Ask HN: Why not always log in via mail pin code and skip the password?
So I was again resetting one of my thousands of accounts because I didn't remember the password and I wondered about passwords in general. I have simple question.
Why do we not use one time pin codes sent via mail for logging into websites?
As in: enter your login name and the system sends a pin to your email which is valid for 5 minutes and stops working after login.
So far I don't see the security risk since we have the option to reset a password with the email anyways. If someone gains access to your mail, you always lose.
I must be missing something.. what is it?
8 comments
[ 4.0 ms ] story [ 27.9 ms ] threadYou don't really need the email setup on the device as long as you have a smartphone (which basically everyone has).
Plenty people do not have email setup on their smartphones at all (especially younger or older ones), or not the right email set up on their smartphones (i.e. don't have work mail on their phones). And I'm not happy at sites that insist on me getting up and walk to fetch my phone without good reason.
Password managers are probably the best solution for passwords but my question is rather how can we do better than passwords.
Passwords that humans remember are on the low end of both security and usability, so I understand your frustration! Password managers work fine but really they’re duct tape pretending to be something like a hard token.
I’ve seen websites do what you say - always log in with an email verification. It’s not bad. My favorite is a push notification to my phone + watch.
2) It will be a slow PITA when using a computer. While it would less of a PITA on a phone because you can copy-paste the code, phones are awkward and sub-optimal for many uses and many web pages.
The sequence becomes...
1. Open an web page on your computer
2. Receive a reset code on your phone some time later (seconds, sometimes a lot longer, sometimes never)
3. Read a sequence of random letters or numbers off the phone and accurately type it into your computer
Gaining access to the phone would give one master access. But this is usually the case anyways because you can reset all passwords via mail.
Stealing the SIM won't give you access to the mail though.
> 2) It will be a slow PITA when using a computer. While it would less of a PITA on a phone because you can copy-paste the code, phones are awkward and sub-optimal for many uses and many web pages. [...]
I agree about the delay of email. That's bad. Typing a few digits is not really a problem.. you are typing your password also aren't you?
The email took so long that the login code was expired. This was on GMail.
But then again, Slack and apps like Overcast use your method.