I thought about it in the early days of Shield, but decided to postpone consideration. There's not a lot of open research on passwordless at the moment.
The implementations I've read about seem to rely on sending tokens via email. Essentially, it's a single-factor authentication using emailed tokens instead of passwords.
Email security is unreliable, so using it once in a while (e.g. in password resets) may be acceptable. Relying on it regularly (e.g. for logins) is questionably risky.
I may have skimmed through a paper (probably by Microsoft) that talks about passwordless using public key crypto. This has worked for SSH for a long time; I guess the web is a different ball game.
Passwords must go at some point. But I think we need more extensive and conclusive research on alternatives.
> The implementations I've read about seem to rely on sending tokens via email. Essentially, it's a single-factor authentication using emailed tokens instead of passwords.
> Email security is unreliable, so using it once in a while (e.g. in password resets) may be acceptable. Relying on it regularly (e.g. for logins) is questionably risky.

The gist of my choice in going with email magic links is in fact considering that password resets are magic links (some lazy/smart? people were using these as such before the advent of password managers). With password resets, the password or the email account can be compromised to have illegitimate access to your app. Without passwords, only the email account has to be compromised. I'm just putting the burden of security authentication in the hands of the email provider alone.

> Passwords must go at some point. But I think we need more extensive and conclusive research on alternatives.
Passwordless login is a divisive authentication approach (mostly UX-wise) but it has its benefits (https://medium.com/findworkco/password-less-login-df0354c3f3ee and https://medium.com/findworkco/password-less-login-continued-9f61bfda0175).
I'm implementing it by expanding/abusing the email confirmation logic from https://github.com/stephendolan/lucky_jumpstart but it'd be great if there was a cleaner upstream implementation.
Is this something you would consider adding?
Also, this login method is often complemented with social logins. I can open a separate issue if that enters the scope of Shield.
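For readers weighing the trade-off above, here is a minimal magic-link issue/redeem flow as an added example. It is not code from Shield or from lucky_jumpstart's email-confirmation logic, and the store, the `TOKEN_TTL_SECONDS` value and the helper names are assumptions; it is in Python rather than Crystal so that it can be run directly. It shows the three controls that make "the email inbox is the only factor" hold in practice: the server keeps only a hash of the token (a leaked table does not give usable links), the link expires, and it can be redeemed exactly once.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional
from urllib.parse import urlencode

# Assumed link lifetime; pick your own value for a real deployment.
TOKEN_TTL_SECONDS = 15 * 60


class MagicLinkStore:
    """Hypothetical in-memory magic-link store (a real app backs this with a DB table).

    Properties enforced:
      * only the SHA-256 digest of the token is stored, so a dumped table
        does not contain anything that can be pasted into a browser;
      * a link expires TOKEN_TTL_SECONDS after issue;
      * a link is single-use, so a token replayed from a mail log is rejected.
    Possession of the mailbox remains the single authentication factor.
    """

    def __init__(self) -> None:
        # digest -> {"email": str, "expires_at": float, "used": bool}
        self._rows: Dict[str, dict] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a token for `email`; the raw token goes into the mail, only its hash is kept."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(token)] = {
            "email": email,
            "expires_at": now + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the email the token was issued for, or None if it is unknown, expired or spent."""
        now = time.time() if now is None else now
        row = self._rows.get(self._digest(token))
        if row is None or row["used"] or now > row["expires_at"]:
            return None
        row["used"] = True  # burn before returning so it can never be redeemed twice
        return row["email"]


def build_link(base_url: str, token: str) -> str:
    """Build the URL to embed in the email, e.g. https://app.example/login/verify?token=..."""
    return f"{base_url}?{urlencode({'token': token})}"


if __name__ == "__main__":
    store = MagicLinkStore()
    token = store.issue("alice@example.com")  # constructed sample address
    print("mail this:", build_link("https://app.example/login/verify", token))
    print("first redeem ->", store.redeem(token))
    print("second redeem ->", store.redeem(token))
```

In an app built on the email-confirmation flow, `issue()` sits where the confirmation token is generated and `redeem()` in the callback route; the redeem handler should start a session only on a non-None result, and `issue()` should be rate-limited per address so the mailer cannot be used to spam a victim.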