Unless I'm misunderstanding something, if someone has access to my email they can just login right?
That doesn't sound very safe. Does this use some form of OTP that's passed via a special URL that only works with the mobile app? If so that sounds better than what I'm thinking.
Well, that's true of most services, right? If they have access to your email, they can just click the 'reset password' link on a site and use the resulting email link to log in.
me too.. it's more likely to be a token that's cookied and sent over SSL per api request. Same token that would get generated if they auth'ed via password.
> if someone has access to my email they can just login right?
The article says that it's a one-time link, so I assume that means that the same link can't be used twice. If someone had access to my email, they'd have to use that link before me, which is a very small window of time (submitting the form in the app and then opening an email, ~15 seconds tops).
Or, you know, just request a new login link, use it and delete the email. If they are fast enough you won't even notice the notification on your phone.
"Why do you need people's name and email? The above screenshot looks like an APP. You already have a way to reach them: in-app notifications. And why do you need their name until they purchase something?"
But ironically, the resulting page said "Please enter correct password. Spam free wordpress." LOL
As for name and email -- Shop It To Me is not just an app but also a website and email service and so we need a way to link them all together. If we did not have an email and the member lost their phone, they'd lose their account forever.
> You already have a way to reach them: in-app notifications.
People have to opt-in to in-app notifications. If they press no intentionally or accidentally, recovery is far, far more difficult. Email is much easier and more controllable than notifications.
> Email is much easier and more controllable than notifications.
True, but not for the user. I would much rather accept notifications than type in my email address. I avoid the risk of getting spammed, don't need to decide what email to use, don't need to decide if I trust the developer. And with app notifications, the ability to unsubscribe is much more consistent and reliable.
I don't think this is a great solution for highly sensitive information like banking - most people have lots of different devices that receive their email and just one "weak" link could give malicious access.
That being said, for sites this that are more concerned with "verification" than "authentication" this seems like a viable approach.
It seems not much less secure than a system that lets you reset your password simply by clicking a link in an email (which is to say, most password-based systems on the web). Either way, once you have access to the email account, you can authenticate.
So this is essentially delegating authentication to the user's Email service. Delegating authentication seems like a good idea: fewer passwords to forget and more conveniene. So why not delegate to a proper authentication service like OpenID?
(Seriously, that's a question: Why don't more people use OpenID? Is there something wrong with it?)
> So this is essentially delegating authentication to the user's Email service. Delegating authentication seems like a good idea: fewer passwords to forget and more conveniene. So why not delegate to a proper authentication service like OpenID?
Because the user is more likely to have email than OpenID, so delegating to an option of one or the other is more complex, and delegating to only the latter is limiting your market.
But either way the user has to sign up to something. When you delegate to Email you still have to initially create an account with the site's specialised authentication system. You'd just replace that process with creating an OpenID account.
But yeah, I guess saying "now go to this 3rd party website and create an OpenID account" is pretty ugly. I wonder if it's possible to have your own "sign up" page that's a proxy for creating an OpenID with a 3rd party provider?
Mozilla Persona [0] is a similar system that IMO would work quite well, but unfortunately there is very little adoption. It's kind of weird and sad to think about quality/usability of software versus the adoption of said software.
There was an interesting discussion of the problems of Persona here https://news.ycombinator.com/item?id=7243141
(this is kind of in the middle of a conversation but has the first post by Saurik which is the interesting bit)
OpenID is basically a permanent man-in-the-middle. It's otherwise great, so long as you don't mind your OpenID identity provider knowing about every site/service you use, and every time you choose to use them. Persona is a big step forward in that regard, but neither get around the fact that, in most cases, users are going to be entrusting control over a bunch of their accounts to a third party.
OpenID Connect is what you'd want to support, not OpenID 2.0. Google, probably the largest OpenID provider, is shutting down OpenID 2.0 support altogether in a year, and has turned off access to new clients as of this month. Thus, issue 1: access to your app is suddenly reliant on a third party, who can at any point decide to turn that access off.
Issue 2: tech-phobic people don't trust OpenID, OAuth, etc. I'm working with a client who wanted "single sign on" with a tolerated competitor in the same space (nonprofit, don't ask); that competitor's tech guy advocated for OpenID, and OpenID became a hard requirement. The problem: the client's membership fought tooth and nail throughout alpha & beta rollouts (change is scary. are we giving google/yahoo our information? we don't understand it. we're not a bank, why do we need tighter authentication? etc) and it was eventually scrapped in favor of a traditional login.
I don't know who started this, but I've noticed recently after installing Slack app on Android that they went the same way. I found it very convenient. After all anyone can reset my password using email so why bother creating it all? Just send me the auth token as link in email. The app registers itself to open on such link and it works nicely.
