Medium launches password-less sign ins: good or bad?
The publishing platform Medium announced today that it has improved the sign-up options for users of its service.
It added an option to sign up via email, in addition to the existing options to sign up with a Facebook or Twitter account.
Instead of linking a Twitter or Facebook account to the Medium account, it is now possible to use any email address to sign up and create an account.
While this should have been an option from the start in my opinion, it is not really that newsworthy despite Medium's popularity.
The implementation on the other hand is, and that is why you are reading this article right now.
Medium made the decision to do away with passwords on the service and to rely solely on the email address used to sign up.
To sign up, you enter your email address, receive a verification email, follow the link in it, enter your name, pick a username, and you are done.
Sign-ins work exactly the same way. You click the sign-in link on the Medium website, enter your email address, receive an email with a link, follow it, and you are signed in.
You never create a password during account creation, nor do you enter one anywhere on the site. The whole account and its login process are tied solely to the email account you selected during sign-up.
Why did Medium implement the system?
According to the company, its way of letting users sign in is more secure than using passwords. First, it is very similar to the "forgot password" option that most web services support, which emails users a link to set a new password when they can no longer sign in with the old one.
Second, it prevents users from reusing the same password on multiple sites, and it prevents attackers from gaining access to accounts by trying email and password combinations obtained from breaches of other popular sites, since a part of the Internet community reuses passwords heavily.
Lastly, each sign-in link expires after 15 minutes and can be used only once.
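To make the two properties Medium describes concrete, here is an added example (not Medium's code) of a minimal magic-link issuer and verifier: links expire after 15 minutes and are consumed on first use, and the server stores only a hash of the token so that a leaked token table cannot be turned into working sign-in links. The host name and URL layout are placeholders.

```python
# Added example, not Medium's implementation: one-time e-mail sign-in links with
# a 15-minute lifetime and single use, as the article describes.
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 15 * 60  # 15 minutes, matching the expiry described in the article


class MagicLinkService:
    def __init__(self, clock=time.time):
        self._clock = clock        # injectable clock so expiry can be tested deterministically
        self._pending = {}         # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        # Only the hash is stored; a database leak yields nothing usable.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh one-time token for `email` and return the link to e-mail."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, self._clock() + LINK_TTL_SECONDS)
        return f"https://example.invalid/signin?token={token}"   # placeholder host

    def redeem(self, token: str):
        """Return the e-mail for a valid, unexpired, unused token; otherwise None."""
        # pop() removes the record, so a second visit with the same link fails.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None                      # expired: discarded, never honoured
        return email


def token_from_link(link: str) -> str:
    """Extract the token query parameter from a link produced by issue()."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.issue("reader@example.com")   # constructed sample address
    tok = token_from_link(link)
    print(svc.redeem(tok))    # first use succeeds
    print(svc.redeem(tok))    # second use of the same link is rejected
```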
Is it really more secure / convenient?
It depends on the perspective. Email is probably not the best way of delivering those links. While they expire quickly, they are transferred as plain text, which means that anyone listening in on the connection can intercept a link and gain access to the account.
While the process is indeed identical to the "forgot password" option, there is one difference: sign-in links are sent every time you sign in, whereas password resets are used only occasionally.
For a user who picks secure, unique passwords for each service and uses additional measures such as two-step verification whenever possible, it is fair to say that this is not more secure.
For the average user, on the other hand, it may be.
As far as convenience is concerned, that too depends on the user. If you tend to forget passwords a lot, or have to sign in from all kinds of places without using a password manager, then you may benefit from this.
For a user who does not, it seems inconvenient to check email each time you want to sign in to Medium, and that is not even considering spam filtering and other problems, such as an outage at the email provider that blocks access to the account for a period of time.
Last but not least, it means that your data is not protected by a password that only you know. It is unclear how Medium protects user data on its servers, though this may not be a big issue for the service considering what it offers.
Now You: What's your take on the new sign-in method?
On one hand I like it because it’s one less password to remember; you don’t have to worry about maintaining the password and having to do the whole password reset process. On the other hand, you make a lot of good points, and I don’t think a lot of people really protect their email address as much as they should.
As an option it’s fine, but I wouldn’t use it. It seems less convenient than a password to me, especially when a password manager can auto populate, or even sign-in, for you.
I agree, as an option it’s fine, as it’s really nothing but a faster/slim version of a password reset. So I wouldn’t call it a replacement for user/pass.
Though I wouldn’t use it.
Seems like a lot more work, plus it will still be another password to remember (or have in a manager), since I would use a new email account specifically for this, and that email would have its own password. I try not to use the same email for sign-ins like this.
Now this is a very, very bad idea.
I like it. Now if only all other sites would do the same. Then you just need to have your email open.
You can use this method with any site that sends you a one-time login when you ask for a password reset. It saves you ever having to remember or store a password for it, as long as you maintain access to the email account you use.
What if the person doesn’t have access to the email account anymore? How will he log in?
Like, I have deleted one of my email accounts, then I signed in to the services that I use, and deleted those accounts one by one. It would be impossible if I needed to open an email to log in.
Like everything else of late: ever more clicks to get you where you are going when it used to take only one.
I just use a password manager that is stored on my system. One click and I’m in.
Skipping back and forth between email and the browser is a pain in the ass, but using a third party login via noted scoundrels like Facebook and Google, who can presumably then track our reading and writing preferences, is insidious. Do I really need Facebook documenting more personal information, which they then can sell to the highest bidder? I have a hard time thinking that there is anything more to this than commerce–and maximizing profits at the expense of user privacy.