[Rant] The case against password-less authentication


#1

First of all, I fully understand the rationale behind the team’s decision to go password-less for the beta, and I don’t expect anything to change because of this post. Nevertheless, I’d like to express my displeasure with the increasingly popular password-less authentication. Please feel free to ignore, disagree, or comment. I could be totally wrong, or just a loud minority :man_shrugging:

Password-less is not more secure

Password-less !== secret-less. Even though password-less authentication eliminates the entering and storing of passwords, it still relies on a secret being emailed around to authenticate the user—the sign-in link.

Sure, it expires after 15 minutes. But anyone who gets a hold of that link before it expires basically has full access to the user’s account. And emails are completely insecure by default. Here is one scenario where things can go wrong:

Hacker Alice is casually capturing packets using Wireshark in a cafe’s open Wi-Fi network. Camper Bob also joins the network and requests a sign-in link from freeCodeCamp. He has recently claimed his frontend certificate and is going to a job interview in an hour. Unbeknownst to him, his ISP-provided webmail is unencrypted. So his email credentials along with the freeCodeCamp sign-in link are all transmitted in plaintext. While Bob is busy Googling interview strategies, Alice notices her “catch”. Just for kicks, she visits Bob’s freeCodeCamp sign-in link before he can, and deletes his entire account.

OK, there are a lot of if’s for something like this to happen, but you know what Murphy’s Law says…

Password-less does not solve the account duplication issue

Simply put, what if the user has multiple email addresses and forgets which one was used to sign up? This actually happened to me.

When Medium first came out, I signed up for an account, played around with it, and then forgot about it. Later, freeCodeCamp adopted Medium as the publishing platform of choice. Remembering my Medium account, I attempted to sign back in.

I tried all three of my frequently used email addresses (I have accumulated over a dozen of those over the years), but each time Medium created a new account for me. Frustrated, I signed in using Twitter OAuth instead. To this day, I am still unable to recover my preferred Medium username (https://medium.com/@leonfeng).

Password-less is a PITA for users of password managers

I use LastPass to manage my passwords. Typically, LastPass will prompt me to save a new site right after I create a new account. With password-less, I get no prompt because there is no password field.

The password-less authentication flow is also extremely slow in comparison. With password-ful websites, even if you disable autofill, it’s usually one or two clicks and you’re in. No need to fire up your email client or another browser tab (both are slow if you have an old laptop like me).

End of rant. Just to reiterate, I understand the issues with password-ful authentication and OAuth. I just don’t think password-less à la Medium solves any of those issues.

There is, however, a different password-less and secret-less authentication method called SQRL. It has been under active development for a few years now and is almost ready for prime time. Maybe it’s of interest to the freeCodeCamp team?

My apologies if this has been brought up before. I didn’t find a similar discussion anywhere. Peace~


#2

Here is @QuincyLarson’s article about going password-less: 360 million reasons to destroy all passwords.

Naturally you’re not required to agree with all the reasoning.

Going password-less was not (to my knowledge) an effort to address the account duplication. Just to add some clarity, the account duplication that users experienced was due to supporting multiple OAuth methods. In this case, users would create duplicate accounts by attempting to sign in with a different method but since both were connected to the same email address, they believed that their accounts had been deleted. Not being able to remember which email address someone signed up with is not related to the password-less login one way or the other.

I also use password managers, but I don’t really see a big problem here. Free Code Camp will require you to authenticate every time that you sign in with a new device. Unless you are frequently using new devices or purging your browser’s local storage, you should be fine. Your password manager can still help you remember what email address you signed up with.


#3

The only issue I see with password-less authentication is if an email address you used to control is no longer yours. This has actually happened to me. At one point I owned over 25 domains and had various email addresses associated with many of them. As time went on I started to not renew the domains and each time had to remember where I had used the old email address and log into an app/website to update to a new email address.

If I had signed up for an account on a website that used to use normal authentication methods and then no longer had access to my old email address, because I let that domain expire, I run into trouble when I go to sign in with password-less email authentication, because an email gets sent to an account that I no longer own. If someone were to have bought my old domain and added a catch-all email address for the domain, this other person would now have access to my account.

