How many passwords do you use for online accounts? I have 250. That’s a conservative estimate and doesn’t include a plethora of hosting, database and SSH passwords.
Despite using management tools such as KeePass, it’s difficult to use different passwords for every site — and I certainly don’t change them as often as I should. Even then, I forget what I’ve used on specific sites. Logging in is often a matter of clicking “forgotten password”, hitting an email link, entering a new password and finally gaining access.
The average user has a couple of easily-remembered passwords for every account. There’s no guarantee every one of those sites has implemented good security measures. Perhaps passwords are stored in plain text or accessible to their staff, developers, database administrators or those working at their hosting company. Could your banking account be accessed just because you used the same credentials at dodgysite.com?
We’re using the same ID and password mechanisms we implemented at dawn of the web. But a password backlash has begun. Passwordless logins have been proposed by developers such as Justin Balthrop and implementations have arrived, e.g. passwordless.net for Node.js. The main argument: passwords are obsolete because we all have secure email and mobile SMS accounts.
Makes a lot of sense Craig. As you say, it is no more vulnerable than most (nearly all?) login/password sites as they utilize email for forgotten passwords. I am a big fan of passwordless (when appropriate) - and implemented it in a different fashion for 2 of our casual sites: LooseLeaves and DoitDoitDone. Here we just generate a unique access URL for each item. Its very low security, but also very convenient and anonymous.
I like it. I may offer this as an option to users on the next site I build. You’re right that it’s the exact same “Forgot my password” process we already use, so why not make it the normal way to log in.
In practice, I could see an approach such as this being open to abuse and would require a few additional steps such as regional locking, maximum attempts per hour/day/month, etc.
The potential for crashing the service, or racking up huge SMS bills would be quite high, and similar risks with email spamming. (A malicious person/group abusing the login page)
Steve Gibson’s SQRL idea is perhaps a much better system to relive the “annoying” part of logging in this way.
I would not want passwordless login in the way mentioned in this article. Using LastPass is plenty easy and I can use it on all my own systems, or log in to their website to retrieve passwords if on some other system.
That’s a good point. It’s also a problem that neither email nor SMS is encrypted during transit. It would take a sophisticated hacker to exploit that, but the possibility is still there. But then again, we already do this anyway – even banking sites – with “Forgot my password”.
I agree with @zackw. SQRL is the only one I’d rely on because it’s the only one I’ve seen not dependent on a 3rd party. I hope it takes off in a big way. For now, I’ll keep using 1Password to generate long, very random passwords unique to every site.
I’m not sure you would need as many security checks as standard password systems. The token link you’re sent will work only once and must be associated with the existing token you have in your browser. Even if someone obtained the link, they wouldn’t be able to use it.
As for risks of email spamming, remember that an email could only be sent to a registered user so it wouldn’t necessarily be prone to attacks. Limiting requests would be an option, though.
SMS costs could be high, but it really depends. Some services are free and it could be negligible for a small number of users. That said, I think email would be more practical in most cases.
SQRL looks interesting although you are (mostly) depending on a mobile phone with QR scanning. That may not always be an option and I’m not convinced it’d be less hassle. Nice idea though.
Despite using management tools such as KeePass, it’s difficult to use different passwords for every site
It’s not really difficult if they’re used well… I feel the same way about password managers as I do about task managers. If you don’t entirely trust and depend on your system, it’ll end up just being a burden.
On the other hand this sounds like an interesting idea to try out.
For this reason alone I would probably implement this into personal websites (don’t want to try pitching this to any clients…)
I just bank on the fact that google (gmail) has better security than I could give - thus I’ll let them safeguard my token smile .
That makes sense to me too… perhaps if more developers began using it in our own projects or in more tech-friendly communities, then the problems in this kind of system would be naturally worked out before we started pitching it to clients? And yes… regardless of the Google Evil, I trust them… way more than I trust me, to be able to safeguard my stuff. They’re just clearly more capable.
I just have a hard time believing clients would like to be the “test run”…they don’t see any other sites doing passwordless logins so why would they want to be the first? And for that matter, you are the developer - they don’t want users navigating away from their website to login. They might find that as a nuisance compared to just giving a password (plus, you are expected to be able to give them code-security…if you can’t, then there are others out there!)
Actually, SQRL also has a sqrl:// protocol handler so you can click or touch it to launch an app for authentication without using a camera to scan the QR code.
You wouldn’t be the first but, I admit, clients may not appreciate the benefits because they haven’t seen it. And, as I discussed, there are sites where it would be impractical. However, those sites you log into infrequently could be ideal - whether that’s because it’s a tool you don’t use often or the session can last a long time (e.g. a social network).
I’d go password-less until they got really serious information. But for most of the things that I use, a password is really not needed.
I use LastPass to keep all of my passwords, but even so, it’s a pain logging in on all the different devices I have. Nobody handles the mobile thing well (I have LastPass premium and it works, but not as well as the desktop version).
If your email is hacked, all your online accounts are compromised. The hacker can go to any website and click the “forgotten password” link. Passwordless login is no more or less dangerous.
Admittedly, passwordless login is more cumbersome but you’re not quite describing it correctly. For most people, it would be:
Go to site
Enter email address.
Switch to email app (most will already be logged in)
Click link in first email message.
It’s no more awkward than using a password manager with the additional benefit that you don’t have a password to forget. But I certainly wouldn’t recommend it for a system which has short session expiry times.
I may offer this as an option to users on the next site I build. You’re right that it’s the exact same “Forgot my password” process we already use, so why not make it the normal way to log in.