
Passwordless login (with magic link / code in email) #5

Open
rmarronnier opened this issue Dec 21, 2020 · 2 comments

Comments

@rmarronnier

Passwordless login is a divisive authentication approach (mostly UX wise) but it has its benefits (https://medium.com/findworkco/password-less-login-df0354c3f3ee and https://medium.com/findworkco/password-less-login-continued-9f61bfda0175).
I'm implementing it by expanding/abusing the email confirmation logic from https://github.com/stephendolan/lucky_jumpstart but it'd be great if there was a cleaner upstream implementation.
Is this something you would consider adding?
Also, this login method is often complemented with social logins. I can open a separate issue if that enters the scope of Shield.

@akadusei (Contributor) commented Dec 21, 2020

No, not now.

I thought about it in the early days of Shield, but decided to postpone consideration. There's not a lot of open research on passwordless at the moment.

The implementations I've read about seem to rely on sending tokens via email. Essentially, it's a single factor authentication using emailed tokens instead of passwords.

Email security is unreliable, so using it once in a while (eg: in password resets) may be acceptable. Relying on it regularly (eg: for logins) is questionably risky.

I may have skimmed through a paper (probably by Microsoft) that talks about passwordless using public key crypto. This has worked for SSH for a long time; I guess the web is a different ball game.

Passwords must go at some point. But I think we need more extensive and conclusive research on alternatives.

@rmarronnier (Author) commented Dec 22, 2020

Thanks for your detailed answer.

> The implementations I've read about seem to rely on sending tokens via email. Essentially, it's a single factor authentication using emailed tokens instead of passwords.

Yes, I'm putting aside non-email based solutions (biometrics / hardware crypto / sms / ...).

> Email security is unreliable, so using it once in a while (eg: in password resets) may be acceptable. Relying on it regularly (eg: for logins) is questionably risky.

The gist of my choice in going with email magic links is in fact considering that password resets are magic links (some lazy/smart? people were using these as such before the advent of password managers). With password resets, the password or the email account can be compromised to have illegitimate access to your app. Without passwords, only the email account has to be compromised. I'm just putting the burden of security authentication in the hands of the email provider alone.

> Passwords must go at some point. But I think we need more extensive and conclusive research on alternatives.

I'll let the security experts chime in :-)
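An added example, not part of this thread and not Shield's own code: the emailed-token lifecycle both comments describe, written in Ruby (Shield itself is Crystal), showing the controls that bound what a single leaked or intercepted email can do when it is the only factor: a high-entropy token of which only the hash is stored, a short expiry, single use with other outstanding links for the same address burned on success, and a constant-time comparison. The `MagicLinkStore` class, its method names and the injectable clock are assumptions for illustration.

```ruby
require "securerandom"
require "digest"

# Minimal magic-link token store (assumed design, not Shield's).
class MagicLinkStore
  TTL_SECONDS = 15 * 60 # short lifetime: an old inbox entry is worthless

  Record = Struct.new(:email, :token_hash, :expires_at, :used)

  # The clock is injectable so expiry can be exercised in tests.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @records = {} # id => Record; only the SHA-256 of the token is kept
  end

  # Issue a link for +email+. Returns [id, token]. The raw token goes only
  # into the email; a database read yields hashes, not usable links.
  def issue(email)
    id = SecureRandom.uuid
    token = SecureRandom.urlsafe_base64(32) # 256 bits, not guessable
    @records[id] = Record.new(email, digest(token), @clock.call + TTL_SECONDS, false)
    [id, token]
  end

  # Redeem a link. Returns the email on success, nil otherwise.
  # Rejects unknown, used or expired records and mismatched tokens.
  def redeem(id, token)
    rec = @records[id]
    return nil if rec.nil? || rec.used || @clock.call > rec.expires_at
    return nil unless secure_equal?(rec.token_hash, digest(token))

    # Burn this link and every other outstanding link for the same address,
    # so an emailed link can never be replayed after a successful login.
    @records.each_value { |r| r.used = true if r.email == rec.email }
    rec.email
  end

  private

  def digest(token)
    Digest::SHA256.digest(token)
  end

  # Constant-time comparison: does not short-circuit on the first differing byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```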

@akadusei added the discussion and enhancement (New feature or request) labels and removed the enhancement label on Dec 22, 2020.