Design and UX December 8, 2019

Password-less login & sign up

Chris McCormick @chr15m

What do you think about this new trend? I first saw it on Tumblr and more recently on Notion. The idea is you only ask the user for their email, nothing else, and then you send them a validation email to log them in rather than have them set a password.

I've implemented this authentication flow on SVG Flipbook and I would love to get your opinion.

This seems like a win to me from both a user experience and a security perspective. Users aren't forced to remember a password, and their account is secure from poor passwords.
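The flow the post describes (ask for an e-mail address, send a link, log the user in when the link is opened) has three properties a defender cares about: the token in the link must be unguessable, it must expire, and it must work only once. The following is an added example of such a flow, not code from the original post or from SVG Flipbook; the 15-minute lifetime, the `example.invalid` base URL and the in-memory store are assumptions standing in for a real database and mailer.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a link is valid for 15 minutes

# Constructed in-memory store standing in for a database table.
# Keyed by the SHA-256 of the token, so a leaked table yields no usable links.
PENDING_LOGINS = {}  # token_hash -> {"email": str, "expires": float}


def _token_hash(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_magic_link(email, base_url="https://example.invalid/login", now=None):
    """Create a single-use login token for `email` and return the URL to e-mail.

    The raw token is returned only inside the URL that goes to the user's
    inbox; the server keeps just its hash and an expiry time.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    PENDING_LOGINS[_token_hash(token)] = {
        "email": email.strip().lower(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return f"{base_url}?token={token}"


def token_from_url(url):
    """Extract the token query parameter from a magic link (None if absent)."""
    values = parse_qs(urlparse(url).query).get("token")
    return values[0] if values else None


def redeem_magic_link(token, now=None):
    """Return the e-mail the token was issued for, or None if it is unknown,
    expired, or already used.

    The record is removed on the first lookup whatever the outcome, so a
    link cannot be replayed and an expired link cannot be retried.
    """
    now = time.time() if now is None else now
    if not token:
        return None
    record = PENDING_LOGINS.pop(_token_hash(token), None)  # single use
    if record is None or now > record["expires"]:
        return None
    return record["email"]


if __name__ == "__main__":
    link = issue_magic_link("Alice@Example.invalid")
    print("would e-mail:", link)
    print("first redeem:", redeem_magic_link(token_from_url(link)))
    print("second redeem:", redeem_magic_link(token_from_url(link)))
```

Two design choices worth noting: the lookup is by hash rather than by raw token, so a database read replica or backup never contains anything that opens a session, and the record is deleted before the expiry check, so a stale link does not linger as a future target. Rate-limiting how many links one address can request is a separate control this example does not cover.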

  1. 9

    I've seen it used on a few products I use occasionally. Personally, I think it's a bit annoying to open my email every time I want to log in (or when a session expires).

    1. 1

      Great feedback, thank you! Really helps to know some people dislike this a lot.

  2. 6

    Passwordless fundamentally transforms the authentication mechanism from "what you know" (= password) to "what you have" (= access to SMS, device, or your inbox). And it is still a single factor. The security of your system will entirely depend on the security of two other systems that you do not control: the delivery mechanism of the link to a device (= SMTP) and the access to the device (= how you access your inbox). If you think that those systems are much safer than what your system can guarantee for the users, then you should use passwordless. There is no significant difference in terms of the security and behavior risk between the password-based and password-less system, in my opinion.

    1. 1

      Yes there is no significant difference in terms of the security and behaviour risk. I think there is a difference from the perspective of the site owner. If you're not storing any user secrets you have less liability.

      1. 2

        Well, you shouldn't be storing/logging any user secrets anyways. They have to be hashed with a different random salt per user.

        p.s. I hate this new trend. It's very annoying. As mentioned, it doesn't add additional security but rather just makes the process more cumbersome and dependent on 2 external services (sending email server & receiving email server).

        p.p.s. this should be a forgotten password functionality only.

  3. 3

    I absolutely hate this trend. It's annoying. If I see a service that has it, I just close the tab and find somewhere else.

    People have largely solved their whole "omg I forgot my password" thing by using password managers. I don't even pay attention to any passwords; I click two buttons and 1Password fills in all the information in your sign up form, including setting a very secure password.

    When I am presented with "Let's send magic login links to your email" I see "Let's take something that should be a 3-second action and make it sometimes upwards of 15 minutes to achieve". Most people who do this don't take into consideration other stuff that comes with it, such as proper email headers and so on, to make sure that the email is delivered and not immediately sent to the spam folder, because the contents of the email are primarily links.

    So not only do I have to wait for however long it takes your system to send the email, and my system to receive it, but I have to 9 times out of 10 search through my spam folder trying to figure out what email of the hundreds I've gotten over the last 30 minutes is yours, click it and get logged in.

    That's the happy path. I don't even want to go into the unhappy path.

    Just implement a password; otherwise, if your biggest concern is "I don't want to give users another password to remember", then use one of the tons of available social logins and be done with it.

    1. 1

      Thanks for the passionate response. Good to know how annoying this can be for people who are not me.

  4. 2

    I'd say that's a great approach to start with. But as the user base grows there is a chance that a considerable portion of users will find it annoying to always have to go to the inbox and only then log in to the product/service.

    Also, even Notion has implemented the password-based login just recently https://twitter.com/NotionHQ/status/1197990669752496128
    It seems like they have reached the point where there were enough users who requested this particular option.

  5. 2

    I liked (and have used) this approach in the past but had some issues with it. In our case, a free registration gave you a public profile page with limited features which turned out to be quite inviting to a lot of spam submissions.

    This led to us having to manage the passwordless registration process a lot more and eventually rolled it out in favour of a password enabled registration.

    Although both the password & passwordless version ended up with the same problems (both gave a public profile page with little effort), the passwordless one exposed the issue a lot more as there was a lower barrier to entry for non-legitimate registrations.

  6. 2

    I implemented it on a few products and my users like it. Especially on those where they have to login once or twice a year and so don't have to bother remembering a password.

  7. 2

    I think existing password-less methods such as email auth have some use-cases. But I wouldn't use it on just anything. For example, part of my product is event registration. I want attendees to have an account of sorts. But I don't want them to need to remember a password or even if they have an account. So I used password-less. The nice thing is that, with password-less, login and sign-up can be indistinguishable. Which works perfectly for that use case.

    However, for the admin dashboard, I use normal password auth. Because most of the users of that use password managers. And when you use a password manager, password-less is actually less convenient.

    As for security, password-less is NO less secure than any password auth where you can reset your password via email. Which is pretty much any password auth.

    Giving a password-less option is great. But I'd recommend also giving the option to have a password. Make it easy for people with password managers too.

  8. 2

    I think it's fundamentally a good move. Though I wish it was a choice and not forced.

    I for one, do not like logging into my email.

    It's also been shown that as soon as you send a user to their inbox, they can get distracted and churn right out of your signup/login.

  9. 2

    I like the social logins with setting a website password; personally it's better than email, because 1. it's the same, Gmail is the email, and 2. no extra clicks and switches around apps/windows.

  10. 1

    Lotta people already mentioned how inconvenient this can be, but drifting away from convenience, what happens when someone hacks your user's email account?

    Password-less login via email is a proven security flaw and should be avoided at all times except if you're doing TF Auth, which shouldn't be the only option a user has to sign in to your app.

  11. 1

    What did you use for your authentication flow? You should check out fellow IHers trykno.com – makes it as easy as one-click login (so the user doesn't have to go to their email) and falls back to magic link if the device is not authorised.

  12. 1

    Bit of a stretch, but Metamask is an Ethereum plugin that has your account. When you log in to an Ethereum site, all you do is essentially sign with the signature stored on the account. So, you go on the website, click the confirm button in the popup from Metamask and you're good to go.

  13. 1

    I think that approach was made popular by Slack when it launched: https://hackernoon.com/magic-links-d680d410f8f7. We always called it the magic link.

  14. 1

    Seems like a decent idea, as long as the account they're logging into meets certain requirements.

    1. Isn't a paid service.
    2. Not an op-ed/social-network service.
    3. Isn't for confidential services like banks, healthcare, etc.

    If I hack your email, that's all I need to access multiple accounts.

    So as a hacker, I'm:
    1. Getting paid services for free
    2. Saying anything I want on social media, as you
    3. etc.

    Having said that, a hacker has a larger agenda than getting free access to your or my paid SaaS service.

    1. 2

      Most passworded services allow you to restore an account by email with nothing else.
      So that is still true today for most services.

      1. 1

        You're absolutely right. I hope we're starting to move away from that more and more.

        1. 1

          It's a security flaw developers overlook. From experience, I've noticed it's most common amongst developers with little to no experience in app security auditing. I remember WordPress used to mail username & password to admins back then before switching.