Let’s Deprecate the Password: Email-only Authentication


Passwords suck. They are hard to remember.

The average person re-uses the same password across the majority of their accounts. Can you blame them? It’s easier, and people have lives to live – not passwords to manage. It’s mainly the technorati that use tools like LastPass or 1Password.

Passwords also tend to never expire. It is rare that a site requires you to change your password – and it is discouragingly user-unfriendly when one does.

What if we could remove the password? That would solve the above problems. Let’s try.


Introducing Handshake.js

I’ve built a solution called Handshake.js that is an attempt at this. It is open source.

It works like this.

First, you place a small script tag into your application where you want the login form.

<script type="text/javascript" src="/path/to/handshake.js" data-app_name="your_app_name" data-root_url="https://handshakejs.herokuapp.com"></script>

Second, when a user visits your site, they enter their email and receive a short authcode by email.


Third, the user types in the authcode to gain access to your site.


That’s it. No passwords – just a temporary authcode. Authcodes expire after 2 minutes. It is also easier for a developer to set up than standard authentication. For the most up-to-date guide on using handshake.js as a developer, check out the README.

The following video shows a full implementation and its functionality in under 3 minutes.

Video Demo

The advantages

With less code than most standard authentication systems, you have a ‘password-less’ authentication system.

The advantages of this approach are:

  1. No password to remember.
  2. Zero chance of re-using the same password.
  3. No crusty, never-expiring passwords.
  4. As a bonus, when on your phone you don’t have to type out a lengthy password.

Next steps

The project is still young, with plans to expand its feature set. Send bug reports and pull requests here to help grow this project. While handshake.js is the core of the project, the handshake.js server, handshake signup form, and handshake example ruby app are also open source.

The next step is likely to add a text message delivery mechanism for the authcode as an alternative to email.


Hacker in LA. I believe the future is bright. It's up to us to build it - as programmers we get a big say. Follow me on twitter @motdotla.
