First of all, I fully understand the rationale behind the team’s decision to go password-less for the beta, and I don’t expect anything to change because of this post. Nevertheless, I’d like to express my displeasure with the increasingly popular password-less authentication. Please feel free to ignore, disagree, or comment. I could be totally wrong, or just a loud minority
Password-less is not more secure
Password-less !== secret-less. Even though password-less authentication eliminates the entering and storing of passwords, it still relies on a secret being emailed around to authenticate the user—the sign-in link.
Sure, it expires after 15 minutes. But anyone who gets a hold of that link before it expires basically has full access to the user’s account. And emails are completely insecure by default. Here is one scenario where things can go wrong:
Hacker Alice is casually capturing packets using Wireshark in a cafe’s open Wi-Fi network. Camper Bob also joins the network and requests a sign-in link from freeCodeCamp. He has recently claimed his frontend certificate and is going to a job interview in an hour. Unbeknownst to him, his ISP-provided webmail is unencrypted. So his email credentials along with freeCodeCamp sign-in link are all transmitted in plaintext. While Bob is busy Googling interview strategies, Alice notices her “catch”. Just for kicks, she visits Bob’s freeCodeCamp sign-in link before he can, and deletes his entire account.
OK, there are a lot of if’s for something like this to happen, but you know what Murphy’s Law says…
Password-less does not solve the account duplication issue
Simply put, what if the user has multiple email addresses and forgets which one was used to sign up? This actually happened to me.
When Medium first came out, I signed up for an account, played around with it, and then forgot about it. Later, freeCodeCamp adopted Medium as the publishing platform of choice. Remembering my Medium account, I attempted to sign back in.
I tried all three of my frequently used email addresses (I have accumulated over a dozen of those over the years), but each time Medium created a new account for me. Frustrated, I signed in using Twitter OAuth instead. To this day, I am still unable to recover my preferred Medium username (https://medium.com/@leonfeng).
Password-less is a PITA for users of password managers
I use LastPass to manage my passwords. Typically, LastPass will prompt me to save a new site right after I create a new account. With password-less, I get no prompt because there is no password field.
The password-less authentication flow is also extremely slow in comparison. With password-ful websites, even if you disable autofill, it’s usually one or two clicks and you’re in. No need to fire up your email client or another browser tab (both are slow if you have an old laptop like me).
End of rant. Just to reiterate, I understand the issues with password-ful authentication and OAuth. I just don’t think password-less à la Medium solves any of those issues.
There is, however, a different password-less and secret-less authentication method called SQRL. It has been under active development for a few years now and is almost ready for prime time. Maybe it’s of interest to the freeCodeCamp team?
My apologies if this has been brought up before. I didn’t find a similar discussion anywhere. Peace~