DEV Community


[Dev Discussion] Passwordless login?

Antonio (diiaablo95) ・1 min read

Hello guys! Just a question that popped into my mind. If hackers usually target email/passwords that would grant them access to a specific service, why not use email + a short-lived credential like an OTP (e.g., the ones generated by an authenticator app)? Wouldn't that be far more secure since the window of attack is considerably reduced? I know that would probably suck from a usability point of view.

Discussion (8)

rhymes

Notion does this; they send you an OTP via email.

The issue with that is that if your email is ever compromised, Notion will be too.

I'd rather have a password and 2FA or, as DEV does, delegate security to an OAuth provider.

Vicente G. Reyes

DEV does this with Twitter and GitHub, which makes it easier for devs to not think about a password.

Antonio Author

Yes, I know that, and indeed it sounds amazing. But then the matter is shifted onto GitHub and Twitter, which do require passwords.

Vicente G. Reyes

I agree. But there will still be a root to an account which requires a password, hence in my opinion it won't be possible.

Antonio Author

Why does it have to be like that? Why a password at all? Authenticator can offer a similar service.

Vicente G. Reyes

It all started in the Ancient Times where you should check this link on Wikipedia about it. lol

Yozen Hernandez

I've been eager to see places adopt SQRL. It looks pretty cool and is designed to solve this kind of problem.

Antonio Author

This sounds dope!