When designing a "fantasy football" alternate authentication system for the Internet, start with account recovery: what happens when a user loses your fancy authenticator? If the answer is "they just don't get access anymore" or "a panel of their peers attests to them", your fantasy authentication system also needs a fantasy species of sentient beings to serve as users, because it won't work for humans.

1. User enters email

2. We send a verification code to their email

3. User enters code, is signed in "indefinitely" (very, very long cookie)

Whether or not they had an account before hand is irrelevant, we just register a new account if the email is new. The occasional user has multiple emails and sometimes creates a new account accidentally. This is an acceptable disadvantage as we've observed dramatic improvements in registration and sign in conversions.

There is some risk analysis to do here on the code lifetime and cardinality (better yet, use a lockout mechanism.) If your service isn't particularly important, I recommend this strategy.

Mail on iOS now supports this type of mechanism too (same as the Messages one-time code functionality) so it can be quite painless for some users as well.

Obliterates all sense of security beyond the email account itself, but that's where we're at anyway. Do the same pattern with a message to your phone "click to authenticate login: www.someurl.com?p=134234535" and you've got 2FA without any dumb "enter this code".

Passwords are used in one of two ways:

1. a password manager guarded by a single actual password

2. the same password repeated between services

Practically every service offers e-mail recovery, so, in practice, your e-mail is your authentication.

Personal e-mail accounts are rarely replaced, not shared, and aren't reused. You've probably had your personal e-mail longer than your phone number. I've had at least five phone numbers in the life time of my current e-mail address. Other people now have those numbers.

There is always a simple answer to such question, and it's usually about some inconvenience the service provider decided to set-up for the user. In this particular case I think the answer is obvious: email provider usually have a session which never really ends, and just sits there logged in unless the browser cache is wiped.

Make your service auth token to live for the same time as Gmail's, and as an alternative give users an ability to just login with OTP every time, but stop these unholy 12 hrs time-to-live auth token practices - your users will never log-in via password restore again.

1. Type in email address

2. Get sent and email with code

3. Enter code to login

While I can understand why someone might do this, as someone with multiple emails I kind of hate it. I had to add it to my password manager with the email and a note, so I remember which one to use and it’s not missing a password.

Not intentionally though - I have my password stored in 1Password, so I know it's correct, yet every time I try to purchase something through bestbuy.com I trip some sort of ATO protection that falsely claims my password is invalid.

I'm entirely willing to believe it's something on my side (ad blocker, local DNS blacklisting, etc.) but after a certain number of occurrances, you get bored trying to debug the problem and just follow the path of least resistance.

A) Go to website, click through a password manager to copy and paste an arbitrary string of characters, receive TOTP request sent to your email to confirm your identity.

Or

B) Go to website, click forgot my password. Receive link to login. Enter an arbitrary string of characters.

In many instances, login flow B is actually quicker and seldom slower.

Clicking the “remember me” checkbox has no effect.

Personally, I hate it. I don't trust my email, hate that it's a single point of failure for dozens of accounts (it's not "2FA" if the second factor is the only one I need), and I'd prefer to log in with a password without any option to reset it. But alas.

It’s more secure than a) reusing an existing password everywhere and b) setting a trivial password that _just_ passes the site’s password requirements.

You can’t expect me to memorize all passwords for all different logins, especially the ones for less important sites, and especially if these sites impose their ridiculous password restrictions on me.

Is that a storytelling touch? Users aren’t dumb or unreflective, they know that they have nowhere to store their passwords, that’s why. Even if they aware of password managers, they can work on a shared cloud pc, so switching PM accounts would be a bigger hassle.

How do you decide that using “I forgot my password” as authentication makes sense to you?

A “trash caregory” site that didn’t bother to tag its username/password/etc elements as password-saveable, thus my PM didn’t ask to save the password. That is usually enough to not give af about saving it. Happens more often than you might think.

Doesn’t this answer the question? I would have preferred to read and discuss what they believe to be better alternatives.

An email ties a user to a domain, the domain issues a user for them. If too many users from a domain are malicious, the website can block the domain.

It's a matter of identity and accountability.

Except when the service throws you back to the login page to authenticate with a fresh password you just typed in the reset form.

For the rest you can do weird stuff that doesn't work on nerds.

I hate when people suggest that there is something insecure about using the password reset feature. Whether I chose to use it to get into my account without a password has no impact on the security of the account. The mere presence of this feature is what’s determining the security of my account.

Similarly, some services I use prompt me to verify via SMS or Email after I input the password, but oddly imply that using SMS is more secure than email. Makes no sense to me since either way the OTP should only be usable on this one session, and even if one is a less secure channel, it’s the presence of the weaker option in the first place that’s the problem, not the choice made by the user.

