8 responses

  1. Anders wrote on :

    The main problem is not the password. It is that Webmaker requires an account at all. Why would I need an account for “a web that’s open”? It seems not to benefit the user, but only the Webmaker creators (for statistics, conversions, tracking, spamming, false sense of security), and it hurts the mission (since the snippet experiment clearly showed that users like getting started right away and are turned away by sign-up forms). If the user later wants to save some sort of progress, use bookmarkable URLs and teach them about those; it will benefit them on other sites (e.g. Google Maps and JS Bin), and you could also allow the user to mail the link to themselves.
    The current site shows a signup button front and center before any benefit to the user has been demonstrated or described.
    For password-less signups see e.g. doodle.com and the comment form on many blogs.

  2. Scott Motte wrote on :

    Love that you guys are doing this. I want to see more developers doing so. I’m actively open-sourcing an approach for developers called Handshake.js [1]
    [1] https://github.com/handshakejs
    [2] https://vimeo.com/90883185

  3. Sitaram Chamarty wrote on :

    Nice, I especially like the temp key that can be hand copied to a different computer. I also appreciate your (direct and linked) digs at OAuth. I never did like that scheme — far too complex for what most people normally use it for.
    Could you please put in a few warnings that your primary email must be really, really secure? You’re advocating a scheme that beats all known password managers in the “all eggs in one basket” sense, if — as I am assuming — most people’s email is really webmail. How secure is your *email* password? Do you stay logged on to the webmail while browsing other sites? Do you access it on a mobile that stays logged on? All of these activities are scary as hell; there are so many web-based attacks on cookies, XSS, frame or tab grabbing, phishing, and so on.
    I would also NOT recommend this for bank, credit card, and such passwords. That’s *SERIOUS*, and it deserves a strong password. (It’s OK to write down a couple of hints/reminders of that password on a piece of paper in your wallet if needed. After all, most of the danger for passwords today is remote.)

  4. Anil wrote on :

    The problem which you were solving I have also encountered many times. However, I wonder what happens if someone hacks my email: then he can access everything, though you have another option to integrate too, i.e. text messages. I don’t know how secure it’ll be. This just came to mind while reading the solution. I hope you guys have thought it through at a broad level and have better ideas to deal with such situations.

  5. 27escape wrote on :

    This is a great solution; however, it’s not perfect.
    Here is an example from real life.
    I was in Madagascar and my phone was not working. I needed to send an email to friends/family to let them know I was OK. If my email provider would only log in to their service using this system, then I would not be able to log in, as they would not be able to send me an email or an SMS; I would have to use a normal password.
    This system, or a two-factor scheme promoted by others, does depend on the presence of another route. If that route is not available, then it has to fall back onto the old method, which will continue to be vulnerable.

  6. Stefan wrote on :

    Can you wrap the one-time login email URLs with Virtru.com?

  7. Nitor wrote on :

    Basically, this is shifting the burden of authenticating users from the people providing the service to the people who provide the specific E-mail service the end-user is utilizing. Props. No need to have a hashed and salted database yourself, let’s just make the competitors store that information for us so we can use it. Smooth.

  8. Daniel Gaviria wrote on :

    YES! Other designers and developers, please use and push this concept.
    I hope the news gets hold of this implementation and advocates it; they should, given all the attention they gave to recent “password hacks” and online account security.