by 3pt14159 1098 days ago
Why do I need a password at all for 99.99% of apps or websites?

If I lose a password, what do I almost always have to do?

1. Email account recovery link.

2. Input auth code sent from text message or authenticator app. [Optional.]

3. Make new random password I'm going to forget or lose.

Why bother with this? If email is the reset mechanism why does the industry care so much about getting passwords from users?

1. Email sign-in link.

2. Input auth code. [Optional]

Every other part of this whole chain gets simpler. No more password strength checking code. No multiple auth paths. No issues with anything. Just a single email with at most two links, one for browser sign in, one for app sign in.

If you really, really, really need to you can add one or two QR codes so these hypothetical people that don't have email on their phone can sign into the app.
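The flow the post describes (an emailed sign-in link, with an optional code a user can type on the device that started the request) comes down to a small piece of server-side state. The following is an added illustration, not code from the post or from any product mentioned in it, written from the service's side: it issues a single-use link token and a 6-digit code for one sign-in request, stores only their digests, expires both after a fixed window, and caps how many times a code may be guessed. The class and function names, the 15-minute window, the attempt budget and the link URL shape are all assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # emailed link and code stop working after 15 minutes (assumed)
MAX_CODE_ATTEMPTS = 5         # a 6-digit code has only 10**6 values, so guesses must be capped


def _digest(secret: str) -> bytes:
    # Only digests are stored, so a leaked table of pending requests holds no usable secret.
    return hashlib.sha256(secret.encode()).digest()


class MagicLinkService:
    """Issue and redeem single-use email sign-in links and 6-digit codes.

    Constructed in-memory example (hypothetical name); a deployment would keep the
    same fields in a database. `now` is injectable so expiry can be exercised.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # request_id -> record of one outstanding sign-in

    def request_sign_in(self, email: str):
        """Start a sign-in. Returns (request_id, token, code).

        request_id stays with the device that asked (e.g. in a cookie); token goes in
        the emailed link, e.g. https://example.test/login?r=<request_id>&t=<token>
        (placeholder URL); code goes in the email body for a device without mail access.
        """
        request_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)          # 256 bits: not guessable, no attempt cap needed
        code = f"{secrets.randbelow(10**6):06d}"   # short enough to type, hence the attempt cap
        self._pending[request_id] = {
            "email": email,
            "token_hash": _digest(token),
            "code_hash": _digest(code),
            "expires_at": self._now() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return request_id, token, code

    def _live(self, request_id: str):
        # Return the pending record if it exists and is unexpired; drop it otherwise.
        rec = self._pending.get(request_id)
        if rec is None:
            return None
        if self._now() > rec["expires_at"]:
            del self._pending[request_id]
            return None
        return rec

    def redeem_link(self, request_id: str, token: str):
        """Clicked link: succeeds at most once, after which the request is gone."""
        rec = self._live(request_id)
        if rec is None or not hmac.compare_digest(rec["token_hash"], _digest(token)):
            return None
        del self._pending[request_id]   # single use
        return rec["email"]

    def redeem_code(self, request_id: str, code: str):
        """Typed code: same as the link, plus a guess budget on the short secret."""
        rec = self._live(request_id)
        if rec is None:
            return None
        rec["attempts"] += 1
        if rec["attempts"] > MAX_CODE_ATTEMPTS:
            del self._pending[request_id]   # budget exhausted: the whole request is void
            return None
        if not hmac.compare_digest(rec["code_hash"], _digest(code)):
            return None
        del self._pending[request_id]   # single use
        return rec["email"]


if __name__ == "__main__":
    svc = MagicLinkService()
    rid, tok, code = svc.request_sign_in("alice@example.test")  # constructed address
    print("emailed code:", code)
    print("link redeemed for:", svc.redeem_link(rid, tok))
    print("second click:", svc.redeem_link(rid, tok))
```

Two points the design leans on: the link token is long enough that a wrong guess costs nothing, while the typed code is short enough that the request must be voided after a handful of wrong guesses rather than left open for a million attempts; and both secrets are tied to the `request_id` held by the device that asked, so a code seen in a mailbox is useless without that device.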

2 comments

> Why bother with this? If email is the reset mechanism why does the industry care so much about getting passwords from users?

Because you may not have access to your e-mail from the device where you want to use that service.

For example, I don't need to have access to my e-mails from my tablet as I'm always reading/writing them on a computer with a keyboard. So I don't want to set up access to my e-mails from my tablet, as it reduces the risks of a bad app leaking them or leaking my credentials.

I covered this in my comment with QR login codes.

Plus, if you really want to, you could also have a one-time use 6-digit code for login also sent in the email and it would be better for the majority of people that do not use a password manager.

Or if you really, really, really must have your passwords then please invert the default to where login via link is the primary mechanism and passwords are optional on a per-account basis.

I think they do this in Europe. I believe that there is still loss of some security. With email only you could lose all your accounts.

So, while I mostly agree overall, especially with respect to silly little things that aren't likely to hurt anyone, I do think there's a compelling case for password and two-factor.

As it stands, you have to know something and have something. Making it so you only need to have something is better than making it so they only know something.

However, that second factor seems like a good idea; though I will admit that it's probably unlikely that a thief would have the motivation to crack your phone to get your email; is this even easily achievable?