Medium launches password-less sign ins: good or bad? - gHacks Tech News

The publishing platform Medium announced today that it has improved sign-up options for users of its service.

It added an option to sign up via email, in addition to the existing options to sign up using a Facebook or Twitter account.

Instead of linking a Twitter or Facebook account to the Medium account, it is now possible to use any email address to sign up and create an account.

While this should have been an option from the start in my opinion, it is not really that newsworthy despite Medium's popularity.

The implementation on the other hand is, and that is why you are reading this article right now.

Medium made the decision to do away with passwords on the service and rely solely on the email address used to sign up instead.

To sign up, you simply enter the email address, get a verification email, follow the link posted in it, enter your name, pick a username and you are done.

Sign-ins work exactly the same way. You click on the sign in link on the Medium website, enter your email address, get an email with a link, follow it and are signed in.

You don't create a password during account creation, nor do you enter one anywhere on the site. The whole account and login process is linked solely to the email account you selected during sign-up.

Why did Medium implement the system?

According to the company, its way of letting users sign in is more secure than using passwords. First, it is very similar to the "forgot password" option that most web services support, which uses email to create a new password in case users cannot sign in with the old one anymore.

Second, it prevents users from using the same password on multiple sites. That in turn stops attackers from gaining access to accounts by trying email and password combinations they got hold of on other popular sites, which works because part of the Internet community reuses passwords a lot.

Lastly, the sign-in link is set to expire after 15 minutes and is valid for one use only.

Is it really more secure / convenient?

It depends on the perspective. Email is probably not the best way of sending those links. While they expire quickly, they are transferred as plain text, which means that anyone listening in can intercept them to gain access to the account.

While the process is indeed identical to the "forgot password" option, it is used frequently, whereas the forgot-password option usually is not.

For a user who picks secure unique passwords for each service, and uses additional security measures such as two-step verification whenever possible, it is fair to say that this is not more secure.

For the average user on the other hand it may be.

As far as convenience is concerned, it too depends on the user. If you tend to forget passwords a lot, or have to sign in from all kinds of places without using a password manager, then you may benefit from this.

For a user who does not, it seems inconvenient to check emails each time you want to sign in to Medium, and that is not even considering spam flags and other issues, for instance email provider issues that prevent access to the account for a period of time.

Last but not least, it means that your data is not protected by a password that only you know. It is unclear how Medium protects user data on its servers, and it may not be a big issue for the service considering what it offers.

Now You: What's your take on the new sign-in method?


    Comments

    1. Andrew said on July 2, 2015 at 7:53 pm

      On one hand I like it because it’s one last password to remember, you don’t have to worry about maintaining the password and having to do the whole password reset process. On the other hand, you make a lot of good points, and I don’t think a lot of people really protect their email address as much as they should.

    2. Chad said on July 2, 2015 at 8:25 pm

      As an option it’s fine, but I wouldn’t use it. It seems less convenient than a password to me, especially when a password manager can auto populate, or even sign-in, for you.

      1. batman said on July 3, 2015 at 11:47 am

        I agree, as an option it’s fine as it’s really nothing but a faster/slim version password reset. So I wouldn’t call it a replacement of user/pass.
        Though I wouldn’t use it.

    3. Bobby Phoenix said on July 2, 2015 at 10:03 pm

      Seems like a lot more work, plus it will still be another password to remember (or have in a manager) since I would use a new email account specifically for this, and that email would have its own password. I try not to use the same email for sign ins like this.

    4. Danielaa said on July 3, 2015 at 4:32 am

      Now this is a very, very bad idea.

    5. jinalbert said on July 3, 2015 at 6:55 am

      I like it. Now if only all other sites would do the same. Then you just need to have your email open.

    6. David Bradley said on July 3, 2015 at 10:35 am

      You can use this method with any site that sends you a one-time login when you ask for a password reset, saves you ever having to remember or store a password for it as long as you maintain access to the email account you use.

      dB

      1. Daniela said on July 3, 2015 at 11:44 am

        What if the person doesn’t have access to the email account anymore? How will he log in?
        Like, I have deleted one of my email accounts, then I signed in to the services that I use, and deleted these accounts 1-by-1. It would be impossible if I needed to open any email to log in.

    7. kalmly said on July 3, 2015 at 3:35 pm

      Like everything else of late: ever more clicks to get you where you are going when it used to take only one.

      I just use a password manager that is stored on my system. One click and I’m in.
