- People have already been building auth flows that take this password amnesia into consideration. Look at Anthropic. It's just one way of doing auth and I personally hate it. (by threatofrain - 1 week ago)
- Email accounts are the highest common denominator in online authentication. Phones are competitive, but people lose phones. Phone numbers are more common and durable, but the security of phone numbers is leagues below that of a flagship provider email account. It makes sense that so many authentication flows work this way. (by tptacek - 1 week ago)
When designing a "fantasy football" alternate authentication system for the Internet, start with account recovery: what happens when a user loses your fancy authenticator? If the answer is "they just don't get access anymore" or "a panel of their peers attests to them", your fantasy authentication system also needs a fantasy species of sentient beings to serve as users, because it won't work for humans.
- I never thought of using password reset as a permanent authentication method. Ingenious! (by ivanjermakov - 1 week ago)
Except when the service throws you back to the login page to authenticate with a fresh password you just typed in the reset form.
- As long as the email account is secure, and the throw-away one-time passwords are good, you have the frequent-rotation passwords security advocates dream about. Indeed, hand them a secure password they have to use (and forget). (by jonnycomputer - 1 week ago)
- “It offers a guaranteed, repeatable, low-effort solution” (by prng2021 - 1 week ago)
Doesn’t this answer the question? I would have preferred to read and discuss what they believe to be better alternatives.
- You posit a good question but it would be interesting to take a step further and discuss some potential alternatives, or expand on why "email is authentication" is/isn't the best option there is. (by Hugsun - 1 week ago)
- I’ll be hyperbolic and say the login flow is identical. (by paulgerhardt - 1 week ago)
A) Go to website, click through a password manager to copy and paste an arbitrary string of characters, receive TOTP request sent to your email to confirm your identity.
Or
B) Go to website, click forgot my password. Receive link to login. Enter an arbitrary string of characters.
In many instances, login flow B is actually quicker and seldom slower.
Clicking the “remember me” checkbox has no effect.
- Somewhat related discussion from yesterday: https://news.ycombinator.com/item?id=41468486 (by cyrnel - 1 week ago)
- Some apps enforce this flow, e.g. there is no way to log in with a password. I hate this. (by jwr - 1 week ago)
Because the developers of these apps assume that E-mail guarantees instant delivery (it doesn't), I can't use greylisting, which reduced spam very significantly.
- Because websites used emails as an identity, strictly in order to stop malicious use. (by TZubiri - 1 week ago)
An email ties a user to a domain, the domain issues a user for them. If too many users from a domain are malicious, the website can block the domain.
It's a matter of identity and accountability.
- At this point why not just pass a one-time url link to your email address, and have it be a single click to login? Have it expire within 10 mins if not used, and be one-time use disposable. Still, anyone who has the link initially should be able to login with your account - but it's only accessible from your email. (by dogcomplex - 1 week ago)
Obliterates all sense of security beyond the email account itself, but that's where we're at anyway. Do the same pattern with a message to your phone "click to authenticate login: www.someurl.com?p=134234535" and you've got 2FA without any dumb "enter this code".
- Identity is tricky. Proving who you are depends on a certain level of trust. Whether it's through email, devices, phones, or, in more advanced settings, some sort of digital certificate; you won't have many options. (by fmeyer - 1 week ago)
Unless you're in Germany using a service provided by the Vogons, you might end up getting a letter containing an activation PIN via snail mail or, worse, having to visit the post office to show your passport.
- The second component of this, for people who don't care to keep good track of their passwords, is that their email passwords are usually memorable in the wrong way. So both your mail and all the dependent services are all held together with the same weak clip. (by gmuslera - 1 week ago)
Double factor improved this a bit, or at least made it harder for some of the players to break into this, and simplified the process for some others.
- The problem is just that despite all the advantages it would bring, people won't pay for auth as a service, where your identity is tied to accounts outside of an email address, and you (say) get a browser/phone notification to log in when you log in with MyAuthProvider and it's quick. They'd rather go through the email route, which is the same thing but slower and goes via Google. (by robertlagrant - 1 week ago)
- I swear the McDonald’s app for the U.S. works like this on purpose. I’m prompted for my email and then they send me a link. They never ask me to set up a password. (by jt2190 - 1 week ago)
- > When I ask people why they do this, they either don’t have an answer, or respond with “huh, I never thought about why”. And that’s interesting to me. (by tqi - 1 week ago)
I do this because I don't care enough about the particular account or use it frequently enough to put more effort into it.
- Interestingly enough, that is the login flow Figma is using with my account. I provide my email address, and get an email that contains a link to log me in. (by MrGilbert - 1 week ago)
I remember having seen this idea at other places before. I don't really like it, because for me, using a password manager makes everything already quite convenient.
- I’ve seen sites that cut out the forgotten password step, or passwords entirely… email is the authentication. (by al_borland - 1 week ago)
1. Type in email address
2. Get sent an email with a code
3. Enter code to login
While I can understand why someone might do this, as someone with multiple emails I kind of hate it. I had to add it to my password manager with the email and a note, so I remember which one to use and it’s not missing a password.
- I'm surprised we don't have a standardized, cross-browser, simple, email-based authentication system. (by miki123211 - 1 week ago)
Basically something like this:
1. Website generates random string as challenge, sends to Browser, invokes API via JS on the client side.
2. Browser asks user to select the email to use, allows adding a new one.
3. Browser sends its auth token and challenge string to Browser Maker, Browser Maker verifies that the auth string is valid, signs email address and challenge with its public key, transmits signature back to Browser.
4. Browser sends data back to Website, Website verifies that the signature matches and that Vendor is trusted, lets user in.
As an extra precaution against Vendor being hacked, Email providers could implement support for the system. Compliant providers would handle the email verification flow themselves, informing Browser maker when done and sending an extra certificate. Websites would then refuse to accept any logins where Email Provider indicated support (via DNS records) but its certificate wasn't included.
This would also make the system usable in small (and therefore untrusted) browsers, as long as the email provider implemented support.
It would even improve privacy: Browser Maker and Email Provider would only ever see the random challenge string, which would make it impossible to track the websites you visit.
The idea isn't hard to implement, we've had the tech to do it since the 90's (US restrictions on crypto notwithstanding). What we have instead is a mess of passwords that nobody can remember and proprietary authentication flows with horrible developer experience, terrible privacy issues and spotty website support.
- I wish sites would acknowledge the need for a nerd mode that gets rid of all the stuff that annoys nerds and is essentially password or lockout, no resets. Enable reset methods or 2fa at your own whim. (by eaglemfo - 1 week ago)
For the rest you can do weird stuff that doesn't work on nerds.
- Well, yeah, “magic link” is a thing and one of the easiest forms of authentication supported by many providers, like Supabase, Vercel and libraries like Next Auth. (by monus - 1 week ago)
Another great side effect is that your backend doesn’t have to store user passwords which means removal of a lot of compliance headaches.
- I am one of those people who always clicks "forgot password", and sorry but it's actually fine. I type a long, completely nonsense sequence of words and characters for my new password, then ctrl-c to copy, then log in with that password, and then promptly forget it. (by montroser - 1 week ago)
It cannot be more secure to store it in a password manager than not to store it at all. The email recovery path exists in either case, so that part is a wash.
- When you sign in at Home Depot, it defaults to sending you an email that you can click to sign in. And I absolutely hate it. (by OptionOfT - 1 week ago)
There is a tiny link at the bottom that allows you to sign in with a password, which I prefer.
- Any strong 2 factor authentication without the kind of high touch processes that a bank can afford is a corporate suicide pact. 10% or so of your users will be permanently locked out each year, and once you get past the explosive early growth phase, instead of a near steady state you get radioactive decay. (by PaulHoule - 1 week ago)
- you could make a password optional and just login from email. (by throwaway14356 - 1 week ago)
I will share this great innovation of mine:
The location.hash is not sent to the server. You can javascript it into a POST rather than a GET.
- A physical key you have put in your computer and store on your keychain. (by mozzieman - 1 week ago)
- not sure I get what this article's point is (by deisteve - 1 week ago)
it's the go-to pattern because it's the most resilient and intuitive
we've been using emails for a long time and it makes sense that it became the go-to authentication method
- This is actually a really good use-case for PGP. Opt-in use to upload the pubkey and, if provided, encrypt automated e-mails like auth links and password reset. (by 3np - 1 week ago)
Facebook supported this for years, not sure why they recently deprecated it.
- I hadn't realised until reading this that I use this exact method for Best Buy. (by melody_calling - 1 week ago)
Not intentionally though - I have my password stored in 1Password, so I know it's correct, yet every time I try to purchase something through bestbuy.com I trip some sort of ATO protection that falsely claims my password is invalid.
I'm entirely willing to believe it's something on my side (ad blocker, local DNS blacklisting, etc.) but after a certain number of occurrences, you get bored trying to debug the problem and just follow the path of least resistance.
- With email being the source of identity on the internet, it's really unfortunate that the standards have largely lagged heavily behind when it comes to stronger authentication algorithms. Why is SMTP still plaintext on port 25 for MTA<->MTA? Why is STARTTLS really the best we can do? Why do we not support 2FA or mTLS or passkeys or any one of the other modern authentication mechanisms for IMAP4, SMTP, etc.? ProtonMail is ok but the hoops they have to jump through to get their stuff working is obnoxious. (by packetlost - 1 week ago)
- The thing is, the moment some service allows you to recover your password through email, this becomes a legitimate pattern. As long as the throwaway password is reasonably complex, the service becomes as secure as email can be (which is imperfect). (by charles_f - 1 week ago)
- For seldom used (or cared about) accounts, this is pretty low friction, and most of those will keep you logged in for an extended period of time. (by gunapologist99 - 1 week ago)
From the perspective of one of these people, why even bother with trying to remember a login or dealing with tools you don't have, like if you don't even have a password manager or know that they exist.
From a systems and security perspective, it could be worse. They could be reusing passwords.
- > and whether we can take advantage of people’s tendencies towards learned behaviour like this. (by csomar - 1 week ago)
Isn't that what some services are doing already? There is no password in Notion, you just enter your email and the password is sent to your email address.
Login with Email is like a primitive "Login with Google" where the user himself transfers the authentication token. It's still better in one area: no lock-in to a particular cloud provider. However, it doesn't address security, it just concentrates it in one place. Lose your email and now you have a much bigger problem.
- User researchers are great at making these kinds of discoveries. The basic idea is that you've got to actually watch a user when they use your site, ask some questions about what they are seeing and thinking. (by 8organicbits - 1 week ago)
- Disclaimer: I loathe this pattern & hope something like WebAuthn prevails instead. (by runako - 1 week ago)
That said, if folks are going to adopt this as a primary flow, perhaps email clients need to build in support. For OS providers like Apple, maybe this means less emphasis on the easy Passkey method and more on fixing the finicky email login flow that sites use instead?
What would a good email login flow look like? What is the "password manager" equivalent in a magic link world? On something like iOS or MacOS with Safari, could the browser/app & email client communicate to make the login seamless (after the email delay)?
Are new OS-level APIs needed for native apps such that they don't require switching apps to login? (This is a truly awful workflow.)
Should sites stop making people register with passwords at all? What is the point of passwords when auth is primarily handled through magic links?
- I used to follow this process for many of my logins (the less critical ones) before password managers were mainstream, and it was a conscious decision to do so. (by pflenker - 1 week ago)
It’s more secure than a) reusing an existing password everywhere and b) setting a trivial password that _just_ passes the site’s password requirements.
You can’t expect me to memorize all passwords for all different logins, especially the ones for less important sites, and especially if these sites impose their ridiculous password restrictions on me.
- This is why I've been relying on magic links via email as a sign-in/up method for my applications. Users will either default to oAuth OR they will use some generic email/password combo. The magic-link works for both sets of users and ensures that they always have instant access without having to manage yet another password. (by ramijames - 1 week ago)
- At this point, wouldn't "email authentication" simply be OpenID? (by sgoto - 1 week ago)
- > why they do this (by gloosx - 1 week ago)
There is always a simple answer to such a question, and it's usually about some inconvenience the service provider decided to set up for the user. In this particular case I think the answer is obvious: email providers usually have a session which never really ends, and just sits there logged in unless the browser cache is wiped.
Make your service's auth token live for the same time as Gmail's, and as an alternative give users the ability to just login with OTP every time, but stop these unholy 12-hour time-to-live auth token practices - your users will never log in via password restore again.
- If I launched a startup I would absolutely use magic links for auth. Minimum friction for users. (by RockRobotRock - 1 week ago)
As a user, I hate it.
- It’s because passwords suck. (by treflop - 1 week ago)
You’re supposed to not reuse passwords, but then you don’t remember passwords.
So you use a password manager. Until more recently when phones and computers came with built-in password managers, no normal person was going to download a password manager.
But even when you use a password manager, sometimes it doesn’t recognize the form fields. Or it doesn’t show it because the domain is different. Sometimes it doesn’t save a new login. The website has no direct awareness of the password manager so it’s hit and miss.
So we created passkeys. Except it’s also hit and miss. Some sites only sometimes ask for them. No site explains what they are. Some sites ask you to login with a passkey, which you wouldn’t have yet, but then don’t ask you to set up the passkey after logging in with a password, so you never set up a passkey.
Overall authentication is a disaster and my very fiery take is that overly technical people who are out of touch with normal people design authentication.
- When I ask people why they do this, they either don’t have an answer, or respond with “huh, I never thought about why”. And that’s interesting to me. (by wruza - 1 week ago)
Is that a storytelling touch? Users aren’t dumb or unreflective, they know that they have nowhere to store their passwords, that’s why. Even if they are aware of password managers, they can work on a shared cloud pc, so switching PM accounts would be a bigger hassle.
How do you decide that using “I forgot my password” as authentication makes sense to you?
A “trash category” site that didn’t bother to tag its username/password/etc elements as password-saveable, thus my PM didn’t ask to save the password. That is usually enough to not give af about saving it. Happens more often than you might think.
- I use this for webpages that have weird requirements for passwords. I can never remember what I enter on those so … (by wodenokoto - 1 week ago)
- A lot of sites are moving to OTP instead of passwords now. (by obscuretone - 1 week ago)
Make Auth Gmail’s problem.
It’s not a horrible idea in theory.
- Their motivation is immediately clear to me. If you use "I forgot my password" you don't have to remember a password. And it doesn't even make your account less secure, since that pathway was going to be available to attackers regardless. I've seen websites that make that their default flow, arguing (implicitly) that having passwords at all is pointless when you can just email someone a login button, skipping a step. (by soerxpso - 1 week ago)
Personally, I hate it. I don't trust my email, hate that it's a single point of failure for dozens of accounts (it's not "2FA" if the second factor is the only one I need), and I'd prefer to log in with a password without any option to reset it. But alas.
- Wow, that's awful. So they abuse "forgot your password" as a login method, with the added obstacle of having to come up with a random password every time. And they don't see any problem with it. My hunch is that all these people are very non-technical users. (by SPBS - 1 week ago)
- And then you are blocked by google. (by rmrfchik - 1 week ago)
- The most common login process in China: (by tsing - 1 week ago)
1. Enter phone number to receive a six-digit code
2. Enter the code
- This one is easy: (by PeterStuer - 1 week ago)
First of all, 'real' people do not use password managers, and they feel a slight suspicion towards the browser 'remember password' dialog so they decline.
They also have some boomer uncle that told them 'never to write down passwords' from the days when people post-it them to the monitor in shared office spaces.
They also know 'not to reuse passwords' because if one site gets pwned your password for everything is out there.
So they develop a heuristic for mutating their 'master' password depending on the site or app, only to get thwarted by insane (not an exaggeration) password requirement rules.
So they have to deviate from their heuristic, and will not remember the password they had to make up on the spot next time around, so a reset password email it is.
Bonus: they make up a new password, only to be informed they can not reuse a previously used password. XD
- Login and authentication are a really big deal, and represent some of the most complex code, in one of my apps. (by ChrisMarshallNY - 1 week ago)
In fact, I just made a release last night, to try ensuring that we reduce the number of bad emails (I thought I could get away with eschewing the traditional “confirm email” thing. I was wrong. There’s a reason the classics are popular).
Since it is an iOS app, I can implement Sign in/up with Apple, which helps a lot.
It’s still a work in progress, though. I use the Keychain to store login info, with Face/Touch ID, to smooth the login process. Works fairly well.
- A few services are just bypassing passwords and emailing you one time codes these days and it isn't the worst idea for exactly this reason. (by protocolture - 1 week ago)
- at least for my privacy-conscious web apps I don't even expect email for login, just a username and password. (by thepra - 1 week ago)
And if people really want to enable password recovery then they add their email into their profile and that data point is only used for that.
It might bother some, but I don't really want to require emails for privacy related services. My two cents.
- > I think people can’t answer why they do this because it’s not a conscious decision (by kookamamie - 1 week ago)
It's because that's simply the most convenient way of accessing the service. There are tens of services people use these days and passwords are seen as a nuisance. If there's an easier way of logging in, people will use it - no matter the security implications.
- The idea that someone is going to invent and remember a password for every dumb service is not real, and when you build another password based authentication system, you are doing a kind of LARP. (by thatjoeoverthr - 1 week ago)
Passwords are used in one of two ways:
1. a password manager guarded by a single actual password
2. the same password repeated between services
Practically every service offers e-mail recovery, so, in practice, your e-mail is your authentication.
Personal e-mail accounts are rarely replaced, not shared, and aren't reused. You've probably had your personal e-mail longer than your phone number. I've had at least five phone numbers in the lifetime of my current e-mail address. Other people now have those numbers.
- In general, I really am disturbed that so many websites use my email and phone number for authentication. I use authenticator and password manager apps for a reason. Using my email and phone number is both unsafe and was never approved by me. They just started doing it. Further, there's no way to turn it off. (by bmitc - 1 week ago)
- What are the other potential problems of the "email is authentication" pattern, under the following prescribed conditions? Maybe just these two? (by will1james - 1 week ago)
(Prescribed Conditions)
- "Credential Recovery" complies with OWASP ASVS and is "adequately secure".
- "Credential Recovery" is the "weakest link" of authentication. (Other authentication methods require TOTP, etc.)
(Potential Problems)
- The financial cost of sending emails.
- End-to-end response time for the "Credential Recovery" authentication process.
- My guess is that, since I could not find news of this issue, these users are only a small percentage (hopefully not yet).
(Non-problems)
- My guess is that users who choose "Credential Recovery" authentication over other "happy-path" authentication are willing to wait, or are used to waiting.
- If the above conditions are specified, authentication security is not compromised.
(Terms)
- "Credential Recovery" as in OWASP ASVS V2.5 Credential Recovery, or "Self-service password reset" as in Wikipedia, or "forgot password" flow.
https://en.wikipedia.org/w/index.php?title=Self-service_pass... https://owasp.org/www-project-application-security-verificat... https://github.com/OWASP/ASVS/raw/v4.0.3/4.0/OWASP%20Applica...
- "adequately secure" as in NIST SP 800-160 Vol. 1 Rev. 1, 3. System Security Concepts, 3.2. The Concept of an Adequately Secure System.
https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...
- For most people, doing stuff on computers is a matter of brute forcing it until it kinda does what it's supposed to. Software is made by people who have an intricate understanding of how the underlying system works, but it's made for people who don't. When users get to a pattern that works, they stick with it. It's becoming even more common now that many schools are using tablets for education - they don't get a good feel for how a computer works. Most people don't think about it. It's just there, and they're used to things being broken, so what's a few extra clicks? (by fredsted - 1 week ago)
- How do you deal with the situation that you lost access to an email address (e.g. change of employer) and years later you want access to an account that turns out to be tied to that email address? (by amelius - 1 week ago)
- We run a pretty unserious business. That is, our users use our accounts only out of convenience. The system we've settled on is this: (by lwansbrough - 1 week ago)
1. User enters email
2. We send a verification code to their email
3. User enters code, is signed in "indefinitely" (very, very long cookie)
Whether or not they had an account beforehand is irrelevant, we just register a new account if the email is new. The occasional user has multiple emails and sometimes creates a new account accidentally. This is an acceptable disadvantage as we've observed dramatic improvements in registration and sign in conversions.
There is some risk analysis to do here on the code lifetime and cardinality (better yet, use a lockout mechanism.) If your service isn't particularly important, I recommend this strategy.
Mail on iOS now supports this type of mechanism too (same as the Messages one-time code functionality) so it can be quite painless for some users as well.
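The flow lwansbrough describes (email in, code sent, code redeemed, long-lived session), with the safeguards mentioned in this thread, namely the 10-minute expiry and one-time use from dogcomplex's comment and the attempt lockout from the comment above, as an added example that is not code from any commenter's service. Email delivery is assumed to happen elsewhere; `outbox` is a constructed stand-in so the example runs offline.

```python
"""Email one-time-code login store (added example, not any commenter's code).

Only a hash of the code is stored, the code expires after 10 minutes, it can
be redeemed once, and a six-digit code is locked after a few wrong guesses so
that its small keyspace cannot be guessed through. A successful redeem also
registers the address if it is new, as the comment above describes.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 10 * 60            # unused codes expire after 10 minutes
MAX_ATTEMPTS = 5                      # lock the code after this many wrong guesses
SESSION_TTL_SECONDS = 90 * 24 * 3600  # the "very, very long cookie"


@dataclass
class PendingCode:
    email: str
    token_hash: bytes   # hash only; the plaintext code exists only in the email
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class Session:
    email: str
    expires_at: float


class EmailLogin:
    def __init__(self, clock=time.time):
        self.clock = clock                          # injectable for testing expiry
        self.pending: dict[str, PendingCode] = {}   # keyed by normalised email
        self.sessions: dict[str, Session] = {}      # keyed by session id
        self.users: set[str] = set()
        self.outbox: list[tuple[str, str]] = []     # constructed stand-in for SMTP

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def request_code(self, email: str) -> None:
        """Steps 1 and 2: user enters an email, we send a fresh one-time code.

        Requesting again replaces any earlier code, so an old code cannot
        outlive the newer one.
        """
        email = self._norm(email)
        code = f"{secrets.randbelow(10**6):06d}"    # six digits, CSPRNG
        self.pending[email] = PendingCode(
            email=email,
            token_hash=self._hash(code),
            expires_at=self.clock() + CODE_TTL_SECONDS,
        )
        self.outbox.append((email, f"Your login code is {code}"))

    def redeem(self, email: str, code: str) -> str | None:
        """Step 3: check the code; return a session id on success, else None."""
        email = self._norm(email)
        rec = self.pending.get(email)
        if rec is None or rec.used:
            return None
        if self.clock() > rec.expires_at:
            del self.pending[email]                 # expired: must request again
            return None
        if rec.attempts >= MAX_ATTEMPTS:
            return None                             # locked, even for the right code
        rec.attempts += 1
        if not hmac.compare_digest(rec.token_hash, self._hash(code)):
            return None
        rec.used = True                             # single use
        self.users.add(email)                       # register on first login
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(email, self.clock() + SESSION_TTL_SECONDS)
        return sid

    def whoami(self, sid: str) -> str | None:
        """Resolve a session cookie to the logged-in email, or None."""
        s = self.sessions.get(sid)
        if s is None or self.clock() > s.expires_at:
            return None
        return s.email
```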
- This is essentially the same as "sign in with Google / Facebook / etc." with added pain for the user. (by osigurdson - 1 week ago)
- I think it should be entirely oauth. no password needed (by coding123 - 1 week ago)
- If passwordless sign in is good enough for Booking.com, it’s certainly good enough for any app that I ship. (by mplewis - 1 week ago)
- Sometimes email is the best way. Like if you are constantly posting files to third-party file hosting services (Box, Dropbox, etc.) that are not tied to AD of the recipient you have to have a way to ensure that only people currently working at the company can access the content. SMS and TOTP do not solve this problem in the same way that email does. (by internet101010 - 1 week ago)
- > What if we could somehow design systems so that the people who use them evolve to use them in better ways? (by zeroimpl - 1 week ago)
I hate when people suggest that there is something insecure about using the password reset feature. Whether I chose to use it to get into my account without a password has no impact on the security of the account. The mere presence of this feature is what’s determining the security of my account.
Similarly, some services I use prompt me to verify via SMS or Email after I input the password, but oddly imply that using SMS is more secure than email. Makes no sense to me since either way the OTP should only be usable on this one session, and even if one is a less secure channel, it’s the presence of the weaker option in the first place that’s the problem, not the choice made by the user.
- Recently I had a harsh experience with my AWS account. I made a dumb thing: my email inbox is registered under a domain, and somehow my domain's MX record is gone and I can not receive email from AWS to authenticate to the right account to fix that MX record. So I am permanently banned from that account due to the policy of AWS. (by Summerbud - 1 week ago)
Quite silly, yes. At the same time, I do think this scenario can represent a possibility when people need to rely on only one way to authenticate their entry. That is really frustrating when you make a dumb thing under this circumstance.
- There are two (deep) thoughts about this article. (by cx42net - 1 week ago)
First, about using the "Lost password", saying “huh, I never thought about why” is an easy way out with not much research from the author (sorry). One of the main reasons people do that is that websites are enforcing dumb rules for a password that users tend to repeat on every website (Your password must be 16 chars long, with lower and upper case, numbers and special characters. No more than 2 identical characters in a row ... yes ... I'm looking at you Twilio.com). Of course in that scenario I'll hit my keyboard in a random way and never login using my password.
But this article leads to the alternative; login via email. Some HNers here have mentioned having implemented that on their website, either by sending a one-time login link, or a verification code by email. We did that too for ImprovMX.com initially, and it has a lot of advantages (no password, no password-lost flow, no security measures for storing the password, etc). But it turns out it also has quite a few downsides that we haven't thought about:
1. Emails get lost. We had quite a few support requests because users couldn't connect to our service because the login email never arrived. This is a major issue, mainly when a user wanted to upgrade but couldn't because of that. If you decide to implement this, you must use a really good email provider (Postmark is really good. Mailgun, not so much)
2. Emails are async. When your user goes to your website, they want to connect now. Waiting for an email can take quite some time and they might lose focus
3. Security "measures" will tell you to not indicate if the email you entered is valid or not, to avoid listing your users (... I won't go in that); If you implement login by email, it means your user will enter their supposed email, you'll tell them something like "If your email is registered on our website, you'll receive a one time login link", wait what feels like an eternity to get the login email in their inbox, and at some point wonder if the email they entered was the right one. Will try another, wait, rinse and repeat.
So yeah, relying on email moves all the security issues and added workflow back to a trusted service (login/lost password/2FA/OTP/etc to services like Gmail) but it will definitely add friction too.
In the end, it depends on what service you offer.
- This is why I skip the password step altogether. (by ddmf - 1 week ago)
We do have a list of customer email addresses already linked to the information they can view - if they enter their email address and it's in the list they get a link that will log them in for 12 hours and can see their associated data. If their email address isn't registered they're told to speak with their sales rep.
This of course trusts that email accounts are the highest level of security a user has, which it should be because so much relies on it these days.
- booking.com natively supports this "email is authentication" pattern, so you don't even have to change your password and come up with a throw-away password. They just send you a link by email, you click the link, and you are logged in. (by abareplace - 6 days ago)