One of the things that bugs me about the web is having to create logins everywhere. There are lots of attempts to deal with this problem (OpenID, Facebook Connect, 1Password, etc.) but they all seem to have problems or require me to do things like:
- Use only sites that implement them
- Copy and paste stuff on my phone
- Spend Money
- Trust Mark Zuckerberg
Many of these websites are just some new thing I want to try out. I’m not talking about sites which require high security such as bank accounts or email (if you use the same password for your email account and other random web accounts, stop reading and change it right now!).
I am talking about this week’s random new social/mashup/mobile/fu thing your sister just txt’ed you and said “Try this out, It’s Awesome!”. These sites are all trying to get as many people to sign up as possible, so they make the barrier to entry as low as possible and signup typically requires only an email and a password. I’m starting to think that is one thing too many. I don’t think most of these sites need to ask me for a password, they just need my email address.
How do I know this?
Since almost all of these sites let me reset my password via email, my email address (and the ability to read it) is evidently good enough authentication.
Ok yeah, I know what you are thinking: great, more spam in my email, more steps to login, etc. But the thing is that most of these sites also leave you logged in for a long time (forever?) and often I never go back to them after a week anyway.
In this scheme login (and in fact signup) looks like this:
- Enter your email address.
- Click login.
- Receive an email with a magic one time use key.
- Click the key and you are logged in.
Note that anyone who tries to log in as you will cause you to get an email notifying you of the attempt…
You can also add a captcha, etc., in the email the first time this login is used.
Sites can always still allow the user to update the account with passwords/2-factor/security questions etc later, but why bother unless it becomes necessary?
Sure, it’s not the best solution for every case, but nothing is.
I have played around with this idea on a demo site for myself and it seems to be workable. What am I missing?
A simple implementation using Django is on GitHub here.