Password-less, email-only sign-up form. I'll give it a try. What do you think about this type of authentication?
For me as a user, it looks simple and is quick to fill in.
I'm curious how it looks from a security perspective?
I love it. We use passwordless at hookdeck.io (hookdeck.io/signup) and we haven't had a single complaint nor have we seen a significant bounce. It's simple to integrate and you simply can't leak passwords, great pick for a startup. As a caveat, I think that only works if your application can justify a fairly long TTL on your session. For banking and such, a long TTL would come with its own concerns, and asking the user to open their mailbox at every single login would become obnoxious really quickly.
I see that hookdeck has switched to password auth now, may I ask what prompted the change?
Good catch, it's been a little while, but essentially we've found that our users would rather store their passwords in a password manager. Our audience is pretty technical, and nearly everyone uses one!
I'm using it for my current project... really fun.
Really we need figures from the wild, but:
1. Some people say they hate passwordless email logins and claim they refuse to sign up with them (I have no proof if this is true).
2. Passwords are broken, meaning without enforcing strong passwords some of your users will choose ones that are easy to guess (so you may find your service reported as 'hacked'). Passwordless enables you to effectively enforce a certain strength of password. "Educated" users will use a password stronger than the level you enforce (so your passwordless scheme weakens their security).
3. Email was never intended as a secure means to communicate passwords.
4. Email addresses should be encrypted in the database to protect against breaches, which means you send to the submitted email and need to be careful you don't fall for a known obscure email hack.
I'm sure there's more to say but that said, I like them :)
From a perspective point of view I imagine most users would feel ok if the rest of your site looked trustworthy but as said we need figures from the wild really.
I think it is a pretty good idea. The first time I encountered it, it wasn't great because they didn't explain what was going on. More recently, the sites I've encountered it on do a much better job of setting expectations, so I know I will be able to set my own password once I confirm the link I get sent.
The point I take from all this - let the user know what will happen.
as @rab said on point (1), I prefer password to passwordless (but don't hate them).
I think it is more secure, allows easier access with password managers, and doesn't lock me in with a certain mail provider.
I kinda "dislike" passwordless login with magic link though, because I need to open email to login to a website.
Ooh it's interesting to hear someone mention email-vendor lock in. I've always thought that it was uncommon for people to change email providers.
How do you stop spambots from submitting fake emails?
It depends on how the passwordless auth was implemented. For Magic, the passwordless auth company I work for, if a fake email was submitted, the user's account is safe. The token included in the magic link email is only privileged to verify a login request from the device and/or browsing context that initiated the request. An attacker would require physical access to the user's device and unencrypted email inbox to be malicious.
If you're curious to learn more about Magic's passwordless auth security, here's a very awesome article: https://docs.magic.link/security. Hope you enjoy as much as I did 🤓
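To make the device-binding point above concrete (and the earlier caveat about token lifetime), here is an added, self-contained sketch of a magic-link issuer; it is example code written for this thread, not Magic's or Hookdeck's implementation. It assumes an in-memory store, a 15-minute link TTL and a hypothetical `example.invalid` login URL; the class and function names are invented for the illustration. The link token is only honoured when presented together with a browser secret that was handed to the browser that started the login (set as an HttpOnly cookie in a real app), so a link opened elsewhere, a second use, or an expired link all fail. A fake address submitted by a bot creates nothing but a pending record that expires; no account exists until the link is completed from the initiating browser.

```python
import hashlib
import hmac
import secrets
import time

# Assumed lifetime for a magic link; short, because the link sits in a mailbox.
TOKEN_TTL_SECONDS = 15 * 60


def _digest(value: str) -> str:
    """Store only hashes, so a leaked store does not yield usable tokens."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class MagicLinkStore:
    """Hypothetical in-memory issuer of single-use, browser-bound magic links."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # link-token hash -> pending login record

    def start_login(self, email: str):
        """Called when the sign-in form is submitted.

        Returns (link_token, browser_secret). The link_token goes in the
        e-mailed URL; the browser_secret goes back to the submitting browser
        only (e.g. an HttpOnly, SameSite cookie) and never into the e-mail.
        """
        link_token = secrets.token_urlsafe(32)
        browser_secret = secrets.token_urlsafe(32)
        self._pending[_digest(link_token)] = {
            "email": email,
            "browser_hash": _digest(browser_secret),
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return link_token, browser_secret

    def build_link(self, link_token: str) -> str:
        """Hypothetical URL the e-mail would carry; the host is a placeholder."""
        return f"https://example.invalid/login?token={link_token}"

    def complete_login(self, link_token: str, browser_secret: str):
        """Called when the link is opened. Returns the e-mail on success, else None.

        Fails closed when the token is unknown, already used, expired, or
        presented from a browser that did not initiate the request.
        """
        record = self._pending.get(_digest(link_token))
        if record is None or record["used"]:
            return None
        if self._now() > record["expires"]:
            return None
        # Constant-time comparison of the browser binding.
        if not hmac.compare_digest(record["browser_hash"], _digest(browser_secret)):
            return None
        record["used"] = True          # single use: replaying the link fails
        return record["email"]

    def purge_expired(self) -> int:
        """Drop expired records (bot-submitted addresses simply age out)."""
        now = self._now()
        stale = [k for k, r in self._pending.items() if now > r["expires"]]
        for k in stale:
            del self._pending[k]
        return len(stale)


if __name__ == "__main__":
    store = MagicLinkStore()
    token, cookie = store.start_login("alice@example.com")   # constructed sample
    print("mail this:", store.build_link(token))
    print("from the same browser:", store.complete_login(token, cookie))
    print("replayed link:", store.complete_login(token, cookie))
```

In a real deployment the pending records would live in a database keyed by the token hash, the browser secret would be a cookie, and the submission endpoint would still need rate limiting and a CAPTCHA as suggested in this thread, since the binding protects accounts but does not by itself stop a bot from generating outbound mail.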
I think I'd use reCAPTCHA
I don't think just using email for user signup is a bad idea. I'm guessing you'll be sending them a confirmation link so that people just cannot sign up for other people? When they click the confirmation link, they get to pick a password? But then why not just let them pick a password to begin with? Just thinking out loud. I guess the question is what is the signup flow and which would your users find least annoying.
All the best!