{"id":12401,"date":"2014-10-06T12:47:28","date_gmt":"2014-10-06T16:47:28","guid":{"rendered":"http:\/\/webmakerblog.wpengine.com\/?p=12401"},"modified":"2019-02-26T12:41:08","modified_gmt":"2019-02-26T20:41:08","slug":"one-less-password","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/foundation-archive\/mozilla-learning\/one-less-password\/","title":{"rendered":"One Less Password"},"content":{"rendered":"<p>At Webmaker, we\u2019re experimenting with a method that allows people to log in without a password by using a handshake over email or text message instead. Our goal is to reduce the frustrations that come with password management for our users. We also aim to reduce the security risks that come from weak and stolen passwords.<\/p>\n<p style=\"background:#fff2cc;margin:1em 2em 2em;padding:1em\">Webmaker will launch the new login experience soon. Check back here for updates, or join the discussion on <a href=\"http:\/\/discourse.webmakerprototypes.org\/t\/new-webmaker-login\/904\">Discourse<\/a>.<\/p>\n<p><a href=\"http:\/\/webmakerblog.wpengine.com\/wp-content\/uploads\/2014\/09\/password-requirements-2.gif\"><img decoding=\"async\" loading=\"lazy\" class=\"alignright size-medium wp-image-12415\" src=\"http:\/\/webmakerblog.wpengine.com\/wp-content\/uploads\/2014\/09\/password-requirements-2-252x141.gif\" alt=\"password-requirements-2\" width=\"252\" height=\"141\" \/><\/a> Like many of you, we grew tired of passwords long ago. It\u2019s a challenge to make them strong and a daily hassle to remember them. We often hear news of passwords stolen, even from tech-savvy companies with very sensitive information.<br \/>\nWe wondered \u2013 why do we still use passwords? Aren\u2019t there better ways to log in?<br \/>\nA quick search revealed that a growing number of people ask the same questions. Below, we discuss some of the existing password tools and alternatives, like Lastpass and social sign-on with Facebook. 
We share details on our ideas and our solution to this problem. But first, here\u2019s the short version of where we landed.<\/p>\n<h2>No Passwords to Forget. No Passwords to Steal.<\/h2>\n<p>For Webmaker\u2019s platform, we designed a different login experience. New visitors can join simply by entering their email address and choosing a username. They can immediately explore Webmaker and use the tools, confirming their account later.<br \/>\n<a href=\"http:\/\/webmakerblog.wpengine.com\/wp-content\/uploads\/2014\/09\/check-your-email.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignright wp-image-12414 size-medium\" src=\"http:\/\/webmakerblog.wpengine.com\/wp-content\/uploads\/2014\/09\/check-your-email-252x95.png\" alt=\"check-your-email\" width=\"252\" height=\"95\" \/><\/a><br \/>\nWhen people return to the site later, they log in in two steps. First, they identify themselves with their email address or username. Second, Webmaker reaches out to them with an email that includes a link to log in. If they read this email on a phone but want to log in on a desktop, they can type the short key from the email into the desktop browser instead. No passwords to forget. No passwords to steal.<br \/>\nWe added another nice feature to make Webmaker even easier to use. The login email actually offers two links: \u201cSign in\u201d, which is great for public computers, and \u201cSign in &amp; remember me\u201d, which lets you stay logged in on your home computer or other devices. Because the choice is made in the email, there\u2019s no need to check a box that says \u201ckeep me logged in\u201d once you enter the site.<br \/>\n<img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-12412\" src=\"http:\/\/webmakerblog.wpengine.com\/wp-content\/uploads\/2014\/09\/login-email-2.png\" alt=\"login-email-2\" width=\"593\" height=\"360\" \/><\/p>\n<h2>Lost Password, Found Solution<\/h2>\n<p>We started this work like we start most projects, by asking obvious questions. Why do we log in to sites? What do passwords do for us? 
We found that people log in for two primary reasons: to identify themselves\u00a0and to keep other people and spambots out of their accounts. A password is a portable way to uniquely and secretly say, \u201cHello website, this is really me.\u201d Passwords can do this, but they are not the only way to identify ourselves and prevent other people from pretending to be us.<\/p>\n<blockquote><p>One day Kavita created an account for a new site, knowing she probably wouldn\u2019t return for months. When asked for a password, she mashed her keyboard like a cat playing a piano. A friend next to her stared and stuttered, \u201cBut, how will you get back in?\u201d She replied, \u201cI\u2019ll just reset the password like I do for every other site that I use only a few times a year.\u201d<\/p><\/blockquote>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignright size-medium wp-image-12411\" src=\"http:\/\/webmakerblog.wpengine.com\/wp-content\/uploads\/2014\/09\/forgot-password-252x158.gif\" alt=\"forgot-password\" width=\"252\" height=\"158\" \/> At Webmaker, we considered experiences like Kavita&#8217;s\u00a0and wondered: what if we skipped the password and deliberately used the password recovery process instead? Could we turn it inside out, reduce the clicks, and make this annoying experience a positive one? If so, an answer to broken passwords might be hiding right at the center of the problem.<br \/>\nAs we explored this idea, we quickly learned that <a href=\"https:\/\/medium.com\/@ninjudd\/passwords-are-obsolete-9ed56d483eb\" title=\"Medium: Passwords are Obsolete\">other people<\/a> have <a href=\"http:\/\/notes.xoxco.com\/post\/27999787765\/is-it-time-for-password-less-login\" title=\"xoxco: Is it time for passwordless login?\">written about this<\/a> as well. It seems that a few sites do something similar for mobile users. This solution recycles existing technology and experiences, and just requires some careful design to make it smooth. 
