Let’s Deprecate the Password: Email-only Authentication

Scott Motte
November 11, 2013
Best Practices, Product, Technical

Passwords suck. They are hard to remember. The average person re-uses the same password across the majority of their accounts. Can you blame them? It’s easier, and people have lives to live – not passwords to manage. It’s mainly the technorati that use tools like LastPass or 1Password.

Passwords also tend to never expire. It is rare that a site requires you to change your password – and it’s discouragingly user-unfriendly when they do.

What if we could remove the password? That would solve the above problems. Let’s try.

Introducing Handshake.js

I’ve built a solution called Handshake.js that is an attempt at this. It is open source.

It works like this. First, you place a small script tag into your application where you want the login form. Second, when a user visits your site, they enter their email and receive a short authcode by email. Third, the user types in the authcode to gain access to your site.

That’s it. No passwords – just a temporary authcode. Authcodes expire after 2 minutes.

It’s also easier for a developer to set up than standard authentication. For the most up-to-date guide on using handshake.js as a developer, check out the README. Following is a video showing full implementation and functionality in under 3 minutes.

Video Demo

The advantages

With less code than most standard authentication systems you have a ‘password-less’ authentication system. The advantages of this approach are:

No password to remember.
Zero chance of re-using the same password.
No crusty unexpired passwords.

As a bonus, when on your phone you don’t have to type out a lengthy password.

Next steps

The project is still young, with plans to expand its feature set. Send bug reports and pull requests here to help grow this project.
While handshake.js is the core of the project, the handshake.js server, handshake signup form, and handshake example ruby app are also open source. The next step is likely to add a text message delivery mechanism for the authcode as an alternative to email.