[Rant] The case against password-less authentication

First of all, I fully understand the rationale behind the team’s decision to go password-less for the beta, and I don’t expect anything to change because of this post. Nevertheless, I’d like to express my displeasure with the increasingly popular password-less authentication. Please feel free to ignore, disagree, or comment. I could be totally wrong, or just a loud minority :man_shrugging:

Password-less is not more secure

Password-less !== secret-less. Even though password-less authentication eliminates the entering and storing of passwords, it still relies on a secret being emailed around to authenticate the user—the sign-in link.

Sure, it expires after 15 minutes. But anyone who gets a hold of that link before it expires basically has full access to the user’s account. And emails are completely insecure by default. Here is one scenario where things can go wrong:

Hacker Alice is casually capturing packets using Wireshark in a cafe’s open Wi-Fi network. Camper Bob also joins the network and requests a sign-in link from freeCodeCamp. He has recently claimed his frontend certificate and is going to a job interview in an hour. Unbeknownst to him, his ISP-provided webmail is unencrypted. So his email credentials along with the freeCodeCamp sign-in link are all transmitted in plaintext. While Bob is busy Googling interview strategies, Alice notices her “catch”. Just for kicks, she visits Bob’s freeCodeCamp sign-in link before he can, and deletes his entire account.

OK, there are a lot of if’s for something like this to happen, but you know what Murphy’s Law says…

Password-less does not solve the account duplication issue

Simply put, what if the user has multiple email addresses and forgets which one was used to sign up? This actually happened to me.

When Medium first came out, I signed up for an account, played around with it, and then forgot about it. Later, freeCodeCamp adopted Medium as the publishing platform of choice. Remembering my Medium account, I attempted to sign back in.

I tried all three of my frequently used email addresses (I have accumulated over a dozen of those over the years), but each time Medium created a new account for me. Frustrated, I signed in using Twitter OAuth instead. To this day, I am still unable to recover my preferred Medium username (Leon Feng – Medium).

Password-less is a PITA for users of password managers

I use LastPass to manage my passwords. Typically, LastPass will prompt me to save a new site right after I create a new account. With password-less, I get no prompt because there is no password field.

The password-less authentication flow is also extremely slow in comparison. With password-ful websites, even if you disable autofill, it’s usually one or two clicks and you’re in. No need to fire up your email client or another browser tab (both are slow if you have an old laptop like me).

End of rant. Just to reiterate, I understand the issues with password-ful authentication and OAuth. I just don’t think password-less à la Medium solves any of those issues.

There is, however, a different password-less and secret-less authentication method called SQRL. It has been under active development for a few years now and is almost ready for prime time. Maybe it’s of interest to the freeCodeCamp team?

My apologies if this has been brought up before. I didn’t find a similar discussion anywhere. Peace~

3 Likes
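As an added example (not code from the original post or from freeCodeCamp): a minimal sign-in-link issuer that keeps the 15-minute expiry the post describes but also makes the link single-use and binds it to a nonce that is set as a cookie in the HTTPS session that requested the link, so an email captured on the cafe Wi-Fi is not enough on its own. Class, method and address names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 15 * 60  # the 15-minute expiry the post describes


class MagicLinkIssuer:
    """Issues and redeems emailed sign-in links (assumed names, not fCC's code).

    The emailed token is only half of the secret. The other half (a nonce) is
    set as an HttpOnly cookie in the HTTPS session that asked for the link and
    never travels over SMTP, so it is not in a mail capture.
    """

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be exercised
        self._pending = {}   # sha256(token) -> (email, nonce, expires_at)

    def issue(self, email):
        """Return (token, nonce). Email the token; set the nonce as a cookie."""
        token = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(16)
        key = hashlib.sha256(token.encode()).hexdigest()  # store only a hash
        self._pending[key] = (email, nonce, self._now() + LINK_TTL_SECONDS)
        return token, nonce

    def redeem(self, token, nonce_from_cookie):
        """Return the signed-in email, or None if the link is unusable."""
        key = hashlib.sha256(token.encode()).hexdigest()
        record = self._pending.pop(key, None)  # single use: any attempt burns it
        if record is None:
            return None
        email, expected_nonce, expires_at = record
        if self._now() > expires_at:
            return None
        # Constant-time compare; someone holding only the email fails here
        if not hmac.compare_digest(expected_nonce, nonce_from_cookie):
            return None
        return email


def cafe_scenario():
    """Constructed replay of the post's Wireshark scenario; returns (alice, bob)."""
    issuer = MagicLinkIssuer()
    token, bob_cookie = issuer.issue("bob@example.com")  # constructed address
    alice = issuer.redeem(token, "")           # saw the mail, has no cookie
    bob = issuer.redeem(token, bob_cookie)     # link already burned: he must re-request
    return alice, bob
```

Bob's failed redemption is the signal to log and alert on, since the only way a fresh link is already burned is that someone else tried it first.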

Here is @QuincyLarson’s article about going password-less: 360 million reasons to destroy all passwords.

Naturally you’re not required to agree with all the reasoning.

Going password-less was not (to my knowledge) an effort to address the account duplication. Just to add some clarity, the account duplication that users experienced was due to supporting multiple OAuth methods. In this case, users would create duplicate accounts by attempting to sign in with a different method but since both were connected to the same email address, they believed that their accounts had been deleted. Not being able to remember which email address someone signed up with is not related to the password-less login one way or the other.

I also use password managers, but I don’t really see a big problem here. Free Code Camp will require you to authenticate every time that you sign in with a new device. Unless you are frequently using new devices or purging your browser’s local storage, you should be fine. Your password manager can still help you remember what email address you signed up with.

1 Like

Hi @leonfeng, because virtually every service uses email-based password reset, passwords are essentially meaningless. They add a ton of vulnerability (passwords can be guessed or cracked) without adding any real security.

Even if you have the best password on earth, there will still be an email recovery option, so all of those issues with SMTP mentioned in the article don’t seem to be relevant here.

Your packet capturing situation is relevant, and having to use email auth to sign in to a new device marginally increases the likelihood of interception. A majority of people use either Gmail or an Apple mail app, both of which encrypt emails in transit. The “at rest” risk would imply either you’ve compromised the mail server or you’re a government powerful enough to force companies to hand over your email.

So balance that tiny increase in risk against the massive risk associated with people using bad passwords, and I think you’ll agree that passwordless is much safer.

Regarding your password manager argument, I use a password manager and it’s a pain on mobile. I have to use my password to sign into it, then copy/paste the password into the form. This takes around a minute. I think getting a one-time email to authenticate the device would be much faster for me.

The only situation where I think passwordless would be considerably slower would be if you always clear your sessions or always surf incognito, which would mean you’d have to reauthenticate every time you visited freeCodeCamp.org.

Passwordless won’t by itself address account duplication. We “solved” that when we restricted signups to just email addresses (as opposed to social auth). I say “solved” in quotation marks because we aren’t getting any new instances of account duplication, but there are a ton in the system and some day we’ll need to figure out a way to merge them.

The reason we’re moving to Passwordless is for convenience (for the 99% of people who don’t use password managers) and for security.

There will be situations where accounts are “orphaned” and the email address associated with them is no longer available.

I suspect we’ll just have to handle those situations on a case-by-case basis.

There’s no way to know how many people will have this issue. I already get a few emails a week from people who want to reset their password, but can’t access the email address their account is associated with. So I imagine we’ll get some multiple of that.

Thank you all for your thoughtful replies to my ranting. My eyes are opened :slight_smile:

I was originally going to suggest two-factor authentication, but it makes life even more complicated. And since all passwords have been purged from production, I guess 2FA is out of the question.

And yes, it’s not that hard to manually add an entry for a passwordless website in LastPass. I was just too used to the Save New Site prompt to remember to do so. Now that I’ve learned my lessons, I should be able to avoid ever forgetting my sign-up email address again.

@QuincyLarson glad to hear that there’s no more account duplication. This proves I’m living in my own bubble. As long as the majority of users are happy I’m all good~

1 Like

This community really is a magical corner of the internet where people passionately assert opposing views and it ends with everyone saying “Thanks for your thoughtful response.” :rainbow: :unicorn: :mage: :star2:

5 Likes

One scenario not mentioned is losing your smartphone. Most people use email on their smartphone. Email access does not require a password once the account has been set up - that is convenient, but also a serious security flaw. The only barrier to entry is the smartphone’s passcode. In other words, if someone steals your smartphone and it isn’t locked (i.e. within, say 5 minutes of having used it which is a normal timeframe before the phone locks), the phone thief can use your email accounts to access email-authenticated accounts. I guess the lesson here is to have a short auto-lock on your smartphone. The fingerprint feature is a big win since you can have it lock as soon as it’s turned off and not be annoyed with having to deal with frequent passcode access.

2 Likes

That’s just as much of a problem with password-based authentication, though. It only takes a couple of clicks to issue a password reset, which then gets sent to that same email account.

The difference is that the password-based authentication has an additional security flaw, namely that any leaked passwords often give access to accounts on other services (as people use the same password across multiple sites). And the consequences of that would be much more severe than losing your fCC progress.

2 Likes

Use quantum encryption.

Not really sure what it is, but I have heard of people saying it’s a good way.

Definitely not a fan of the password-less authentication. :frowning:

1 Like

[redacted because people will think I speak for FCC instead of for myself]

I requested an OTP. The mail with the OTP didn’t appear in my mailbox right away. It might be a connection issue. By the time it had appeared, the OTP had expired! :no_mouth:

My opinion: Involving email is a bit of an overhead. Creating an account and resetting a password are not frequent occurrences, and email issues can be tolerated. But ‘Log In’ is very frequent.
I just hope there is a better way!

I believe that you can now log in something like 6 different ways.

1 Like

**Improvement #9: Enhanced security with passwordless sign-in**

Passwords are a pain to remember. And they’re also a huge security risk. More and more websites are getting rid of passwords completely. And freeCodeCamp is one of them.

Now when you sign in, we’ll email you a link you can click that will immediately sign you in to freeCodeCamp.

It is not a link you can click. It is copy/pasting a short code. I have unique passwords on all sites. I have never linked other sites so I can sign in via other social media or even GitHub, i.e. federated methods.

These comments need some clarification:
“gmail” app to “gmail” server may be secure, but every mail relay hop must be secure for this to be secure communication. Yes, it is true a subset of email is secure email (if the mail provider is doing that) within a mail provider (intra) domain, like gmail to gmail, or apple to apple sender and receiver. The transfer from the freecodecamp mail server to the gmail/apple/whatever server MAY NOT be secured with encryption. As already mentioned, if you use another mail domain there is no guarantee all the mail hops exchange encrypted traffic. Inter-domain email, e.g. example.com to gmail.com, MAY NOT be secured. Email is not secure ALL the time.

HTTPS is for secure message/password exchange. This passwordless implementation is not secure ALL the time. Your passwordless login method is not secure for everyone. This is less security not “Enhanced Security” when compared to a site supporting traditional email/passwords and using the best practice security.

Federated logins can reduce your privacy, so I would not use them. That is a personal choice and a risk I chose not to take with federated Identity.

1 Like

I’m guessing that you didn’t bother to read the full thread or check the available login methods. In the 9 months since this conversation, FCC now supports several methods of logging in. These include, but are not limited to, passwordless authentication.

@SunRay, what do you think about creating a pseudonymous GitHub account and using a different browser from your other GitHub accounts to sign into fCC? Or using TOR? That way, you can have the login security that GitHub provides with minimal impacts to privacy.

Or, what about creating a new email account solely for fCC?

I do agree that in the case of fCC, password-less login can create privacy and security issues for users who don’t trust email, Google, or Facebook.

Would adding an option for two-factor authentication help?

In thinking about what an attacker might do after gaining access to one’s fCC account, would having the option to import/export one’s account help?

Assuming that these changes are not implemented, we’re left with current login options, and you don’t like my suggestions, can you suggest some ways that users can make the fCC login process more secure?

Yes, these are other options; your first suggestions are more complex and difficult options in my opinion. Here is my point: “passwordless login” AND sending codes over email is an insecure channel (see my earlier explanation), so that is not better than traditional login/password. Promoting the current fCC “passwordless login” as better than traditional login/password is simply wrong. How many banks use “passwordless login”? Surely that should tell you something important. Therefore login/password + best security practices + regular security checks needs to be an option.

OK, if people are fine with “passwordless login”, just acknowledge it currently cannot be called secure, and that’s your choice, but how about giving me the choice of login/password, which is secure. Nothing is 100% secure, but the current “passwordless login” is in my opinion fake security.

On the subject of the “import/export” feature, considering the EU General Data Protection Regulation (GDPR) you will need that regardless of this topic, the passwordless login vs login/password discussion.

On the subject of supporting an authenticator app (and I do not mean SMS text 2FA), that option is good. Replacing emails with, for example, the Microsoft Authenticator app would make it better than just a login/password solution.