You’re supposed to not reuse passwords, but then you don’t remember passwords.

So you use a password manager. Until more recently when phones and computers came with built-in password managers, no normal person was going to download a password manager.

But even when you use a password manager, sometimes it doesn’t recognize the form fields. Or it doesn’t show it because the domain is different. Sometimes it doesn’t save a new login. The website has no direct awareness of the password manager so it’s hit and miss.

So we created passkeys. Except it’s also hit and miss. Some sites only sometimes ask for them. No site explains what they are. Some sites ask for you to login with a passkey, which you wouldn’t have yet, but then don’t ask you to setup the passkey after logging in with a password, so you never set up a passkey.

Overall authentication is a disaster and my very fiery take is overly technical people who are out of touch with normal people design authentication.

That said, if folks are going to adopt this as a primary flow, perhaps email clients need to build in support. For OS providers like Apple, maybe this means less emphasis on the easy Passkey method and more on fixing the finicky email login flow that sites use instead?

What would a good email login flow look like? What is the "password manager" equivalent in a magic link world? On something like iOS or MacOS with Safari, could the browser/app & email client communicate to make the login seamless (after the email delay)?

Are new OS-level APIs needed for native apps such that they don't require switching apps to login? (This is a truly awful workflow.)

Should sites stop making people register with passwords at all? What is the point of passwords when auth is primarily handled through magic links?

I remember having seen this idea at other places before. I don't really like it, because for me, using a password manager makes everything already quite convenient.

I do this because I don't care enough about the particular account or use it frequently enough to manage put more effort into it.

First of all, 'real' people do not use password managers, and they feel a slight suspicion towards the browser 'remember password' dialog so rhey decline.

They also have some boomer uncle that told them 'never to write down passwords' for the days where people post-it them to the monitor in shared office spaces.

They also know 'not to reuse passwords' because if one site gets powned your password for everything is out there.

So they develop a heuristic for mutating their 'master' password depending on the site or app, only to get thwarted by insane (not an exaggeration) password requirement rules.

So they have to deviate from their heuristic, and will not remember the password they had to make up on the spot next time around, so a reset password email it is.

Bonus: they make up a new password, omly to be informed they can not reuse a previously used password. XD

Quite silly, yes. At the same time, I do think this scenario can represent a possibility when people need to rely on only one way to authenticate their entry. That is really frustrating when you make dumb thing under this circumstance.

Because of the developers of these apps assuming that E-mail guarantees instant delivery (it doesn't), I can't use greylisting, which reduced spam very significantly.

We do have a list of customer email addresses already linked to the information they can view - if they enter their email address and it's in the list they get a link that will log them in for 12 hours and can see their associated data. If their email address isn't registered they're told to speak with their sales rep.

This of course trusts that email accounts are the highest level of security a user has, which it should be because so much relies on it these days.

Isn't that what some services are doing already? There is no password in Notion, you just enter your email and the password is sent to your email address.

Login with Email is like a primitive "Login with Google" where the user himself transfer the authentication token. It's still better in one area: no lockdown to a particular cloud provider. However, it doesn't address security, it just concentrate it in one place. Lose your email and now you have a much bigger problem.

In fact, I just made a release last night, to try ensuring that we reduce the number of bad emails (I thought I could get away with eschewing the traditional “confirm email” thing —I was wrong. There’s a reason the classics are popular).

Since it is an iOS app, I can implement Sign in/up with Apple, which helps a lot.

It’s still a work in progress, though. I use the Keychain to store login info, with Face/Touch ID, to smooth the login process. Works fairly well.

There is a tiny link at the bottom that allows you to sign with a password, which I prefer.

From a perspective of one of these people, why even bother with trying to remembering a login or dealing with tools you don't have, like if you don't even have a password manager or know that they exist.

From a systems and security perspective, it could be worse. They could be reusing passwords.

Unless you're in Germany using a service provided by the Vogons, you might end up getting a letter containing an activation PIN via snail mail or worst having to visit the post office to show your passport.

Double factor improved a bit this, or at least made it harder to break into this to some of the players, and simplified the process for some others.

It's because that's simply the most convenient way of accessing the service. There are tens of services people use these days and passwords are seen as a nuisance. If there's an easier way of logging in, people will use it - no matter the security implications.

Basically something like this:

1. Website generates random string as challenge, sends to Browser, invokes API via JS on the client side.

2. Browser asks user to select the email to use, allows adding a new one.

3. Browser sends its auth token and challenge string to Browser Maker, Browser Maker verifies that the auth string is valid, signs email address and challenge with its public key, transmits signature back to Browser.

