Hacker News
by cpburns2009 3295 days ago
Why would I want to go through the hassle of requesting a new non-password to be sent to my email, wait to receive my non-password, and then log in using that non-password every single time I want to log in? I will happily let my web-browser remember my password, or store it in a password manager if it needs to be secured.
2 comments

Square Cash is the most prominent example I know of for an email-based passwordless login system, and I personally really like it.

> then log in using that non-password every single time I want to log in?

The key piece of UX in these systems is you don't make the user do this every time, but rather only when logging in on new devices, and after a reasonable expiration date, say 30 days.

For the average HN user, this might not be much of an improvement in terms of security or UX compared to a regular password system when used with a good password manager. The average internet user is and always will be much less sophisticated, however, and is someone who can manage to regularly forget even their really crappy passwords (if they use more than 1 password to begin with).

For the average user, I think this system improves both UX and security by a large degree because for UX, it removes the need to remember more than 1 password (the password to your email serves as your master password), and for security, it verifies identity using the ability to access an email and a device (browser) rather than the mere knowledge of an email and a password.
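The flow the comment above describes (a mailed one-time link, then a remembered device for about 30 days) as an added example, not code from anyone in this thread: an in-memory store stands in for the database, the mailer is a stub that records what it would have sent, the 15-minute link lifetime is an assumed policy, and the `example.invalid` URL is constructed. The clicked token is stored only as a SHA-256 hash, is single-use, and on success mints a device session that keeps the user logged in without another email.

```python
"""
Added example (not from the HN thread): a minimal email magic-link login
flow. The link token is hashed at rest, single-use and short-lived; a
successful click issues a device session that lasts 30 days, so the user
is only mailed again on a new device or after that window.
"""
import hashlib
import secrets
import time

LINK_TTL = 15 * 60            # magic link valid for 15 minutes (assumed policy)
DEVICE_TTL = 30 * 24 * 3600   # remembered device valid for 30 days, as in the comment


def _digest(token: str) -> str:
    # Store only the hash: a leaked store cannot be turned back into live links.
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkAuth:
    def __init__(self, clock=time.time):
        self.clock = clock     # injectable clock so expiry can be exercised offline
        self.pending = {}      # link-token hash -> (email, issued_at)
        self.devices = {}      # session hash -> (email, issued_at)
        self.outbox = []       # (email, link) pairs the stub mailer "sent"

    def request_link(self, email: str) -> None:
        """Step 1: user enters an email address; we mail a one-time link."""
        token = secrets.token_urlsafe(32)
        self.pending[_digest(token)] = (email, self.clock())
        # Constructed URL for the stub mailer; a real service uses its own domain.
        self.outbox.append((email, f"https://example.invalid/login?token={token}"))

    def redeem_link(self, token: str):
        """Step 2: user clicks the link. Returns a device session or None."""
        entry = self.pending.pop(_digest(token), None)   # pop: single-use
        if entry is None:
            return None
        email, issued = entry
        if self.clock() - issued > LINK_TTL:
            return None                                  # stale link
        session = secrets.token_urlsafe(32)
        self.devices[_digest(session)] = (email, self.clock())
        return session

    def whoami(self, session: str):
        """Step 3: later visits present the device session instead of email."""
        key = _digest(session)
        entry = self.devices.get(key)
        if entry is None:
            return None
        email, issued = entry
        if self.clock() - issued > DEVICE_TTL:
            self.devices.pop(key, None)                  # force a fresh link
            return None
        return email
```

A real deployment would keep `pending` and `devices` in a database, set the session in an `HttpOnly`, `Secure` cookie, and rate-limit `request_link` per address so the mailer cannot be used to flood inboxes.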

This simply sounds like a forced password reset scheme which I don't see the benefit of. Standard passwords can accomplish exactly the same thing with the added advantage of allowing instant log-in if you remember your password.
Certificates are used but can be a hassle cross-platform. Email is insecure, so I don't love that idea. Emails are plaintext moving around the internet and can be snooped on (doesn't mean they are, but it's much easier than a TLS client-to-server connection).