Idea: Passwordless Login with Email

A place to discuss the implementation and style of computer programs.

Moderators: phlip, Moderators General, Prelates

RThaiRThai
Posts: 22
Joined: Sat Jun 27, 2009 8:02 am UTC

Idea: Passwordless Login with Email

Postby RThaiRThai » Tue Feb 01, 2011 12:51 pm UTC

tl;dr: There are some websites that I always forget the password for and end up using forgot my password every time. What if we used a system where you get sent a unique once usable log in link every time instead of passwords, but still give users the option to log in faster by entering their password if they so choose? And regarding OpenID; I love it, but the only site I use that has it is Slashdot.

I would like to know whether this idea already exists in a recorded form, whether it has been implemented, and whether it has been patented.

I have absolutely no intention of patenting this idea. I also hear many nasty stories about people who do not pay enough attention to patents getting sued. I have asked 2 of my friends and they think it is a good idea. If nobody replies, this is at least evidence that I had the idea this point in time in case it ever becomes relevant in the future.

Instead of supplying a password to login, a user will only suppy his email address. A link will be sent to the user's email account which may be used to log in only once, and will expire after a given period of time.

A user may alternatively log in using a regular password. A user may disable either login option.

This form of logging in means it will be possible for other users to spam a user's inbox if the user's email address is known. However, the user's inbox may be spammed if his address is known regardless of whether this system is enabled through traditional means.

This form of logging in is almost identical to reseting one's password upon forgetting it. The 2 main differences are that this implementation only allows the link to be used once, and it is presented in a way such that it is the primary means of loggin in.

I would like for this method of loggin in to become universal, or to replace Facebook connect, as Facebook connect is tied to 1 company whereas a mail server may be implemented by anyone with sufficient resources.

Please comment.
Last edited by RThaiRThai on Wed Feb 02, 2011 7:27 am UTC, edited 1 time in total.

User avatar
Dthen
Still hasn't told us what comes after D
Posts: 553
Joined: Sat Jan 02, 2010 6:35 pm UTC
Location: Ayrshire, Scotland

Re: Idea: Passwordless Login with Email

Postby Dthen » Tue Feb 01, 2011 1:05 pm UTC

Why would you want this? It doesn't add any extra security and it does add extra inconvenience.
Dthen wrote:I AM NOT A CAT.

kmatzen
Posts: 214
Joined: Thu Nov 15, 2007 2:55 pm UTC
Location: Ithaca, NY

Re: Idea: Passwordless Login with Email

Postby kmatzen » Tue Feb 01, 2011 2:26 pm UTC

RThaiRThai wrote:Instead of supplying a password to login, a user will only suppy his email address. A link will be sent to the user's email account which may be used to log in only once, and will expire after a given period of time.


So, I would have to supply my email address, press the login button, navigate to my email service, login, wait for the email to arrive, open the email, click the link, and then delete the email before loggin into your site? This sounds like an awful user experience, especially when the SMTP servers get flooded with all these login emails and they become significantly delayed.

RThaiRThai wrote:I would like for this method of loggin in to become universal, or to replace Facebook connect, as Facebook connect is tied to 1 company whereas a mail server may be implemented by anyone with sufficient resources.


This is what OpenID is for. In the end, sites choose Facebook Connect over OpenID since it allows sites to augment the experience with social networking data without actually getting access to that data and the liability associated with it. Some companies like Yahoo! and Google use OpenID so that they can sway customers over from their competitor without making them sign up for a new account. Last time I checked, you can use your gmail to login to Yahoo! products like Flickr. I didn't pay attention to whether or not that used OpenID, but the idea is still the same.

RThaiRThai
Posts: 22
Joined: Sat Jun 27, 2009 8:02 am UTC

Re: Idea: Passwordless Login with Email

Postby RThaiRThai » Wed Feb 02, 2011 7:02 am UTC

kmatzen wrote:So, I would have to supply my email address, press the login button, navigate to my email service, login, wait for the email to arrive, open the email, click the link, and then delete the email before loggin into your site? This sounds like an awful user experience, especially when the SMTP servers get flooded with all these login emails and they become significantly delayed.


As I said, it is an optional feature. It is not meant to add security, or necessarily be faster. It does mean that there is 1 less password to memorize. SMTP servers getting flooded with these login emails is something I had not considered, but I do not believe the volume of login emails would be significant enough to slow down the servers.

kmatzen wrote:This is what OpenID is for. In the end, sites choose Facebook Connect over OpenID since it allows sites to augment the experience with social networking data without actually getting access to that data and the liability associated with it. Some companies like Yahoo! and Google use OpenID so that they can sway customers over from their competitor without making them sign up for a new account. Last time I checked, you can use your gmail to login to Yahoo! products like Flickr. I didn't pay attention to whether or not that used OpenID, but the idea is still the same.


