We’ve written so often about the limitations of passwords that it would be repetitive to rehearse them once again. Suffice to say that on the modern web — largely because of the way users manage them — passwords alone are not an adequate authentication mechanism.
Medium, a site that makes it easy to publish content, has come up with a novel solution among large-scale websites. They do not allow password logins. Instead they will email a login link to the user. Clicking on the link is sufficient to authenticate. According to the company:
“Authentication is serious business. We wanted to make our sign in process as secure and simple to use as possible, across all platforms. Passwords are neither secure nor simple. They’re hard to remember or easy to guess, everyone re-uses them (even though they know they shouldn’t), and they’re a pain to type on mobile. They don’t even keep you that safe.”
Intuitively, emailing a login link might seem less secure, but it’s actually a bit better than relying on users to securely manage their authentication credentials. The weak link is, of course, the email account. If that is breached, then logins are up for grabs. But if the user’s email account has been breached, they have bigger problems. If attackers have access to the user’s email account, they could simply request a password reset anyway. The login links are time-limited, so they only work within a specific window.
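The properties described above (a link that works only within a time window, and that an attacker cannot forge without the email account) are easy to get wrong, so here is an added illustration of how such a login link can be issued and redeemed. This is example code written for this post, not Medium's implementation: it assumes a 15-minute lifetime, an in-memory dict standing in for the database, and a placeholder host `example.invalid`. It also makes each link single-use and stores only a hash of the token server-side, so a leaked copy of the store contains no usable links.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed for this example: links are valid for 15 minutes and the
# "database" is an in-memory dict keyed by the SHA-256 of the token, so a
# leaked copy of the store does not contain any usable login link.
TOKEN_LIFETIME_SECONDS = 15 * 60
LOGIN_BASE_URL = "https://example.invalid/login"  # placeholder host

_issued: Dict[str, dict] = {}  # sha256(token) -> {"email", "expires", "used"}


def _token_key(token: str) -> str:
    # Only the hash is stored; the raw token exists only in the emailed link.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_login_link(email: str, now: Optional[float] = None) -> str:
    """Create a single-use, time-limited login link to email to the user."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
    _issued[_token_key(token)] = {
        "email": email,
        "expires": now + TOKEN_LIFETIME_SECONDS,
        "used": False,
    }
    return f"{LOGIN_BASE_URL}?token={token}"


def redeem_login_link(url: str, now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Validate a clicked link. Returns (status, email); email is set only on "ok"."""
    now = time.time() if now is None else now
    params = parse_qs(urlparse(url).query)
    token = params.get("token", [""])[0]
    record = _issued.get(_token_key(token))
    if record is None:
        return ("unknown", None)   # never issued, or altered in transit
    if record["used"]:
        return ("used", None)      # replay of an already-consumed link
    if now > record["expires"]:
        return ("expired", None)   # outside the validity window
    record["used"] = True          # consume the link before starting a session
    return ("ok", record["email"])


if __name__ == "__main__":
    link = issue_login_link("alice@example.invalid")
    print("emailed link:", link)
    print(redeem_login_link(link))  # ("ok", "alice@example.invalid")
    print(redeem_login_link(link))  # ("used", None): a second click does nothing
```

The `now` parameter exists so the expiry logic can be tested deterministically; in production it is simply the current time. Because the token is random rather than derived from the email address, there is nothing in the link for an attacker to tamper with usefully: any change turns it into an unknown token.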
For most of its life, Medium has relied on social media logins, which are about as safe as emailing a login link — they depend on the security of the social network. Some users aren’t happy using their social media credentials because they don’t want to link their identity to their Medium posts, because they don’t have a social media presence, or even because they live in an area that doesn’t allow social media. The email login links are a clever way to give users what they want without creating a vulnerable password database.
Of course, Medium could have built its own password database and password authentication system, but that increases the surface area for attacks against Medium and adds complexity to their infrastructure and code.
It’s true that the new system simply kicks the can down the road, depending on the security of other services like social media networks and email accounts, but in most cases the companies offering those services have heavily invested in security and authentication. For a company like Medium, it may not make financial sense to replicate the work of third parties to build an authentication system that would in all likelihood be less secure and more prone to exploitation.
I think this is a positive move, or at least a signal that big web companies are taking the limitations of passwords seriously. Of course, two-factor authentication would be a better solution, but short of bribing users to adopt it, driving TFA adoption is an uphill struggle. Non-technical users are likely to see TFA as an inconvenience without understanding the benefits. For some sites, especially those with a largely non-technical user base, Medium’s strategy might be the way forward until solutions like SQRL or FIDO gain wider adoption.