Pros and Cons of Passwordless Login via E-Mail

by FRANS and LINDA REIJNHOUDT

Passwordless login is a joy for users and developers and it is as safe as password reset by e-mail.

Introduction

Managing user accounts is cumbersome: storing and handling passwords securely, balancing memorable against strong passwords, and answering questions from users who lost their password or who mix up their user name and e-mail address.

Normally, developers implement four use cases if users have to log in: "user registers", "user logs in", "user forgot password" and "user changes password". In light of current password breaches, it is also a burden for users, because they have to come up with many strong and memorable passwords.

The constant demand for strong passwords is a problem.

The solution is to get rid of them and rely on e-mail accounts, to which users are probably already logged in.

Enter passwordless logins for websites.

Passwordless Login

Passwordless login is a joy for developers and users, because there is only one, simple use case: "user logs in". They type their e-mail address, receive an e-mail, click the link and are logged in.


There are various ways to secure this process. Developers can invalidate the link right after it is used, so it can't be re-used. They can expire the link after some time (e.g. one hour). They can verify that the browser where the user logged in is the same as the browser where the e-mail address was entered (e.g. by setting and verifying a cookie or comparing IP addresses). And they can end all previous sessions for a user who logs in.
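The measures listed above fit together in one small server-side module. The following is an added example, not code from the article or from NARCIS or DIAWEB: it issues a single-use login token, stores only its hash, expires it after an assumed one hour, binds it to the requesting browser with a cookie nonce, and ends the user's previous sessions on success. The class and function names, the one-hour lifetime and the injectable clock are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed lifetime of a login link (the article suggests e.g. one hour).
LINK_TTL_SECONDS = 3600


def _h(token: str) -> bytes:
    # Store only a hash of the token: a leaked pending-login table then
    # cannot be turned into working links.
    return hashlib.sha256(token.encode("utf-8")).digest()


class PendingLogin:
    def __init__(self, email: str, browser_nonce: str, expires_at: float):
        self.email = email
        self.browser_nonce = browser_nonce  # value set as a cookie in step 1
        self.expires_at = expires_at


class LoginService:
    """Hypothetical passwordless login service (in-memory storage)."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for testing expiry
        self.pending = {}           # token hash -> PendingLogin
        self.sessions = {}          # session id -> e-mail address

    def request_login(self, email: str):
        """Step 1: the user types an e-mail address.

        Returns (link_token, browser_nonce). The caller mails a link that
        carries link_token and sets browser_nonce as a cookie in the
        browser that made the request."""
        token = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(16)
        entry = PendingLogin(email.strip().lower(), nonce,
                             self.clock() + LINK_TTL_SECONDS)
        self.pending[_h(token)] = entry
        return token, nonce

    def consume_link(self, token: str, cookie_nonce):
        """Step 2: the user clicks the link.

        Returns a new session id, or None when the link is unknown, already
        used, expired, or opened in a browser other than the requesting one.
        The pending entry is removed on every attempt, so one click is all
        the link is ever good for."""
        entry = self.pending.pop(_h(token), None)   # pop => single use
        if entry is None:
            return None
        if self.clock() > entry.expires_at:
            return None
        # Constant-time compare of the cookie against the stored nonce.
        if not hmac.compare_digest(entry.browser_nonce, cookie_nonce or ""):
            return None
        # End all previous sessions of this user before starting a new one.
        stale = [sid for sid, mail in self.sessions.items() if mail == entry.email]
        for sid in stale:
            del self.sessions[sid]
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = entry.email
        return session_id


if __name__ == "__main__":
    svc = LoginService()
    tok, nonce = svc.request_login("Alice@Example.org")   # constructed address
    print("session:", svc.consume_link(tok, nonce))
    print("second click:", svc.consume_link(tok, nonce))  # None: single use
```

The cookie check means a link forwarded to someone else's browser does not log that browser in; the entry is consumed on the failed attempt, so the original recipient would have to request a fresh link.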

Pros

Users don't have a password, so there is nothing to generate, forget, store, write down or mistype, and they don't have to worry about password theft.

The most important pro is that there are no passwords.

Developers don't have to deal with passwords, so there are no password policies, fewer questions for the helpdesk and no passwords to salt, hash, store and compare.

Cons

The most important con is that users need e-mail access. Some users do not have that at all locations (e.g. work vs. home). Users need to switch from the website to their inbox and back to the website again. And they have to wait, because e-mail is not instantaneous.

Some preliminary research shows that most users click the link within twenty seconds after entering their e-mail address. Presumably most users have their inbox open in another window or tab.


Furthermore, many users are not familiar with passwordless login. They may be scared or at least hesitant to enter their e-mail address. Hopefully this is just a matter of time.

Developers must handle the case where users change their e-mail address. Depending on the purpose of the website, developers can deny access to the previous account, add the new e-mail address to the previous account or transfer the data from the old account to the new account.

Because an e-mail account is involved, there is a lot of fear, uncertainty and doubt about passwordless login.

The following cons are real cons, but they apply to almost all websites that require login.

A hacker who gains access to a user's e-mail account also gains access to their passwordless accounts. This problem is obviously not limited to passwordless websites, because all websites that support password reset by e-mail are vulnerable. The recovery process after regaining access to the e-mail account is comparable in both cases.

A spammer can use the passwordless website to spam a known e-mail address. But spamming known e-mail addresses is possible in many ways, for example with websites that the owner of the e-mail address probably uses and that support password reset by e-mail. This can be further discouraged by adding a captcha or a time-out.
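The time-out mentioned above can be a per-address limit on how many login e-mails the site sends. The following is an added example, not code from the article: a sliding-window limiter with a minimum cooldown between two mails to the same address. The class name, the defaults (three mails per address per hour, sixty seconds between two mails) and the injectable clock are assumptions for the example.

```python
import time
from collections import defaultdict, deque


class MailRateLimiter:
    """Hypothetical limiter for login e-mails, keyed by e-mail address.

    Two rules (defaults are assumed values, not from the article):
      * at most `per_window` mails per address within `window_seconds`
      * at least `cooldown_seconds` between two mails to the same address
    """

    def __init__(self, per_window=3, window_seconds=3600,
                 cooldown_seconds=60, clock=time.time):
        self.per_window = per_window
        self.window_seconds = window_seconds
        self.cooldown_seconds = cooldown_seconds
        self.clock = clock                      # injectable for testing
        self.history = defaultdict(deque)       # key -> send timestamps

    @staticmethod
    def normalize(email: str) -> str:
        # Treat "Bob@Example.org " and "bob@example.org" as the same key.
        return email.strip().lower()

    def allow(self, email: str) -> bool:
        """Return True and record the send if a mail may go out now."""
        now = self.clock()
        key = self.normalize(email)
        sent = self.history[key]
        # Drop sends that fell out of the window.
        while sent and now - sent[0] >= self.window_seconds:
            sent.popleft()
        if sent and now - sent[-1] < self.cooldown_seconds:
            return False                        # too soon after the last mail
        if len(sent) >= self.per_window:
            return False                        # window is full
        sent.append(now)
        return True


if __name__ == "__main__":
    limiter = MailRateLimiter()
    addr = "bob@example.org"                    # constructed address
    print([limiter.allow(addr) for _ in range(2)])   # [True, False]
```

Only a mail that is actually sent is recorded, so denied requests do not extend the caller's own cooldown.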

Two Implementations

NARCIS provides access to information about scientific research in the Netherlands. Researchers are able to log in without a password and update their information, because their e-mail addresses are already in their profile. Researcher data doesn't change often. If the previous login happened a long time ago, users would probably have to reset their password anyway. As a special benefit, implementing passwordless login did not change the data model.

DIAWEB calculates the result of individual psychological tests. This information is only intended for psychologists, so all e-mail domains of Dutch mental health professionals were white-listed. Psychologists with an e-mail address on the whitelist can log in directly, and unknown e-mail addresses are reviewed manually. As a special benefit, users who switch jobs are unable to access test results from clients of their former employer.

Other Options

Conclusion

Passwordless login is a joy for users and developers. There are no passwords and the workflow becomes simple and consistent.

There are security risks, but they are basically the same as for websites that support password reset by e-mail.

Further Reading