Login without password most secure | Wait.. what?

(Available as freelancer)

Joris Snoek

Business Consultant
/ Drupal Developer

Never having to remember your Drupal passwords again, how great would that be? It appears the working without passwords even is the most secure option. But how is that possible?

Lately I have been experimenting with Medium: a great blog platform with built in social functionalities. We might have even migrated our blog, because I was reading a lot of positive stories about it. Eventually we decided against migrating.

Anyway, that wasn’t the subject for this blog. What I noticed about Medium: you can’t manage a password anywhere. Logging in and registering via email goes as follows:

I recognise this from all Drupal systems we are managing: for security reasons we never register any of their passwords. So when we log in, we are never doing this through a password, but with a one-time login-link, just like Medium.

You will remain logged in for a few days, and as long as you remain active, you won’t have to ask for the login link every time.

Wake up

I told this to several people and their first reaction usually is: huh? But what if someone has access to your email? This allows that person to login? Wake up: if someone has hacked your email, he can log in to anything. Into all your accounts and into all your systems. Because all internet services work with a ‘forgot password’ function which sends a one-time login-link to your email, allowing you to change your password.

Authentication: serious business

All internet platforms want to make their login process as secure and as simple as possible, from all devices imaginable. But they are hard to remember, sometimes guessable and a lot of people re-use the same (even though they shouldn’t). They are also hard to type in on your smartphone, especially if you are required to use special characters – it’s so annoying to type those!

Wake up 2: without passwords it’s more secure

It goes against your gut feeling, but a system without passwords is more secure than one with passwords. As soon as someone hacks your password, that someone has access to said website until you change your password, usually never. It could be that you never notice that you were hacked and someone gained access to your account.

If you use an email-only-system, the following points should be taken into account:

• Have the login-link expire quickly: after 15 minutes already.
• Make sure the login-link can only be used once.
• Send a notification email if someone tries to log in from an unusual position (browser or physically).

Drupal can facilitate all of those.

Shifting security

If your website works without passwords, it means that you are shifting the security aspect to the email provider and it may look like you are an easy breeder. But security at email providers should be high top utmost priority number one anyway.

Your website login is as secure as the users’ email provider.

Getting new users easier

Another marketing advantage: at email only login, registration is as easy as logging in itself. This lowers the threshold to start; not having to come up with a username and password anymore.

Password frustrations

By working without passwords you will also get rid of the following frustrations:

• Entering it on a smartphone: ever tried to type in a password on a smartphone? Especially with special characters…simply hell!
• Brute force attacks: mature systems are protected against brute force attacks with the help of ‘flood control’, which prevents you from logging in after 5 attempts. Necessary to keep everything secure, yet annoying for users, because they have to wait for a while before they can log in once again. It’s just waiting to receive helpdesk calls.
• Password strength meters: these are being used to make sure that people pick strong passwords. But in reality very little users understand them, and are ignored by many.

Two factor authentication

Another good extra function for logging in is the use of Two Factor Authentication. This is an extra security measure, and the two factors are: “something you know” (a password) and “something you have” (usually a smartphone). But it seems that many users won’t enable this on supporting platforms.
It is advisable to protect the login of your email with two factor authentication anyway because

Hacked email = hacker has access to all your systems by one-time-login-link.

Hacked website? No problem

At least.. not in the password context: if you have an email-only login system, it means that no passwords will be saved on the hacked database, and no user passwords are to be found. ¯_(ツ)_/¯

Because many people use one password for all their accounts, if the database contains passwords, a hacker will gain access to a lot places.

A mature website’s database has encrypted and salted passwords, but smart robots will eventually always be able to uncover passwords anyway.

Wrap up

Right, first I’m going to change my email password and enable two-factor authentication. I can’t find any reason anymore to work with passwords on the internet. Just optimally secure your email all the time and go.

Or am I missing something here?