Comments on: Passwordless login

By: Evan Prodromou

Evan Prodromou — Wed, 02 Jan 2008 17:15:26 +0000

Mike,

It would be relatively easy to make an OpenID server that only used an email ping as the authentication method. Your OpenID identity could be something like:

http://mailauth.example.com/evan@prodromou.name

…with no prior account at mailauth.example.com needed (unless you wanted to store some profile information there). This would centralize the email confirmation round-trip process, and make it easier for people with spam controls to whitelist just one confirmation server.

You could do just one email confirmation once per browser session (or even longer, at your option) — after that, you stay logged into mailauth.example.com. You wouldn’t have to confirm once for every site you log into.

This seems like it could be fun… I might try to hack it together.

By: Luca

Luca — Tue, 01 Jan 2008 21:30:12 +0000

Interesting idea… I came across this while reading up on peoples thoughts of OpenID, to me this seems a much simpler idea for avoiding the problem of forgetting passwords.

As for the problem about people who aren’t always able to access their email, this problem occurs already as most sites require you to verify your email by clicking on a link or entering a code. If you aren’t bothered about verifying your users email (most sites shouldn’t be) then you can just setup the users session once the registration is complete so they only need to click the link if it expires.

By: Mike Linksvayer » OpenID is good for something

Mike Linksvayer » OpenID is good for something — Tue, 01 Jan 2008 04:13:41 +0000

[...] In the meantime, I’m still a big fan of super simple methods of going passwordless. [...]

By: Mike Linksvayer

Mike Linksvayer — Mon, 03 Dec 2007 01:28:10 +0000

Brad Templeton explains why sites should not store plaintext passwords http://ideas.4brad.com/dont-e-mail-me-my-password

By: Mike Linksvayer » Login to Facebook monthly

Mike Linksvayer » Login to Facebook monthly — Tue, 25 Sep 2007 14:49:41 +0000

[...] because he was ticked off that Facebook constantly made him log in. He then highlighted part of my response: Why do sites force frequent logins [...]

By: Mike Linksvayer

Mike Linksvayer — Wed, 12 Sep 2007 20:19:34 +0000

Marco, cool, thanks for pointing that one out.

Crosbie, all very good points. Explains why things are the way they are and will continue to be for some time.

By: Crosbie Fitch

Crosbie Fitch — Wed, 12 Sep 2007 09:44:11 +0000

Once upon a time not everyone had a continuously accessible e-mail address.

Websites had to cater for people without them.

Even today, many people don’t have their e-mail accessible via the web, but only via a pop client on their home PC.

However, yes, for those people able to retrieve their e-mail at the time they register with a web site, e-mail based authentication is just as sufficient as a simple name/pwd pair.

But, are new sites yet able to dispense with name/pwd? Perhaps they can now offer some varieties:
1: Name/pwd - optional e-mail
2: E-mail/pwd - e-mail only occassionally accessible
3: E-mail - e-mail always accessible

Half the problem is keeping the registration process simple and familiar.

By: Marco Raaphorst

Marco Raaphorst — Wed, 12 Sep 2007 07:32:07 +0000

There’s a Dutch website which does this:
http://kopikopi.com/

No password needed for this website :)

They are located in my hometown, The Hague, Holland.

By: Mike Linksvayer » Passwordless login « the Wordpress of Lucas Gonze

Mike Linksvayer » Passwordless login « the Wordpress of Lucas Gonze — Wed, 12 Sep 2007 05:01:21 +0000

[...] 12th, 2007 Mike Linksvayer » Passwordless login Why do sites force frequent logins anyway? The real mystery is sites that do not force login every [...]