I think this is a positive move. My gmail for instance is one of the better-protected services I use: I have a ludicrous password and 2FA. The reset options only include dialling my mobile (not voicemail) or emailing another account (which isn't otherwise associated with me to anyone who knows me), which is also protected by a strong password.
Why not allow Apps to not use passwords in this case?
In addition (for me) the app would be on my mobile, which is passcode protected (and fingerprint). Beyond that security you have full access to my email anyway, so what's any additional app password going to provide?
since you need the device (which you're presumably steeling) AND the passcode for it, does this make it 2FA? I think I've read Apple claim as much in a Data Protection document, but I wonder whether you can really count the device you're trying to log in TO as one of the Factors?
Wouldnt the unique identifier or Auth token be the password? Sure it is more convenient for the User not having to remember there password, but it is not necessarily more secure.
A friend of mine has been very passionate about the idea of getting rid of passwords and built a proof of concept version of this a few months ago [0]. He also gave a very good talk about it at a JavaScript meet up [1].
I like the idea. It's essentially SFA, Single Factor Authentication, opposed to MFA, but chose the "what you have" aka an email factor rather than "what you know" aka a password.
From a compliance standpoint (ignoring security feature), would this be allowed?
From a security standpoint, not sure this is any better/worse than social login or receiving an SMS. Most of the time you have all these portals (including email) already authenticated so it doesn't really make a difference which you use. The nicety is that you can basically track your logins through email which is pretty neat.
From a usability standpoint, I feel like an SMS would make more sense? I turn off push notifications for email because I receive too many, but I'd be able to read the number from the text and type it in right away (assuming that you'd use standard MFA tokens). Maybe the difference is more between using a 6-digit PIN instead of a link than the source it's received.
I've always thought waiting for a damn registration email was the worst part of the typical sign-up process. Not sure this saves much user frustration.
Drop the email field altogether and you might have something refreshing.
Yeah, it's assuming your email provider has very strong security. If you're using gmail, yahoo, ms or any reputable provider, it probably is pretty secure.
I agree that on a mobile device you should only have to log in once and be remembered forever (if someone compromises your phone, you have bigger issues), but I think that requiring a password (or OAuth, etc) on a non-mobile experience is a pretty good idea.
Although they say it is a "one time password" which is smart, email is still assumed to be not secure. Like for example, you wouldn't want to send your SSN through email because servers along the way can possibly sniff it. So, while it seems safe in most situations to do this, I feel that it probably isn't 100% safe but maybe good enough for most people.
What is the risk though? If someone did steal your one time link and get into the app could you somehow prevent them from continuing to access it? And what could they do in the app -- change your address and buy stuff on your credit card and send it to themselves? Feels like there is just some tiny level of risk here that probably wouldn't happen... but I wouldn't feel completely safe with this.
The way I see it, every single app that uses email for password resets (usually by emailing a link, sometimes a code) already relies on the security of email.
Even if you have the most secure password in the world, if an attacker compromises your email account, they can simply send a password reset email. It's the weakest link.
I havent followed too closely the state of secure email delivery, but I would guess that even today a huge percentage of people both send and receive email in clear text over easily intercepted links.
this option only makes sense if email delivery can be guaranteed to be secure, and the recipient has non-password-based (two factor) auth.
Well, currently almost all password resets work over email. If you can read my email, you can reset all passwords for my bank accounts, shopping site accounts, etc. this solution is no worse than others.
Well, bye bye users.
Greylisting is so common these days - emails don't arrive straight way. Who wants to wait 5 minutes (assuming your mailserver tries that often on a greylist) to login to an app?
Appreciate what they're trying to do, but I think this is a bad idea.
edit: As tootie points out, it would be possible to use a "whitelisted" company.
This can be mitigated by paying a mass mailing company that's on all the whitelists. Of course, the makes it sort of a racket, but at least it's an option.
I have a question. Why not SMS? Is it because sending an SMS globally is more of a hassle then sending email? Or that with email we assume the entire channel has some protection layer to it, where as in SMS the security is due to the fact that we're using an entirely different channel? Simply intercepting an SMS (if you actually manage to do that) won't be enough as you would also need the username. In the email approach, don't most places use your email as a username??
I am just talking generally, not specific to this app
To me, this just seems a little silly. I can't imagine how difficult it will be to maintain a persistent, user-friendly account with this method. An emailed link every time a user wants to log in? Just plain silly.
Passwords are still widely used, and for good reason. I partially accept your point of passwords not being very secure, but why not just spend some time implementing a 2FA login method, instead of this?
63 comments
[ 3.3 ms ] story [ 107 ms ] threadThat doesn't sound very safe. Does this use some form of OTP that's passed via a special URL that only works with the mobile app? If so that sounds better than what I'm thinking.
