loading...

[Dev Discussion] Passwordless login?

diiaablo95 profile image Antonio ・1 min read

Hello guys! Just a question that popped out of my mind. If hackers usually target email/passwords that would grant them access to a specific service, why not use email + a short-lived credential like a OTP (e.g., the ones generated by an authenticator app)? Wouldn't that be far more secure since the window of attack is considerably reduced? I know that probably that would suck from a usability point of view.

Discussion

markdown guide
 

Notion does this, they send you a OTP via email.

The issue with that is that if your email is ever compromised, Notion will be too.

I'd rather have a password and 2FA or as DEV does, delegate security to an OAuth provider.

 

Dev does this with Twitter and GitHub which makes it easier for devs to not think about a password.

 

Yes I know that, and indeed it sounds amazing. But then the matter is shifted onto GitHub and Twitter, which do require passwords.

 

I agree. But there will still be a root to an account which requires a password, hence in my opinion won't be possible.

Why does it have to be like that? Why a password at all? Authenticator can offer a similar service.

It all started in the Ancient Times where you should check this link on Wikipedia about it. lol

 

I've been eager to see places adopt SQRL. It looks pretty cool and is designed to solve this kind of problem.