Pros and Cons of Passwordless Login via E-Mail
Passwordless login is a joy for users and developers and it is as safe as password reset by e-mail.
Managing user accounts is cumbersome: storing and handling passwords securely, balancing memorable passwords against strong ones, and answering questions from users who have lost their password or who mix up their user name and e-mail address.
Normally, developers implement four use cases if users have to log in: "user registers", "user logs in", "user forgot password" and "user changes password". In light of current password breaches, it is also a burden for users, because they have to come up with many strong and memorable passwords.
The constant demand for strong passwords is a problem.
The solution is to get rid of them and rely on e-mail accounts, to which users are probably already logged in.
Enter passwordless logins for websites.
Passwordless login is a joy for developers and users, because there is only one simple use case: "user logs in". They type their e-mail address, receive an e-mail, click the link and are logged in.
There are various ways to secure this process. Developers can invalidate the link right after it is used, so it can't be re-used. They can expire the link after some time (e.g. one hour). They can verify that the browser where the user logged in is the same as the browser where the e-mail address was entered (e.g. by setting and verifying a cookie or comparing IP addresses). And they can end all previous sessions for a user who logs in.
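The four safeguards above (single use, expiry, browser binding via a cookie, ending previous sessions) fit in one small token store. The following is an added example, not code from the original article; the class name, the one-hour lifetime and the in-memory dictionaries are assumptions for illustration, and a real deployment would keep the records in a database.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # seconds; the article suggests expiring links after about an hour


class MagicLinkStore:
    """In-memory store for one-time login tokens (constructed for this example)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.tokens = {}    # sha256(token) -> (email, browser_nonce, expires_at)
        self.sessions = {}  # email -> set of live session ids

    def issue(self, email):
        """Create the link token and a nonce to set as a cookie in the requesting browser.
        Only the hash of the token is stored, so a leaked store does not yield usable links."""
        token = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(16)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (email, nonce, self.clock() + TOKEN_TTL)
        return token, nonce

    def redeem(self, token, nonce):
        """Consume the token once. Returns a new session id, or None if the link is
        unknown, expired or opened in a browser without the matching cookie."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() removes the record on every attempt, so a link is single use even
        # when the attempt fails; the user simply requests a fresh link.
        record = self.tokens.pop(digest, None)
        if record is None:
            return None
        email, expected_nonce, expires_at = record
        if self.clock() > expires_at:
            return None
        if not secrets.compare_digest(nonce, expected_nonce):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[email] = {sid}  # replacing the set ends all previous sessions
        return sid

    def is_session_live(self, email, sid):
        return sid in self.sessions.get(email, set())
```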
Users don't have a password, so there is nothing to generate, forget, store, write down or mistype, and they don't have to worry about password theft.
The most important pro is that there are no passwords.
Developers don't have to deal with passwords, so there are no password policies, fewer questions for the helpdesk and no passwords to salt, hash, store and compare.
The most important con is that users need e-mail access. Some users do not have that in all locations (e.g. work vs. home). Users need to switch from the website to their inbox and back to the website again. And they have to wait, because e-mail is not instantaneous.
Some preliminary research shows that most users click the link within twenty seconds after entering their e-mail address. Presumably most users have their inbox open in another window or tab.
Furthermore, many users are not familiar with passwordless login. They may be scared or at least hesitant to enter their e-mail address. Hopefully this is just a matter of time.
Developers must handle the case where users change their e-mail address. Depending on the purpose of the website, developers can deny access to the previous account, add the new e-mail address to the previous account or transfer the data from the old account to the new account.
Because an e-mail account is involved, there is a lot of fear, uncertainty and doubt about passwordless login.
The following cons are real cons, but they apply to almost all websites that require login.
A hacker who gains access to a user's e-mail account also gains access to their passwordless accounts. This problem obviously is not limited to passwordless websites, because all websites that support password reset by e-mail are vulnerable. The recovery process after regaining access to the e-mail account is comparable in both cases.
A spammer can use the passwordless website to spam a known e-mail address. But spamming known e-mail addresses is possible in many ways, for example with websites that the owner of the e-mail address probably uses and that support password reset by e-mail. This could be further discouraged by adding a captcha or a time-out.
NARCIS provides access to information about scientific research in the Netherlands. Researchers are able to log in without a password and update their information, because their e-mail addresses are already in their profile. Researcher data doesn't change often. If the previous login happened a long time ago, users will probably reset their password anyway. As a special benefit, implementing passwordless login did not change the data model.
DIAWEB calculates the result of individual psychological tests. This information is only intended for psychologists, so all e-mail domains of Dutch mental health professionals were whitelisted. Psychologists with an e-mail address on the whitelist can log in directly and unknown e-mail addresses are reviewed manually. As a special benefit, users who switch jobs are unable to access test results from clients of their former employer.
- OAuth enables users to log in using an existing account from another service, like Google, Twitter, Facebook or Mozilla Persona/BrowserID. Pros: no new password; the third party is probably knowledgeable and protects their data well. Cons: the user is not familiar with OAuth; the website depends on a third party; users need to switch from the website to the third party and back to the website; users must still log in with the username and password of the third party; users might have to review and approve permissions for the website.
- SMS and IM are other ways of sending a link or token.
- Password managers are able to generate, store and sync passwords between your devices. Pros: works with existing websites. Cons: it makes users dependent on a third party.
- Apps for the mobile phone that use QR-codes or communicate directly with the website. Pros: more secure, because it also involves something that users possess. Cons: it makes users dependent on a third party; users are re-routed from the website to their mobile phone and back to the website; users can't share their website account; developers must handle the case where users change their mobile phone (number).
Passwordless login is a joy for users and developers. There are no passwords and the workflow becomes simple and consistent.
There are security risks, but they are basically the same as for websites that support password reset by e-mail.