Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[STICKY][Interesting] Password-Free Email Logins #674

Closed
slaveek opened this issue Jul 9, 2015 · 6 comments
Closed

[STICKY][Interesting] Password-Free Email Logins #674

slaveek opened this issue Jul 9, 2015 · 6 comments

Comments

@slaveek
Copy link
Contributor

slaveek commented Jul 9, 2015

Hi everyone!
I came across this article today:
Blogging Site Medium Rolls Out Password-Free Email Logins

It's sound pretty good to me.
I'm curious whats your opinion. Maybe this can be an alternative to login with Facebook, Google etc.

I know about this discussion here #664 but feature like this can bring something extremely simple to users or.... maybe not ;)

@panique panique changed the title [NOT ISSUE] Password-Free Email Logins [Interesting information] Password-Free Email Logins Jul 9, 2015
@panique
Copy link
Owner

panique commented Jul 9, 2015

He, this is definitly interesting! For everybody who hasn't the time reading the full article: Login works like that:

  1. Sign in with email (without password!)
  2. Server sends you an email with a link, like medium.com/login/[email protected]/123/hhfthhdgrdig3434DFG, where hhfthhdgrdig3434DFG is your temporary one-time-password.
  3. You click the link and are logged in.

Maybe it's possible to try out this feature in HUGE in the next months :)

@panique panique changed the title [Interesting information] Password-Free Email Logins [STICKY][Interesting] Password-Free Email Logins Jul 11, 2015
@JFJanssen
Copy link

Hi!

Definitely interesting. Here is something to think about, though, and leave the decision to use this login-via-email option to knowledgeable end-user:

1 IF mail password is compromised (i.e. hacked, copied, etc.), someone other then the legitimate user can now access that email account.
2 That someone else can now ask website to send login-via-email requests to that compromised mail account.
3 Access to email accounts may be gained easier then one might think, as people often use just four digits as a login on their phones / iPads, / other tablets.

So, a rather possible attack scenario seems to me:
1 Attacker watches someone enter their four-digit code
2 Attacker gets access to that device later on
3 Attacker opens mail client on legitimate users' device
4 Attacker gets site of interest to send login-via-email link to legitimate users' email account
5 Attacker deletes email after using the link in it to gain access to site of interest.

Attacker then had access from users' own device. Other then a timestamp no trace of wrongdoings is visible.

Interesting shift:
FROM: Where passwords are based on knowing a (password),
TO: login-via-email may in practice be based on knowing a (4 digit pin code) and access to an (phone / tablet / ...).

This makes the concept risky; one needs to think this through before exposing users to such risks.

@jjkirkpatrick
Copy link
Contributor

Question, If you login to a website with you email address, and your email address is compromised.
you can now send a password request and gain access to any accounts using that email in most case.

So what's the difference between this and your scenario.

it sounds like what your saying is plan for every possibility which is good when you can control the situation, however this would be a case of the user not being able to keep there data safe, and your talking about actually using the users physical device so that scenario is even more less likely.

I personally think this is interesting technology and passwords are out dated.

if you had a feature like this and you wanted to just add that extra layer you could add extra step after login, where the user enters a 3 digit pin or what ever.

@tankerkiller125
Copy link

Although I agree that passwords are out of date I certainly don't agree with the whole concept of emailing the user a one time access key. For one there are way to many services that it relies on (E-Mail servers on both the server and client end being the main ones). And number two is the fact that yes many email accounts could easily be compromised by a very easy 4 number combination on someones device. I might also add that this now also means that the user will have to go to there email every time they want to log into the service. Although I think that this idea is on to something I certainly don't think that its the future or for that matter the most secure. Services like Clef are certainly on the right path if they could make it an open source platform that was easy to implement on your own both client and server side.

@abmmhasan
Copy link
Contributor

I see everyone is on compromising issues. Ok everything can be compromised whatever secure now can be insecure in next seconds. Anyway, the goal of security is to secure the path. As I already said, everything can be compromised. So what if I erase something before it is discovered?

  1. I prefer using 2FA turned on in your EMail accounts (I use them in Google and MS accounts which are in turn giving security to my other accounts). So this way your EMail can be a lot safe.
  2. If I send a link in mail that will must contain random number in link. The length is already defined.
    Now you can say I can find that number after several try. Here is the solution for that, generate a 10 digit alpha-numeric code. & the acceptable link will expire in certain time, for example 5 minutes. Whether cracking such code with high end PC will need more than a month you are expiring it only in 5 or 10 minutes.
    Is there anything more secure than this?
    Check such random number strength in https://howsecureismypassword.net/

@panique
Copy link
Owner

panique commented Oct 11, 2015

Hey, I'll close this ticket as this is now linked from the readme.

@panique panique closed this as completed Oct 11, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants