We at WhoAPI are almost done with the MVP version of the service. The API works but the website with client administration is still due.
I was thinking about creating something completely new for users to log in to the service. A passwordless login!
Let me explain:
Facebook & Google use dual authorization for maximum security (an opt-in feature). For example, you open Facebook on your new computer, click log in, wait for the SMS with the temporary password to arrive, enter the password, and you're in for good on that particular computer/browser.
What if all websites worked like this, but only with a temporary password for a one-time login? So imagine you come to a service like whoapi.com, enter your email and click the log-in button; a password arrives by email/SMS (depending on how you set up your account), you enter it and voilà, it works, with no password to remember. Every time you come back, the session stays alive. If you're on a computer you don't own, just log out and the authorization for that computer/browser gets deleted.
Why do we trouble ourselves with remembering long, strange passwords we are forced to create? For example: the password must include at least one capital letter and at least one number, and be 8 to X characters long. Come on, that sucks! I developed a technique of my own to have different passwords on all websites in a way that is easy to remember. That's good, but then one more website forces me to enter a non-alphanumeric character and everything changes, again! I know, you can use Roboform, 1Password or similar tools, but I don't want to use any tools on any device!
A breakthrough for security when passwords leak! I was just reading how EA Origin accounts got hacked, and they now advise all users to change their passwords. This is bad! If they had a system like this one, they (EA in this example) would just deauthorize all computers without bothering their users about it.
As the subject says, what do you think about logging in to websites without a password at all?
P.S. A password can be an optional "thing" :)
First of all, I think this should be left for a later stage.
Regarding the idea itself, I think it's fantastic. I can even add on to that. For example, you just enter your mobile number, and we use Twilio or TelAPI to send a PIN for logging in. It expires in a few minutes, the user can log in quickly, doesn't have to remember anything, max security, no captcha needed, etc.
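To make the flow from the opening post (email/SMS code, long-lived session per browser, log out on a shared computer, deauthorize everyone after a breach) and the SMS PIN variant from the reply above concrete, here is an added example in Python. It is not code from WhoAPI or from anyone in this thread. It assumes an in-memory store and a stand-in "outbox" list in place of a real email or SMS gateway such as Twilio; the user identifiers are constructed sample data. The points a practitioner would check are in it: codes are stored as a keyed HMAC rather than in the clear, compared in constant time, single-use, time-limited, and a short PIN gets a guess limit so it cannot simply be enumerated.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a one-time code expires after five minutes
MAX_ATTEMPTS = 5         # wrong guesses allowed before a pending code is discarded


class PasswordlessLogin:
    """Passwordless login with one-time codes delivered out of band.

    Assumption: pending codes and sessions live in plain dicts here; a real
    service would keep the same shape in a database or cache.
    """

    def __init__(self, clock=time.time):
        self.clock = clock                     # injectable so expiry can be tested
        self.secret = secrets.token_bytes(32)  # server-side key for the HMAC below
        self.pending = {}    # identifier -> {"digest", "expires_at", "attempts"}
        self.sessions = {}   # session token -> identifier
        self.outbox = []     # stand-in for the email/SMS gateway: (identifier, code)

    def _digest(self, identifier, code):
        # Keyed hash instead of the raw code: a leaked pending table cannot be
        # replayed, and a 6-digit PIN cannot be brute-forced offline without the key.
        return hmac.new(self.secret, f"{identifier}:{code}".encode(),
                        hashlib.sha256).hexdigest()

    def request_code(self, identifier, channel):
        """Issue a fresh code and hand it to the delivery channel.

        SMS gets a 6-digit PIN (typeable), email gets a long URL-safe token
        (magic link). Any earlier pending code for this identifier is replaced.
        """
        if channel == "sms":
            code = f"{secrets.randbelow(10**6):06d}"
        elif channel == "email":
            code = secrets.token_urlsafe(32)
        else:
            raise ValueError("unknown channel")
        self.pending[identifier] = {
            "digest": self._digest(identifier, code),
            "expires_at": self.clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.outbox.append((identifier, code))   # never log the code elsewhere

    def verify(self, identifier, code):
        """Exchange a code for a session token, or return None.

        The code is single-use: it is dropped on success, on expiry, and after
        MAX_ATTEMPTS wrong guesses. The guess limit is what makes a short PIN safe.
        """
        entry = self.pending.get(identifier)
        if entry is None:
            return None
        if self.clock() > entry["expires_at"]:
            del self.pending[identifier]
            return None
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["digest"], self._digest(identifier, code))
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[identifier]
        if not ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = identifier
        return token

    def whoami(self, token):
        """Identifier bound to a session token, or None once it is revoked."""
        return self.sessions.get(token)

    def logout(self, token):
        """Drop one browser's session: the 'log out on a shared computer' case."""
        self.sessions.pop(token, None)

    def deauthorize_all(self, identifier):
        """Revoke every session of a user after a suspected compromise, without
        asking anyone to change a password. Returns how many were dropped."""
        dead = [t for t, who in self.sessions.items() if who == identifier]
        for t in dead:
            del self.sessions[t]
        return len(dead)


def demo():
    """Email flow, then an expired SMS PIN, under a fake clock (constructed data)."""
    now = [1_000_000.0]
    login = PasswordlessLogin(clock=lambda: now[0])
    login.request_code("alice@example.com", "email")
    _, code = login.outbox[-1]                               # "the email arrived"
    assert login.verify("alice@example.com", "wrong") is None
    token = login.verify("alice@example.com", code)
    assert login.whoami(token) == "alice@example.com"
    assert login.verify("alice@example.com", code) is None   # single use
    login.request_code("alice@example.com", "sms")
    now[0] += CODE_TTL_SECONDS + 1                           # wait past expiry
    assert login.verify("alice@example.com", login.outbox[-1][1]) is None
    return login.deauthorize_all("alice@example.com")        # one live session revoked


if __name__ == "__main__":
    print(demo())
```

The lockout after five guesses and the five-minute window are parameters to tune per channel: a 6-digit PIN with five attempts gives an online guesser roughly a 1 in 200,000 chance per code, while the email token is long enough that no guess limit is needed for it. The one thing this cannot protect against is what the next reply points out, a stolen phone or mailbox, so the email and SMS accounts become the thing to protect.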
If you are being targeted … I'll just lift your phone (reset it if it has a pesky PIN) and then proceed to jump into all of your sites without having to track down all those long, annoying passwords you may have forgotten … no system is foolproof.
If I find my phone or mail account stolen, then I guess nothing can stop the thief from accessing all the accounts. But then again, this method is more secure than basic password storage in the local DB. I don't like it when every now and then some service gets hacked and they force me to update my password; they break my own system of remembering passwords. I know, it's about my own habits. :)