Kye Kitsune 8 years ago updated by Digby (Community Manager) 7 years ago 5

The latest episode of FA Security Theater showed once again the fundamental flaws with passwords.


tl;dr: send a token embedded in a URL by email, or the token by SMS, instead of requiring passwords. Medium is actually a good proof of concept for this. You can log in just by putting in your email address. They email a link, you click, and you're in. Email remains a weak link, but that was already the case. It'll matter less as more people adopt two-factor authentication for their email accounts.
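An illustration of the flow that comment describes (generate a random token, mail it embedded in a URL, accept it once), added here as an example and not code from the original thread or from Medium's implementation. The verify endpoint URL, the in-memory store standing in for a database table, and the 15-minute lifetime are assumptions; the security-relevant choices are that only a hash of the token is stored, the link expires, and it is consumed on first use so a leaked or forwarded link cannot be replayed.

```python
"""Passwordless "magic link" login: the server mails a one-time URL that
carries a random token; visiting the URL proves control of the mailbox."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 15 * 60                   # assumed: links expire after 15 minutes
BASE_URL = "https://example.com/login/verify"  # hypothetical verify endpoint


@dataclass
class PendingLogin:
    email: str
    token_hash: bytes      # only the hash is stored: a DB leak must not yield usable links
    expires_at: float
    used: bool = False


# Constructed in-memory store standing in for a database table.
PENDING: Dict[bytes, PendingLogin] = {}


def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode("ascii")).digest()


def issue_magic_link(email: str, now: Optional[float] = None) -> str:
    """Create a single-use token for `email` and return the URL to put in the mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)         # 256 bits from the OS CSPRNG; never logged
    h = _hash_token(token)
    PENDING[h] = PendingLogin(email=email.lower(), token_hash=h,
                              expires_at=now + TOKEN_TTL_SECONDS)
    return f"{BASE_URL}?{urlencode({'token': token})}"


def verify_magic_link(url: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated email address, or None if the link is
    unknown, expired, or has already been used."""
    now = time.time() if now is None else now
    token = parse_qs(urlparse(url).query).get("token", [""])[0]
    if not token:
        return None
    h = _hash_token(token)
    # Looking up by hash of a 256-bit random token leaks nothing useful via timing;
    # the constant-time compare below is kept as the habit for secret comparison.
    entry = PENDING.get(h)
    if entry is None or not hmac.compare_digest(entry.token_hash, h):
        return None
    if entry.used or now > entry.expires_at:
        return None
    entry.used = True                          # single use: replaying the link fails
    return entry.email


if __name__ == "__main__":
    link = issue_magic_link("alice@example.com")
    print("mail this:", link)
    print("first visit ->", verify_magic_link(link))
    print("second visit ->", verify_magic_link(link))
```

On first visit the server would start a session for the returned address; the second visit returns None, which is the property that limits the damage of a link sitting in a mail archive. The email address itself remains the weak link the comment mentions, which is why the comparison with password reuse made later in the thread is a fair one.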

Seems like it's just adding extra steps and hassle for something that shouldn't be a problem anyway, provided the site is properly secured and users are smart about not reusing passwords.

Perhaps adding it as an optional extra step for people who want it, but I don't see the point in making it mandatory for everyone. (Unless the intent wasn't that it's mandatory for everyone; if this is the case, then I retract my comment)


I never said anything about making it mandatory.


Comment and downvote retracted. Sorry for the misunderstanding. :)

I'm not convinced this is a good idea. You still need a verified authentication platform. If it is a phone or an e-mail, and someone gains access to it, they gain access to all the webpages you are registered on. It's almost like using the same password everywhere.


At this time, we're going to pass on this option; it would be complicated to develop and could potentially make accounts less secure. I do think that passwords have their flaws, and we want to keep other possible security measures in mind.