At Webmaker, we decided to push the idea further and make it our primary form of login.<br \/>\nYou can read more about the <a href=\"http:\/\/notebook.ideapublic.org\/2014\/one-less-password\/\">design of the system and the user experience<\/a> in a post by <a href=\"http:\/\/twitter.com\/mw\">Matthew Willse<\/a>.<\/p>\n<h2>Remix for Your Web Service<\/h2>\n<p>Is this secure? The system rearranges existing technology and experiences to help us avoid the weakest links in our security: weak passwords, vulnerable password storage, and passwords that somebody reuses on many sites. We think it is more secure than passwords, the most commonly used current solution. It does not remove trust so much as relocate it: an account is now exactly as safe as the email inbox behind it, which is already the case for any site that offers password recovery by email.<br \/>\nIf designed and documented well, this solution could be useful for other sites as well, removing the burden on people who run web services of keeping passwords secure. This approach reduces the need to maintain code for social sign-on services, and it decreases the exposure of stored passwords. The links and keys emailed to each user are temporary: they expire after a short interval or after repeated attempts to use them, so a link found in an old email or a guessed key does not open the account. You can find a more technical discussion of this in a post by <a href=\"https:\/\/chrisdecairos.ca\/one-time-passwords-pt-2\/\">Chris DeCairos<\/a>.<\/p>\n<h2>Common Alternatives<\/h2>\n<p>Many efforts to make the web more secure make it less friendly to use, proving that technology only provides one part of good security \u2013 savvy design is often better than brute force. For example, some sites require longer and more complex passwords, which increases security only in theory; people will find shortcuts that make things easier for themselves but less secure. They might use familiar words and dates, or repeat passwords across sites. They might keep passwords on their desk, or worse, on their computer\u2019s desktop.<br \/>\nSocial sign-on using Facebook, Google or Twitter offers one alternative for identifying ourselves. 
But while social sign-on offers convenience, it puts our privacy in the hands of a few companies that arguably know too much about us and our life online. Social sign-on can also be inconvenient for people who use public computers at a library or share devices with their family. Nobody wants to log out in order to log in. For site developers, social sign-on can also be a challenge to maintain, as the implementation varies between services and periodically changes.<br \/>\nServices that store and remember your passwords, like Lastpass, are only a partial solution; they can\u2019t help Webmaker or other sites keep the passwords they store safe. And like social sign-on, they can also be difficult for people who use public computers or shared devices.<\/p>\n<h2>Feedback &amp; Next Steps<\/h2>\n<p>Right now we support email. We plan to also support phone numbers and SMS for an easier login experience on mobile phones. We also made passwords optional, smoothly offering a different experience to users based on their preference. We are curious to see which option users prefer, and why they prefer it.<br \/>\nWe will continue to test this system across a range of scenarios and devices and iterate on improvements. We welcome your feedback, ideas, and bug reports. Post your questions in <a href=\"http:\/\/discourse.webmakerprototypes.org\/t\/new-webmaker-login\/904\">Discourse<\/a> or file <a title=\"Comment in Bugzilla\" href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1075145\" target=\"_blank\">bugs in Bugzilla<\/a>. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>At Webmaker, we\u2019re experimenting with a method that allows people to log in without a password by using a handshake over email or text message instead. 
Our goal is to reduce the frustrations that come with password management for our &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/foundation-archive\/mozilla-learning\/one-less-password\/\">Continue reading<\/a><\/p>\n","protected":false},"author":144,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[378228],"tags":[371994,8624,847,69,298],"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/foundation-archive\/wp-json\/wp\/v2\/posts\/12401"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/foundation-archive\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/foundation-archive\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/foundation-archive\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/foundation-archive\/wp-json\/wp\/v2\/comments?post=12401"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/foundation-archive\/wp-json\/wp\/v2\/posts\/12401\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/foundation-archive\/wp-json\/wp\/v2\/media?parent=12401"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/foundation-archive\/wp-json\/wp\/v2\/categories?post=12401"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/foundation-archive\/wp-json\/wp\/v2\/tags?post=12401"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}