so it ends up bring only a single click anyway.

  Things like browserID are solving this far more simply.

• by dewey on 7/29/12, 2:22 PM

  and you still need a password to access your email account. let's assume you are at a friends place and want to login somewhere...you have to grab your phone to get your secure webmail password, login on gmail/etc. click the link. a real timesaver...

• by therandomguy on 7/29/12, 3:36 PM

  What happens when multiple people use a device? Like iPad or family computer?

• by skue on 7/29/12, 6:10 PM

  So what happens when someone's email account is compromised?

  Currently there's a fair chance that the victim can reset passwords and change contact info for their online services before the hacker bothers to do so. But this would be impossible if email were used as the sole form of authentication.

• by pknerd on 7/29/12, 7:46 PM

  What if someone forgets the password of email system? :)

• by renas on 7/29/12, 2:41 PM

  Passwordless authentication done right is a subject in here, try to break the auth and let me know...

  http://news.ycombinator.com/item?id=4291856

• by drivebyacct2 on 7/29/12, 7:03 PM

  This exact system was just on the front page last week.

  Just use BrowserID.