Passwordless login (with magic link / code in email)

[rmarronnier]

Passwordless login is a divisive authentification approach (mostly UX wise) but it has its benefits (https://medium.com/findworkco/password-less-login-df0354c3f3ee and https://medium.com/findworkco/password-less-login-continued-9f61bfda0175).
I'm implementing it by expanding/abusing the email confirmation logic from https://github.com/stephendolan/lucky_jumpstart but it'd be great if there was a cleaner upstream implementation.
Is this something you would consider adding ?
Also, this login method is often complemented with social logins. I can open a separate issue if that enters the scope of Shield.

[akadusei]

No, not now.

I thought about it in the early days of Shield, but decided to postpone consideration. There's not a lot of open research on passwordless at the moment.

The implementations I've read about seems to rely on sending tokens via email. Essentially, it's a single factor authentication using emailed tokens instead of passwords.

Email security is unreliable, so using it once in a while (eg: in password resets) may be acceptable. Relying on it regularly (eg: for logins) is questionable risky.

I may have skimmed through a paper (probably by Microsoft), that talks passwordless using public key crypto. This has worked for SSH for a long time; I guess the web is a different ball game.

Passwords must go at some point. But I think we need more extensive and conclusive research on alternatives.

[rmarronnier]

Thanks for your detailed answer.

The implementations I've read about seems to rely on sending tokens via email. Essentially, it's a single factor authentication using emailed tokens instead of passwords.

Yes, I'm putting aside non-email based solutions (biometrics / hardware crypto / sms / ...).

Email security is unreliable, so using it once in a while (eg: in password resets) may be acceptable. Relying on it regularly (eg: for logins) is questionable risky.

The gist of my choice in going with email magic links is in fact considering that password resets are magic links (some lazy/smart? people were using these as such before the advent of password managers). With password resets, the password or the email account can be compromised to have illegitimate access to your app. Without passwords, only the email account has to be compromised. I'm just putting the burden of security authentification in the hands of the email provider alone.

Passwords must go at some point. But I think we need more extensive and conclusive research on alternatives.

I'll let the security experts chime in :-)