The article says that it's a one-time link, so I assume that means that the same link can't be used twice. If someone had access to my email, they'd have to use that link before me, which is a very small window of time (submitting the form in the app and then opening an email, ~15 seconds tops).
"Why do you need people's name and email? The above screenshot looks like an APP. You already have a way to reach them: in-app notifications. And why do you need their name until they purchase something?"
But ironically, the resulting page said "Please enter correct password. Spam free wordpress." LOL
As for name and email -- Shop It To Me is not just an app but also a website and email service and so we need a way to link them all together. If we did not have an email and the member lost their phone, they'd lose their account forever.
People have to opt-in to in-app notifications. If they press no intentionally or accidentally, recovery is far, far more difficult. Email is much easier and more controllable than notifications.
True, but not for the user. I would much rather accept notifications than type in my email address. I avoid the risk of getting spammed, don't need to decide what email to use, don't need to decide if I trust the developer. And with app notifications, the ability to unsubscribe is much more consistent and reliable.
Do we end up with a system that's of equal or higher safety?
Agreed that convenience is definitely up, since we have email clients built into everything.
That being said, for sites this that are more concerned with "verification" than "authentication" this seems like a viable approach.
Jesus. Seriously, there's one of these every two weeks. Guess what, secure login links via email have been used for.... a decade? Longer?
(Seriously, that's a question: Why don't more people use OpenID? Is there something wrong with it?)
http://openid.net/get-an-openid/what-is-openid/
Because the user is more likely to have email than OpenID, so delegating to an option of one or the other is more complex, and delegating to only the latter is limiting your market.
But yeah, I guess saying "now go to this 3rd party website and create an OpenID account" is pretty ugly. I wonder if it's possible to have your own "sign up" page that's a proxy for creating an OpenID with a 3rd party provider?
People are likely to remember their email if they have one, but URLs are disappearing from user interfaces (see Chrome, Safari, Mobile Safari, etc.).
A user probably already has email, thus it usually isn't required. Unlike openID
They do seem to moving towards OpenID Connect though, which is just a identity layer on top of OAuth 2.0
[0] https://www.mozilla.org/en-US/persona/
Issue 2: tech-phobic people don't trust OpenID, OAuth, etc. I'm working with a client who wanted "single sign on" with a tolerated competitor in the same space (nonprofit, don't ask); that competitor's tech guy advocated for OpenID, and OpenID became a hard requirement. The problem: the client's membership fought tooth and nail throughout alpha & beta rollouts (change is scary. are we giving google/yahoo our information? we don't understand it. we're not a bank, why do we need tighter authentication? etc) and it was eventually scrapped in favor of a traditional login.
Why not allow Apps to not use passwords in this case?
In addition (for me) the app would be on my mobile, which is passcode protected (and fingerprint). Beyond that security you have full access to my email anyway, so what's any additional app password going to provide?
since you need the device (which you're presumably steeling) AND the passcode for it, does this make it 2FA? I think I've read Apple claim as much in a Data Protection document, but I wonder whether you can really count the device you're trying to log in TO as one of the Factors?
[0] https://github.com/handshakejs [1] http://vimeo.com/90883185
From a compliance standpoint (ignoring security feature), would this be allowed?
From a security standpoint, not sure this is any better/worse than social login or receiving an SMS. Most of the time you have all these portals (including email) already authenticated so it doesn't really make a difference which you use. The nicety is that you can basically track your logins through email which is pretty neat.
From a usability standpoint, I feel like an SMS would make more sense? I turn off push notifications for email because I receive too many, but I'd be able to read the number from the text and type it in right away (assuming that you'd use standard MFA tokens). Maybe the difference is more between using a 6-digit PIN instead of a link than the source it's received.
Drop the email field altogether and you might have something refreshing.
I think my attention time out for this would be 30-45 seconds.
(I don't know about you, but I can't think of anything more distracting than my email inbox.)
I know it's not popular on HN, but we already have a simple method that removes passwords: OAuth.
What I learned from FtC is that people are so ingrained with the idea of passwords that single factor auth doesn't really fly.
What is the risk though? If someone did steal your one time link and get into the app could you somehow prevent them from continuing to access it? And what could they do in the app -- change your address and buy stuff on your credit card and send it to themselves? Feels like there is just some tiny level of risk here that probably wouldn't happen... but I wouldn't feel completely safe with this.
Even if you have the most secure password in the world, if an attacker compromises your email account, they can simply send a password reset email. It's the weakest link.
this option only makes sense if email delivery can be guaranteed to be secure, and the recipient has non-password-based (two factor) auth.
Appreciate what they're trying to do, but I think this is a bad idea.
edit: As tootie points out, it would be possible to use a "whitelisted" company.
I am just talking generally, not specific to this app
Passwords are still widely used, and for good reason. I partially accept your point of passwords not being very secure, but why not just spend some time implementing a 2FA login method, instead of this?