I am perfectly aware of OpenID, but I am also disappointed by how infrequently it is used. This method does not require a new id; most people already have email accounts and are required to provide them when signing up with websites. Using gmail to login to products is also not the same because that is tied to one specific email provider. I do not believe sites choose Facebook Connect over OpenID mainly for the social reasons, though I would not bet on that. I think it's because Facebook is common enough that it can be practically used.

I was just at Yahoo! and did not see OpenID anywhere.
https://edit.yahoo.com/registration?.sr ... hoo.com%2F

Update: I'm being stupid http://openid.net/get-an-openid/

The only popular site I know of that uses OpenID is Slashdot. I would like OpenID to gain popularity, but I get the impression that this would be easier.
Last edited by RThaiRThai on Thu Feb 03, 2011 12:59 am UTC, edited 1 time in total.

User avatar
RebeccaRGB
Posts: 336
Joined: Sat Mar 06, 2010 7:36 am UTC
Location: Lesbians Love Bluetooth
Contact:

Re: Idea: Passwordless Login with Email

Postby RebeccaRGB » Wed Feb 02, 2011 8:10 am UTC

RThaiRThai wrote:The only popular site I know of that uses OpenID is Slashdot.

LiveJournal also uses OpenID.

I don't use any of those universal login systems, though, just because I don't necessarily want everything I do online to be linked together. I like my relative anonymity. I would like to see OpenID gain popularity as well, though, because Facebook needs competition; their influence over the Internet has gone unchecked.
Stephen Hawking: Great. The entire universe was destroyed.
Fry: Destroyed? Then where are we now?
Al Gore: I don't know. But I can darn well tell you where we're not—the universe!

User avatar
Zamfir
I built a novelty castle, the irony was lost on some.
Posts: 7602
Joined: Wed Aug 27, 2008 2:43 pm UTC
Location: Nederland

Re: Idea: Passwordless Login with Email

Postby Zamfir » Wed Feb 02, 2011 12:12 pm UTC

Why not save an email in your email account with your password on it? So if you want to login to that site, you can search your email for the relevant mail. Takes less steps for the user than your proposal.

keeperofdakeys
Posts: 658
Joined: Wed Oct 01, 2008 6:04 am UTC

Re: Idea: Passwordless Login with Email

Postby keeperofdakeys » Wed Feb 02, 2011 12:38 pm UTC

There are some sites that are doing single-use code logins, like hotmail.

User avatar
sircrayons
Posts: 86
Joined: Wed Mar 10, 2010 3:17 am UTC
Contact:

Re: Idea: Passwordless Login with Email

Postby sircrayons » Wed Feb 02, 2011 1:30 pm UTC

Why not use a password manager like KeePassX or LastPass?
"Ford, you're turning into a penguin. Stop it."

RThaiRThai
Posts: 22
Joined: Sat Jun 27, 2009 8:02 am UTC

Re: Idea: Passwordless Login with Email

Postby RThaiRThai » Wed Feb 02, 2011 3:07 pm UTC

Zamfir wrote:Why not save an email in your email account with your password on it? So if you want to login to that site, you can search your email for the relevant mail. Takes less steps for the user than your proposal.

I can see a slight advantage to what I propose. If your passwords are saved on your email and anyone ever, say, glances over your shoulder, they gain access to your account. If you change your password occasionally, that at least helps, but with the system I propose, the links are only usable once. Both have the risk of tying all your accounts to the security of one account, which I think is fine if we're talking about less important things like games and forums.

sircrayons wrote:Why not use a password manager like KeePassX or LastPass?

Firstly, this is not about me managing my own passwords, it's about making accounts easier to manage for the people who use my website. I could recommend a password manager to them, but that's a tall task to ask of somebody signing up to your site compared to just making an account. I hate websites that ask you to download a special program to use them, and for the most part avoid them.

As for myself, I am considering using a password manager, but I haven't investigated them in depth yet. I am concerned about portability. If I use a password manager, will I still be able to effectively log in from other computers?

