Ask HN: Password-less login

2 points by Akarnani 11 years ago · 10 comments · 1 min read


How do you do it? OR, why won't it work? Where has it critically failed?

sova 11 years ago

After storming with this problem for a while there are two approaches that are promising to me.

1) Have users enter their email address and always use a newly generated e-mail link to login.

2) Give the user some data like a nursery rhyme that is unique to them and easy to memorize. Every time they want to access the site you ask them specific information about their nursery rhyme without revealing all the details of it.

Example: Seven Goats Hopped Seven Boats With Only a Spoon to Spare.

You could ask them "how many letters are in the last word of your rhyme, how many goats were there?" ... stuff to that effect.

Personally, I really like the "email me a link" approach because it requires the user not learning any new passwords, although it is not as immediate for something like an admin page. That's the method I'm using for a website I'm developing... so it's yet to be tested in the field.

There are some promising projects using "select all the right emoji (or equivalent tiny symbols) that make up your password" and the whole grid changes colors/shapes/arrangement every time you enter a "digit".

  • mobiplayer 11 years ago

    Sorry but I don't get it, how is the riddle different than a normal password?

    Some sites request certain characters of your password, which I find just slightly better than asking for the full password, but extremely more annoying for the user. Can't see the advantage of the riddle, seems to be the same approach.

    Also, if I have to remember a different nursery rhyme from every website out there... well, I'm sure you see the issue here. Not to mention these rhymes (or the correct answers to the related questions) would have to be stored in plain text (or actually reversible encryption) at server side, instead of a hash of the user's password.

  • mstolpm 11 years ago

    The problem with the pure "email me a link" approach seems to be that breaking into an email account gets only more valuable: The rightful user can't do anything if an attacker gets access to his mail account (or even just his mails), logs into the service secured by "email me a link" and then changes the associated email address for that account. How would the rightful user ever get access to the service again that was secured by "email a link" if there is no additional secret necessary for logging in and authorizing changes to the user data?

    • Paulods 11 years ago

      I don't see this being much different to a "forgot my password" email. Well, the only difference is it makes it marginally quicker to carry out.

  • chatmasta 11 years ago

    Problem with the riddle approach is that there can only be so many answers. Any passive observer can infer the "password" (i.e. gain the ability to answer any of the questions) after a finite number of exchanges. Also, the number of "passwords" the observer can answer grows with the number of exchanges he sees.

    If you want to stop a passive observer, you need to turn to encryption... but then you are back where you started.
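To make the "email me a link" approach discussed above concrete, here is an added example (not code from any commenter) of how a service would issue and redeem such links safely: tokens are random, expire after a short time, work exactly once, and only their hash is stored so a leaked database does not yield usable links. The in-memory store, the TTL and the example.test URL are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: links expire after 15 minutes

# Assumed in-memory store: sha256(token) -> (email, expiry timestamp).
# A real service would keep this in a database; only the hash is kept so
# that a database leak does not hand out working login links.
_pending = {}


def _hash_token(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_login_link(email, now=None, base_url="https://example.test/login"):
    """Create a single-use login link for `email` and return the URL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending[_hash_token(token)] = (email, now + TOKEN_TTL_SECONDS)
    return f"{base_url}?token={token}"


def token_from_link(link):
    """Extract the token query value from a link produced above."""
    return link.split("token=", 1)[1]


def redeem_token(token, now=None):
    """Return the email for a valid, unexpired token, else None.

    The entry is removed on first use, so replaying a link (e.g. from a
    mailbox an attacker later reads) does not log them in again."""
    now = time.time() if now is None else now
    entry = _pending.pop(_hash_token(token), None)  # pop: single use
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None  # expired links are discarded, not honoured
    return email
```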

sad_tuna 11 years ago

What about the HTML keygen element (https://developer.mozilla.org/de/docs/Web/HTML/Element/keyge...)? Or something like an SSL certificate login (http://cweiske.de/tagebuch/ssl-client-certificates.htm)?

After an initial setup it should log the user in automatically.

  • sova 10 years ago

    I'm really happy you mentioned SSL because that appears to be the future of all logins... SSH anyway; Passwordless key-authenticated communication.

bendtherules 11 years ago

How about telling them to reply with something like "ok" to the email just sent on login request. That email should properly have this instruction written so that someone can copy-paste that code word if required.

Also, the email can have a pre-built email link with the text and appropriate sender written so that one just clicks it and sends.

  • bendtherules 11 years ago

    In fact, this distinction of login system from the account itself can help in interesting consequences.

    Consider like a command-line app running (actual stuff you do after login) along with a separate command center (your email), so that you could do queries about your account like who is logged in, log out everyone, or are there any pending notifications, and even is the service properly running?

    But yes, people today don't like to do anything other than clicking buttons, so only geeks would be impressed with this.

borplk 11 years ago

Check out the SQRL project.
