I swear I’ve been meaning to write up this exact idea for a long time, but Lucas Gonze does it better anyway:
It would be cool to be able to log in to a web site using just your email, without even a password. It would work just the same way that password recovery does now, except that you wouldn’t ever type in your password.
That’s it, but read the whole post for more explanation and rationale.
I just have two tiny points to add. Gonze:
I am thinking about this because Facebook constantly makes me log in, and I don’t care about it enough to memorize that password.
I’ve thought of it because I don’t know whether I can trust a site. Even if they store a hashed version of the password (I hate it when a “forgot your password?” procedure sends the one I forgot rather than generating a new password, which means they’re storing the actual password — that’s why I got a bit of a kick out of this extreme), they have access to the password I’ve selected at some point.
Of course you can effectively do this now — just register with a random password and, when forced to log in again, request a new password. But sites that force you to log in frequently make this painful.
Why do sites force frequent logins anyway? The real mystery is sites that do not force a login every session (which presumably reduces the problem of people forgetting to log out of public terminals), but instead at some interval longer than a session and shorter than many years. What problem is that addressing?
What about OpenID and the like? Orthogonal, and not nearly as widely deployed as email (or IM or SMS, which would also work as delivery mechanisms for password recovery or routine authorization tokens).
On a completely different topic, check out “Cover Yourself” podcast, an awesome Gonze post I’ve been planning to say more about since July, and will eventually.