[STICKY][Interesting] Password-Free Email Logins

[slaveek]

Hi everyone!
I came across this article today:
Blogging Site Medium Rolls Out Password-Free Email Logins

It's sound pretty good to me.
I'm curious whats your opinion. Maybe this can be an alternative to login with Facebook, Google etc.

I know about this discussion here #664 but feature like this can bring something extremely simple to users or.... maybe not ;)

[panique]

He, this is definitly interesting! For everybody who hasn't the time reading the full article: Login works like that:

1. Sign in with email (without password!)
2. Server sends you an email with a link, like medium.com/login/[email protected]/123/hhfthhdgrdig3434DFG, where hhfthhdgrdig3434DFG is your temporary one-time-password.
3. You click the link and are logged in.

Maybe it's possible to try out this feature in HUGE in the next months :)

[JFJanssen]

Hi!

Definitely interesting. Here is something to think about, though, and leave the decision to use this login-via-email option to knowledgeable end-user:

1 IF mail password is compromised (i.e. hacked, copied, etc.), someone other then the legitimate user can now access that email account.
2 That someone else can now ask website to send login-via-email requests to that compromised mail account.
3 Access to email accounts may be gained easier then one might think, as people often use just four digits as a login on their phones / iPads, / other tablets.

So, a rather possible attack scenario seems to me:
1 Attacker watches someone enter their four-digit code
2 Attacker gets access to that device later on
3 Attacker opens mail client on legitimate users' device
4 Attacker gets site of interest to send login-via-email link to legitimate users' email account
5 Attacker deletes email after using the link in it to gain access to site of interest.

Attacker then had access from users' own device. Other then a timestamp no trace of wrongdoings is visible.

Interesting shift:
FROM: Where passwords are based on knowing a (password),
TO: login-via-email may in practice be based on knowing a (4 digit pin code) and access to an (phone / tablet / ...).

This makes the concept risky; one needs to think this through before exposing users to such risks.

[jjkirkpatrick]

Question, If you login to a website with you email address, and your email address is compromised.
you can now send a password request and gain access to any accounts using that email in most case.

So what's the difference between this and your scenario.

it sounds like what your saying is plan for every possibility which is good when you can control the situation, however this would be a case of the user not being able to keep there data safe, and your talking about actually using the users physical device so that scenario is even more less likely.

I personally think this is interesting technology and passwords are out dated.

if you had a feature like this and you wanted to just add that extra layer you could add extra step after login, where the user enters a 3 digit pin or what ever.

[tankerkiller125]

Although I agree that passwords are out of date I certainly don't agree with the whole concept of emailing the user a one time access key. For one there are way to many services that it relies on (E-Mail servers on both the server and client end being the main ones). And number two is the fact that yes many email accounts could easily be compromised by a very easy 4 number combination on someones device. I might also add that this now also means that the user will have to go to there email every time they want to log into the service. Although I think that this idea is on to something I certainly don't think that its the future or for that matter the most secure. Services like Clef are certainly on the right path if they could make it an open source platform that was easy to implement on your own both client and server side.

[abmmhasan]

I see everyone is on compromising issues. Ok everything can be compromised whatever secure now can be insecure in next seconds. Anyway, the goal of security is to secure the path. As I already said, everything can be compromised. So what if I erase something before it is discovered?

1. I prefer using 2FA turned on in your EMail accounts (I use them in Google and MS accounts which are in turn giving security to my other accounts). So this way your EMail can be a lot safe.
2. If I send a link in mail that will must contain random number in link. The length is already defined.
   Now you can say I can find that number after several try. Here is the solution for that, generate a 10 digit alpha-numeric code. & the acceptable link will expire in certain time, for example 5 minutes. Whether cracking such code with high end PC will need more than a month you are expiring it only in 5 or 10 minutes.
   Is there anything more secure than this?
   Check such random number strength in https://howsecureismypassword.net/

[panique]

Hey, I'll close this ticket as this is now linked from the readme.