4. Browser sends data back to Website, Website verifies that the signature matches and that Vendor is trusted, lets user in.

As an extra precaution against Vendor being hacked, Email providers could implement support for the system. Compliant providers would handle the email verification flow themselves, informing Browser maker when done and sending an extra certificate. Websites would then refuse to accept any logins where Email Provider indicated support (via DNS records) but its certificate wasn't included.

This would also make the system usable in small (and therefore untrusted) browsers, as long as the email provider implemented support.

It would even improve privacy, Browser Maker and Email Provider would only ever see the random challenge string, which would make it impossible to track the websites you visit.

THe idea isn't hard to implement, we've had the tech to do it since the 90's (US restrictions on crypto notwithstanding). What we have instead is a mess of passwords that nobody can remember and proprietary authentication flows with horrible developer experience, terrible privacy issues and spotty website support.

1. Enter phone number to received a six digits code 2. Enter the code

Facebook supported this for years, not sure why they recently deprecated it.

its the go to pattern because its the most resilient and intuitive

we've been using emails for a long time and it makes sense that it became the go to authentication method

And if people really want to enable password recovery then they add their email into their profile and that data point is only used for that.

It might bother some, but I don't really want to require emails for privacy related services. My two cents.

As a user, I hate it.

Make Auth Gmail’s problem.

It’s not a horrible idea in theory.

It cannot be more secure to store it in a password manager than not to store it at all. The email recovery path exists in either case, so that part is a wash.

I will share this great innovation of mine:

The location.hash is not send to the server. You can javascript it into a POST rather than a GET.

First, about using the "Lost password", saying “huh, I never thought about why” is an easy way out with not much of a research from the author (sorry). One of the main reason people do that is because websites are enforcing dumb rules for a password that user tend to repeat on every websites (Your password must be 16 chars long, with lower and upper case, numbers and special characters. No more than 2 identical characters in a row ... yes ... I'm looking at you Twilio.com). Of course in that scenario I'll hit my keyboard in a random way and never login using my password.

But this article leads to the alternative; login via email. Some HNers here have mentioned having implemented that on their website, either by sending a one-time login link, or a verification code by email. We did that too for ImprovMX.com initially, and it has a lot of advantages (no password, no password-lost flow, no security measures for storing the password, etc). But it turns out it also have quite a few downside that we haven't thought about:

1. Emails get lost. We had quite a few support request because users couldn't connect to our service because the login email never arrived. This is a major issue, mainly when user wanted to upgrade but couldn't because of that. If you decide to implement this, you must use a really good email provider (Postmark is really good. Mailgun, not so much) 2. Emails are async. When your user goes to your website, they want to connect now. Waiting for an email can take quite some time and they might loose focus 3. Security "measures" will tell you to not indicate if the email you entered is valid or not, to avoid listing your users (... I won't go in that); If you implement login by email, it means your user will enter their supposed email, you'll tell them something like "If your email is registered on our website, you'll receive a one time login link", wait what feels like an eternity to get the login email in their inbox, and at some point wonder if the email they entered was the right one. Will try another, wait, rince and repeat.

So yeah, relying on email move all the security issues and added workflow back to a trusted service (login/lost password/2FA/OTP/etc to services like Gmail) but it will definitely add friction too.

In the end, it depends on what service you offer.

(Prescribed Conditions)

- "Credential Recovery" complies with OWASP ASVS and is "adequately secure".

- "Credential Recovery" is the "weakest link" of authentication. (Other authentication methods require TOTP, etc.)

(Potential Problems)

- The financial cost of sending emails.

  - my guess is that, since I could not find of news of this issue,
    these users are only a small percentage (hopeful not yet)

  - my guess is that users who choose "Credential Recovery"
    authentication over other "happy-path" authentication are willing
    to wait, or are use to waiting.

- If the above conditions are specified, authentication security is not compromised.

(Terms)

- "Credential Recovery" as in OWASP ASVS V2.5 Credential Recovery, or "Self-service password reset" as in Wikipedia, or "forgot password" flow.

https://en.wikipedia.org/w/index.php?title=Self-service_pass... https://owasp.org/www-project-application-security-verificat... https://github.com/OWASP/ASVS/raw/v4.0.3/4.0/OWASP%20Applica...

- "adequately secure" as in NIST SP 800-160 Vol. 1 Rev. 1, 3. System Security Concepts, 3.2. The Concept of an Adequately Secure System.

https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...

Another great side effect is that your backend doesn’t have to store user passwords which means removal of a lot of compliance headaches.