SammyIAm
Posts: 37
Joined: Wed Oct 10, 2007 4:50 am UTC

Re: Idea: Passwordless Login with Email

Postby SammyIAm » Thu Feb 03, 2011 10:10 pm UTC

This system actually has some appeal for me. There are definitely some sites that I use so infrequently (PayPal for example) that I have to reset my password every single time. And this solution wouldn't be any less convenient, and most likely slightly more convenient.

OpenID does take care of the "I can't remember the password" issue, but as RebeccaRGB pointed out:
RebeccaRGB wrote:...I don't necessarily want everything I do online to be linked together. I like my relative anonymity....

The reason I don't remember my password for these sites is because I rarely go there, and I don't necessarily want accounts there to be linked to an OpenID that I use for a lot of stuff. PayPal is good example here too, I may not want to have my OpenID that I use for all my social networking linked to my PayPal account.

There's technical limitations like spamming, but in reality I don't think they would be any more prevalent with this method than others.

keeperofdakeys
Posts: 658
Joined: Wed Oct 01, 2008 6:04 am UTC

Re: Idea: Passwordless Login with Email

Postby keeperofdakeys » Thu Feb 03, 2011 11:05 pm UTC

SammyIAm wrote:OpenID does take care of the "I can't remember the password" issue, but as RebeccaRGB pointed out:
RebeccaRGB wrote:...I don't necessarily want everything I do online to be linked together. I like my relative anonymity....

The reason I don't remember my password for these sites is because I rarely go there, and I don't necessarily want accounts there to be linked to an OpenID that I use for a lot of stuff. PayPal is good example here too, I may not want to have my OpenID that I use for all my social networking linked to my PayPal account.

There's technical limitations like spamming, but in reality I don't think they would be any more prevalent with this method than others.

The biggest risk is your openid provider trying to link together all the sites you visit. This is probably something that Facebook would do as well, with all its off-site logins. If you roll your own openid server, then the separate websites would have to compare notes to track you; this could be done with usernames and passwords today, although it would be slightly less effective.

kalleguld
Posts: 2
Joined: Fri Feb 11, 2011 7:09 am UTC

Re: Idea: Passwordless Login with Email

Postby kalleguld » Fri Feb 11, 2011 7:14 am UTC

Lifehacker does something akin to what the OP suggested.
If you want to post a comment, and you are not logged in, you just fill in your email address and write your comment.
Then you'll recieve a mail with a link, so they can confirm it's you, and after confirming, the comment is posted under your name.

gorcee
Posts: 1501
Joined: Sun Jul 13, 2008 3:14 am UTC

Re: Idea: Passwordless Login with Email

Postby gorcee » Fri Feb 11, 2011 6:25 pm UTC

It's far simpler to have a fixed set of passwords for various applications where security really doesn't matter a lot.

I have a standard password, a modification on that password (for when password length requirements don't suit the original), and brute-force secure password (random combination of upper/lower/number/symbol).

I don't use any of these in anything that is sensitive. And let's face it, 95% of the stuff I do online isn't sensitive. Say you get my XKCD forum password. What are you going to do with it? Make some posts under my name making me look like a jerk? Hell, I do that well enough on my own. Even still, is that really the best use of anyone's time such that I have to care?

User avatar
Emu*
Posts: 689
Joined: Mon Apr 28, 2008 9:47 am UTC
Location: Cardiff, UK
Contact:

Re: Idea: Passwordless Login with Email

Postby Emu* » Mon Feb 14, 2011 1:00 pm UTC

Stackoverflow.com and other stackexchange sites use OpenID as one of their login options, with special shortcut buttons for those wanting to use google as their OpenID provider.
Cosmologicon wrote:Emu* implemented a naive east-first strategy and ran it for an hour, producing results that rivaled many sophisticated strategies, visiting 614 cells. For this, Emu* is awarded Best Deterministic Algorithm!

fulldecent
Posts: 7
Joined: Mon Dec 10, 2007 9:20 pm UTC

Re: Idea: Passwordless Login with Email

Postby fulldecent » Sat Apr 07, 2012 2:32 pm UTC

Passwords are a joke except for the 1% of sites users care about (gmail, banks, facebook). If you run a larger site, set a 100-year cookie when someone logs in (in addition to your normal session cookie, which times out as normal). Then track your login page:
* what percent of users that already have an account (100-yr cookie set) remember their password
* what percent of users that already have an account click forgot password and then login
* what percent of users that already have an account click forgot password and then leave
* what percent of users that already have an account give up and don't even try

Post your results if you are allowed, along with the sector and number of visitors per month.


Return to “Coding”

Who is online

Users browsing this forum: No registered users and 9 guests