Ask HN: Why not always log in via mail pin code and skip the password?

2 points by fileeditview ↗ HN
So I was again resetting one of my thousands of accounts because I didn't remember the password and I wondered about passwords in general. I have simple question.

Why do we not use one time pin codes sent via mail for logging into websites?

As in: enter your login name and the system sends a pin to your email which is valid for 5 minutes and stops working after login.

So far I don't see the security risk since we have the option to reset a password with the email anyways. If someone gains access to your mail, you always lose.

I must be missing something.. what is it?

8 comments

[ 4.0 ms ] story [ 27.9 ms ] thread
It's more steps and slower if you do know/have saved the password, instant mail delivery is not guaranteed, people log in on devices they do not have the associated email setup, ...
I agree about the time delay that may happen. This is a valid argument but maybe that wouldn't be so bad if you stayed logged in with cookie/session (you rarely need to log in). It is at least faster than resetting passwords :)

You don't really need the email setup on the device as long as you have a smartphone (which basically everyone has).

sounds like a load of assumptions (meaning people caught in the cases where your assumption is wrong) for a small time gain for small group of people that rely on resetting their password to login? (seriously, get a password manager!) Would make more sense to make the password recovery flow convenient if that's the goal.

Plenty people do not have email setup on their smartphones at all (especially younger or older ones), or not the right email set up on their smartphones (i.e. don't have work mail on their phones). And I'm not happy at sites that insist on me getting up and walk to fetch my phone without good reason.

I don't want to force anyone to use this method but to offer an additional way of access.

Password managers are probably the best solution for passwords but my question is rather how can we do better than passwords.

If you can reset your password via email it’s effectively a login mechanism - you’re right. I guess passwords are quicker so it’s another more convenient login mechanism. There are a lot of other “prove you are who you say you are” mechanisms: SMS, rotating auth keys, hardware tokens, biometrics. All with upsides and downsides in security and usability.

Passwords that humans remember are on the low end of both security and usability, so I understand your frustration! Password managers work fine but really they’re duct tape pretending to be something like a hard token.

I’ve seen websites do what you say - always log in with an email verification. It’s not bad. My favorite is a push notification to my phone + watch.

1) This will turn your phone SIM into a "master password" - equivalent to using the same password for all your accounts. If a "bad guy" steals your SIM (physically or by tricking the phone company into reassigning the SIM), he will be able to log into every single account you have.

2) It will be a slow PITA when using a computer. While it would less of a PITA on a phone because you can copy-paste the code, phones are awkward and sub-optimal for many uses and many web pages.

The sequence becomes...

1. Open an web page on your computer

2. Receive a reset code on your phone some time later (seconds, sometimes a lot longer, sometimes never)

3. Read a sequence of random letters or numbers off the phone and accurately type it into your computer

> 1) This will turn your phone SIM into a "master password" - equivalent to using the same password for all your accounts. If a "bad guy" steals your SIM (physically or by tricking the phone company into reassigning the SIM), he will be able to log into every single account you have.

Gaining access to the phone would give one master access. But this is usually the case anyways because you can reset all passwords via mail.

Stealing the SIM won't give you access to the mail though.

> 2) It will be a slow PITA when using a computer. While it would less of a PITA on a phone because you can copy-paste the code, phones are awkward and sub-optimal for many uses and many web pages. [...]

I agree about the delay of email. That's bad. Typing a few digits is not really a problem.. you are typing your password also aren't you?

You’re missing that email can actually be quite slow for reasons. I’ve had a problem where I hadn’t logged into Twitch for a long time, and it wanted me to enter a one time code, which they mailed me.

The email took so long that the login code was expired. This was on GMail.

But then again, Slack and apps like Overcast use your method.