As long as there is a way to have an admin manually update my account to a new email address, then there is no issue. Many times, there is no such ability, because most systems are automated.


#4

Hi @leonfeng, because virtually every service uses email-based password reset, passwords are essentially meaningless. They add a ton of vulnerability (passwords can be guessed or cracked) without adding any real security.

Even if you have the best password on earth, there will still be an email recovery option, so all of those issues with SMTP mentioned in the article don’t seem to be relevant here.

Your packet capturing situation is relevant, and having to use email auth to sign in to a new device marginally increases the likelihood of interception. A majority of people use either Gmail or an Apple mail app, both of which encrypt emails in transit. The “at rest” risk would imply either you’ve compromised the mail server or you’re a government powerful enough to force companies to hand over your email.

So balance that tiny increase in risk against the massive risk associated with people using bad passwords, and I think you’ll agree that passwordless is much safer.

Regarding your password manager argument, I use a password manager and it’s a pain on mobile. I have to use my password to sign into it, then copy/paste the password into the form. This takes around a minute. I think getting a one-time email to authenticate the device would be much faster for me.

The only situation where I think passwordless would be considerably slower would be if you always clear your sessions or always surf incognito, which would mean you’d have to reauthenticate every time you visited freeCodeCamp.org.


#5

Passwordless won’t by itself address account duplication. We “solved” that when we restricted signups to just email addresses (as opposed to social auth). I say “solved” in quotation marks because we aren’t getting any new instances of account duplication, but there are a ton in the system and some day we’ll need to figure out a way to merge them.

The reason we’re moving to Passwordless is for convenience (for the 99% of people who don’t use password managers) and for security.


#6

There will be situations where accounts are “orphaned” and the email address associated with them is no longer available.

I suspect we’ll just have to handle those situations on a case-by-case basis.

There’s no way to know how many people will have this issue. I already get a few emails a week from people who want to reset their password, but can’t access the email address their account is associated with. So I imagine we’ll get some multiple of that.


#7

Thank you all for your thoughtful replies to my ranting. My eyes are opened :slight_smile:

I was originally going to suggest two-factor authentication, but it makes life even more complicated. And since all passwords have been purged from production, I guess 2FA is out of the question.

And yes, it’s not that hard to manually add an entry for a passwordless website in LastPass. I was just too used to the Save New Site prompt to remember to do so. Now that I’ve learned my lessons, I should be able to avoid ever forgetting my sign-up email address again.

@QuincyLarson glad to hear that there’s no more account duplication. This proves I’m living in my own bubble. As long as the majority of users are happy I’m all good~


#8

This community really is a magical corner of the internet where people passionately assert opposing views and it ends with everyone saying “Thanks for your thoughtful response.” :rainbow: :unicorn: :mage: :star2:


#9

One scenario not mentioned is losing your smartphone. Most people use email on their smartphone. Email access does not require a password once the account has been set up - that is convenient, but also a serious security flaw. The only barrier to entry is the smartphone’s passcode. In other words, if someone steals your smartphone and it isn’t locked (i.e. within, say, 5 minutes of having used it, which is a normal timeframe before the phone locks), the phone thief can use your email accounts to access email-authenticated accounts. I guess the lesson here is to have a short auto-lock on your smartphone. The fingerprint feature is a big win since you can have it lock as soon as it’s turned off and not be annoyed with having to deal with frequent passcode access.


#10

That’s just as much of a problem with password-based authentication, though. It only takes a couple of clicks to issue a password reset, which then gets sent to that same email account.

The difference is that the password-based authentication has an additional security flaw, namely that any leaked passwords often give access to accounts on other services (as people use the same password across multiple sites). And the consequences of that would be much more severe than losing your fCC progress.


#11

Use quantum encryption.

Not really sure what it is, but I have heard of people saying it’s a good way.


#12

Definitely not a fan of the password-less authentication. :frowning:


#13

[redacted because people will think I speak for FCC instead of for myself]