- title: It is (Past) Time for Passwordless Login
- url: https://medium.com/why-not/it-is-past-time-for-passwordless-login-4f468b812301
- hash_url: 7ea22ac5b5dcdbc60f85c656aef38285
-
- <p name="67bf" id="67bf" class="graf--p">Two years ago, I wrote an essay called “<a href="http://notes.xoxco.com/post/27999787765/is-it-time-for-password-less-login" data-href="http://notes.xoxco.com/post/27999787765/is-it-time-for-password-less-login" class="markup--anchor markup--p-anchor" rel="nofollow">Is it time for Passwordless Login</a>?” which proposed a design pattern that would replace passwords with a single-use login link sent to a user’s email address or phone.</p>
<p name="da2b" id="da2b" class="graf--p">In short, passwordless login replaces the username and password combination with a variation on the password reset flow already found on many existing sites. To log in, a user enters their email address or phone number. A link carrying a random, single-use token is sent to that address; clicking it logs the user in. The link must be unguessable, short-lived, and usable only once, and it is only as secure as the mailbox or phone it is sent to. <em class="markup--em markup--p-em">No password is ever collected or stored.</em></p>
<figure name="135a" id="135a" class="graf--figure"><div class="aspectRatioPlaceholder is-locked"><p class="aspect-ratio-fill"/><img class="graf-image" data-image-id="1*yAN4DcljM_ockIkXc3CcCQ.png" data-width="986" data-height="536" data-action="zoom" data-action-value="1*yAN4DcljM_ockIkXc3CcCQ.png" src="https://d262ilb51hltx0.cloudfront.net/max/800/1*yAN4DcljM_ockIkXc3CcCQ.png"/></div></figure>
<p name="4bbf" id="4bbf" class="graf--p">Since I wrote the original essay, we’ve had a series of devastating hacks and data breaches in which personal information was accessed and stolen by cyber-criminals. <em class="markup--em markup--p-em">Millions of passwords</em> have been leaked onto the Internet. It now seems commonplace to hear news of “the largest data breach in history.” There are more, and more sophisticated, hacking efforts going on around the world than you want to know.</p>
<p name="0cd7" id="0cd7" class="graf--p">It is a terrible time to own a database full of passwords.</p>
<p name="8ac8" id="8ac8" class="graf--p">This week, <a href="https://medium.com/the-story/signing-in-to-medium-by-email-aacc21134fcd" data-href="https://medium.com/the-story/signing-in-to-medium-by-email-aacc21134fcd" class="markup--anchor markup--p-anchor">Medium launched passwordless login</a> for their users. Slack offers <a href="http://www.uxcandy.net/slack-adds-login-magic-to-their-app/" data-href="http://www.uxcandy.net/slack-adds-login-magic-to-their-app/" class="markup--anchor markup--p-anchor" rel="nofollow">passwordless login in their iOS app</a>. Twitter offers a <a href="https://get.fabric.io/digits" data-href="https://get.fabric.io/digits" class="markup--anchor markup--p-anchor" rel="nofollow">login-via-text tool</a> as part of their developer tools. There is a <a href="https://passwordless.net/" data-href="https://passwordless.net/" class="markup--anchor markup--p-anchor" rel="nofollow">plug-and-play Node module</a>. This is a feasible, tested, and user-friendly way to make logging in to your app easier and more secure.</p>
<p name="9716" id="9716" class="graf--p">I can now say that it is <strong class="markup--strong markup--p-strong">past time</strong> for sites and application developers to adopt this design pattern. Why?</p>
<p name="3912" id="3912" class="graf--p"><strong class="markup--strong markup--p-strong">It is better for the user:</strong></p>
<ul class="postList"><li name="7bc4" id="7bc4" class="graf--li">No username or password to remember — only email</li><li name="99fc" id="99fc" class="graf--li">Less typing on mobile devices</li><li name="8f8a" id="8f8a" class="graf--li">No risk that a future breach of the site will expose a password</li></ul>
<p name="4873" id="4873" class="graf--p"><strong class="markup--strong markup--p-strong">It is better for the product:</strong></p>
<ul class="postList"><li name="ff4d" id="ff4d" class="graf--li">Account creation, login, and password reset become simpler</li><li name="bf12" id="bf12" class="graf--li">All email addresses are verified without additional steps</li><li name="0418" id="0418" class="graf--li">There are fewer options for users to manage</li></ul>
<p name="3839" id="3839" class="graf--p"><strong class="markup--strong markup--p-strong">It is better for the business:</strong></p>
<ul class="postList"><li name="41a0" id="41a0" class="graf--li">There are no passwords to store and protect, thus less risk of a damaging data breach</li><li name="d298" id="d298" class="graf--li">There are fewer features to build and maintain</li><li name="3a6f" id="3a6f" class="graf--li">Less support is required for helping people with password problems</li></ul>
<p name="2c10" id="2c10" class="graf--p graf--last">Every application developer and service provider should consider going passwordless. This design pattern, particularly when used in combination with two-factor authentication, server-side encryption of stored data, and TLS (SSL), will help to prevent your app from being the next to suffer an embarrassing breach. And even if your app does get hacked, at least the breach will not expose user passwords that go on to cause further breaches elsewhere.</p></div>