[Rant] The case against password-less authentication


#1

First of all, I fully understand the rationale behind the team’s decision to go password-less for the beta, and I don’t expect anything to change because of this post. Nevertheless, I’d like to express my displeasure with the increasingly popular password-less authentication. Please feel free to ignore, disagree, or comment. I could be totally wrong, or just a loud minority :man_shrugging:

Password-less is not more secure

Password-less !== secret-less. Even though password-less authentication eliminates the entering and storing of passwords, it still relies on a secret being emailed around to authenticate the user—the sign-in link.

Sure, it expires after 15 minutes. But anyone who gets a hold of that link before it expires basically has full access to the user’s account. And emails are completely insecure by default. Here is one scenario where things can go wrong:

Hacker Alice is casually capturing packets using Wireshark in a cafe’s open Wi-Fi network. Camper Bob also joins the network and requests a sign-in link from freeCodeCamp. He has recently claimed his frontend certificate and is going to a job interview in an hour. Unbeknownst to him, his ISP-provided webmail is unencrypted. So his email credentials along with freeCodeCamp sign-in link are all transmitted in plaintext. While Bob is busy Googling interview strategies, Alice notices her “catch”. Just for kicks, she visits Bob’s freeCodeCamp sign-in link before he can, and deletes his entire account.

OK, there are a lot of if’s for something like this to happen, but you know what Murphy’s Law says…

Password-less does not solve the account duplication issue

Simply put, what if the user has multiple email addresses and forgets which one was used to sign up? This actually happened to me.

When Medium first came out, I signed up for an account, played around with it, and then forgot about it. Later, freeCodeCamp adopted Medium as the publishing platform of choice. Remembering my Medium account, I attempted to sign back in.

I tried all three of my frequently used email addresses (I have accumulated over a dozen of those over the years), but each time Medium created a new account for me. Frustrated, I signed in using Twitter OAuth instead. To this day, I am still unable to recover my preferred Medium username (https://medium.com/@leonfeng).

Password-less is a PITA for users of password managers

I use LastPass to manage my passwords. Typically, LastPass will prompt me to save a new site right after I create a new account. With password-less, I get no prompt because there is no password field.

The password-less authentication flow is also extremely slow in comparison. With password-ful websites, even if you disable autofill, it’s usually one or two clicks and you’re in. No need to fire up your email client or another browser tab (both are slow if you have an old laptop like me).

End of rant. Just to reiterate, I understand the issues with password-ful authentication and OAuth. I just don’t think password-less à la Medium solves any of those issues.

There is, however, a different password-less and secret-less authentication method called SQRL. It has been under active development for a few years now and is almost ready for prime time. Maybe it’s of interest to the freeCodeCamp team?

My apologies if this has been brought up before. I didn’t find a similar discussion anywhere. Peace~
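A minimal sketch of the sign-in-link mechanism the post describes, added here as an example; it is not code from freeCodeCamp or Medium, and the store class, its names and the 15-minute TTL are assumptions for illustration. It shows why the link is a bearer secret (whoever redeems it first is signed in) and the two controls usually paired with it: single use and a short expiry, with only a hash of the token kept at rest.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # the 15-minute expiry mentioned in the post (assumed)


class MagicLinkStore:
    """Issues and redeems single-use sign-in tokens (constructed example)."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be tested
        self._pending = {}              # token_hash -> (email, expires_at)

    @staticmethod
    def _hash(token: str) -> str:
        # Keep only a hash server-side: a leaked table does not yield live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        # 256 bits from the OS CSPRNG; this string becomes the secret in the link.
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the email on success; None if unknown, expired or already used."""
        # pop() makes the token single-use: a second presentation finds nothing,
        # so a legitimate user whose link was used by someone else gets a failure
        # instead of silently sharing the session.
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email
```

The controls limit the window, but they cannot tell who clicked the link: anyone who can read the email inside the TTL is indistinguishable from the account owner, which is the point the post makes.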


#2

Here is @QuincyLarson’s article about going password-less: 360 million reasons to destroy all passwords.

Naturally you’re not required to agree with all the reasoning.

Going password-less was not (to my knowledge) an effort to address the account duplication. Just to add some clarity, the account duplication that users experienced was due to supporting multiple OAuth methods. In this case, users would create duplicate accounts by attempting to sign in with a different method but since both were connected to the same email address, they believed that their accounts had been deleted. Not being able to remember which email address someone signed up with is not related to the password-less login one way or the other.

I also use password managers, but I don’t really see a big problem here. Free Code Camp will require you to authenticate every time that you sign in with a new device. Unless you are frequently using new devices or purging your browser’s local storage, you should be fine. Your password manager can still help you remember what email address you signed up with.


#3

The only issue I see with password-less authentication is if an email address you used to control is no longer yours. This has actually happened to me. At one point I owned over 25 domains and had various email addresses associated with many of them. As time went on I started to not renew the domains and each time had to remember everywhere I had used the old email address and log into an app/website to update to a new email address.

If I had signed up for an account on a website that used to use normal authentication methods and then no longer had access to my old email address, because I let that domain expire, I run into trouble when I go to sign in with a password-less email authentication, because an email gets sent to an account that I no longer own. If someone were to have bought my old domain and added a catch-all email address for the domain, this other person would now have access to my account.

As long as there is a way to have an admin manually update my account to a new email address, then there is no issue. Many times, there is no such ability, because most systems are automated.


#4

Hi @leonfeng, because virtually every service uses email-based password reset, passwords are essentially meaningless. They add a ton of vulnerability (passwords can be guessed or cracked) without adding any real security.

Even if you have the best password on earth, there will still be an email recovery option, so all of those issues with SMTP mentioned in the article don’t seem to be relevant here.

Your packet capturing situation is relevant, and having to use email auth to sign in to a new device marginally increases the likelihood of interception. A majority of people use either Gmail or an Apple mail app, both of which encrypt emails in transit. The “at rest” risk would imply either you’ve compromised the mail server or you’re a government powerful enough to force companies to hand over your email.

So balance that tiny increase in risk against the massive risk associated with people using bad passwords, and I think you’ll agree that passwordless is much safer.

Regarding your password manager argument, I use a password manager and it’s a pain on mobile. I have to use my password to sign into it, then copy/paste the password into the form. This takes around a minute. I think getting a one-time email to authenticate the device would be much faster for me.

The only situation where I think passwordless would be considerably slower would be if you always clear your sessions or always surf incognito, which would mean you’d have to reauthenticate every time you visited freeCodeCamp.org.


#5

Passwordless won’t by itself address account duplication. We “solved” that when we restricted signups to just email addresses (as opposed to social auth). I say “solved” in quotation marks because we aren’t getting any new instances of account duplication, but there are a ton in the system and some day we’ll need to figure out a way to merge them.

The reason we’re moving to Passwordless is for convenience (for the 99% of people who don’t use password managers) and for security.


#6

There will be situations where accounts are “orphaned” and the email address associated with them is no longer available.

I suspect we’ll just have to handle those situations on a case-by-case basis.

There’s no way to know how many people will have this issue. I already get a few emails a week from people who want to reset their password, but can’t access the email address their account is associated with. So I imagine we’ll get some multiple of that.


#7

Thank you all for your thoughtful replies to my ranting. My eyes are opened :slight_smile:

I was originally going to suggest two-factor authentication, but it makes life even more complicated. And since all passwords have been purged from production, I guess 2FA is out of the question.

And yes, it’s not that hard to manually add an entry for a passwordless website in LastPass. I was just too used to the Save New Site prompt to remember to do so. Now that I’ve learned my lessons, I should be able to avoid ever forgetting my sign-up email address again.

@QuincyLarson glad to hear that there’s no more account duplication. This proves I’m living in my own bubble. As long as the majority of users are happy I’m all good~


#8

This community really is a magical corner of the internet where people passionately assert opposing views and it ends with everyone saying “Thanks for your thoughtful response.” :rainbow: :unicorn: :mage: :star2:


#9

One scenario not mentioned is losing your smartphone. Most people use email on their smartphone. Email access does not require a password once the account has been set up - that is convenient, but also a serious security flaw. The only barrier to entry is the smartphone’s passcode. In other words, if someone steals your smartphone and it isn’t locked (i.e. within, say 5 minutes of having used it which is a normal timeframe before the phone locks), the phone thief can use your email accounts to access email-authenticated accounts. I guess the lesson here is to have a short auto-lock on your smartphone. The fingerprint feature is a big win since you can have it lock as soon as it’s turned off and not be annoyed with having to deal with frequent passcode access.


#10

That’s just as much of a problem with password-based authentication, though. It only takes a couple of clicks to issue a password reset, which then gets sent to that same email account.

The difference is that the password-based authentication has an additional security flaw, namely that any leaked passwords often give access to accounts on other services (as people use the same password across multiple sites). And the consequences of that would be much more severe than losing your fCC progress.


#11

Use quantum encryption.

Not really sure what it is, but I have heard of people saying it’s a good way.


#12

Definitely not a fan of the password-less authentication. :frowning:


#13

[redacted because people will think I speak for FCC instead of for myself]


#14

I requested an OTP. The mail with the OTP didn’t appear in my mailbox right away. It might be a connection issue. By the time it had appeared, the OTP had expired! :no_mouth:

My opinion: Involving email is a bit of an overhead. Creating an account or resetting a password are not frequent occurrences and email issues can be tolerated. But ‘Log In’ is very frequent.
I just hope there is a better way!


#15

I believe that you can now log in something like 6 different ways.


#16

**Improvement #9: Enhanced security with passwordless sign-in**

Passwords are a pain to remember. And they’re also a huge security risk. More and more websites are getting rid of passwords completely. And freeCodeCamp is one of them.

Now when you sign in, we’ll email you a link you can click that will immediately sign you in to freeCodeCamp.

It is not a link you can click. It is copy/pasting a shortcode. I have unique passwords on all sites. I have never linked via other social media or GitHub federated methods.

These comments need some clarification:
“gmail” app to “gmail” server may be secure, but every mail relay hop must be secure for this to be secure communication. Yes, it is true that a subset of email is secure email (if the mail provider is doing that) within a mail provider (intra) domain, like gmail to gmail, or apple to apple sender and receiver. The transfer from the freecodecamp mail server to the gmail/apple/whatever server MAY NOT be secured with encryption. As already mentioned, if you use another mail domain there is no guarantee all the mail hops exchange encrypted traffic. Inter-domain email, e.g. example.com to gmail.com, MAY NOT be secured. Email is not secure ALL the time.

HTTPS is for secure message/password exchange. This passwordless implementation is not secure ALL the time. Your passwordless login method is not secure for everyone. This is less security not “Enhanced Security” when compared to a site supporting traditional email/passwords and using the best practice security.

Federated logins can reduce your privacy, so I would not use them. That is a personal choice and a risk I chose not to take with federated identity.


#17

I’m guessing that you didn’t bother to read the full thread or check the available login methods. In the 9 months since this conversation, FCC now supports several methods of logging in. These include, but are not limited to, passwordless authentication.


#18

@SunRay, what do you think about creating a pseudonymous GitHub account and using a different browser from your other GitHub accounts to sign into fCC? Or using TOR? That way, you can have the login security that GitHub provides with minimal impacts to privacy.

Or, what about creating a new email account solely for fCC?

I do agree that in the case of fCC, password-less login can create privacy and security issues for users who don’t trust email, Google, or Facebook.

Would adding an option for two-factor authentication help?

In thinking about what an attacker might do after gaining access to one’s fCC account, would having the option to import/export one’s account help?

Assuming that these changes are not implemented, that we’re left with the current login options, and that you don’t like my suggestions, can you suggest some ways that users can make the fCC login process more secure?