Most websites require users to log on.
A common practice is to have a user register an account.
This approach is not satisfactory.
For users, it means remembering a separate password for each website, which is troublesome. For developers, it means taking on the responsibility of protecting those passwords: once they leak, the damage to the site's business and reputation is enormous.
Therefore, people have long imagined "password-less login", which would greatly reduce the burden on both users and websites.
This article first reviews several common approaches to password-less login, and then looks at one of the simplest implementations.
I. OpenID
OpenID was the first kind of password-less login.
The idea is that every URL on the Internet points to a unique web page, so a URL is itself a unique identifier, and a user can therefore be identified by a URL.
So a website that supports OpenID does not ask you for a "user name"; instead you enter a URL that represents your identity. The website then asks the site behind that URL to verify you, and if the verification succeeds you are logged in, without a password.
OpenID has two major drawbacks: it requires support on the server side, and it uses a web address to represent an identity, which is counterintuitive and hard for ordinary users to understand. As a result, it never gained wide adoption.
II. Third-party accounts
The essence of OpenID is to let a third-party website authenticate the user's identity, which is obviously equivalent to the user logging on to that third-party site.
So you can simply ask the user to log on with a third-party account (provided that site supports OpenID).
The advantage is that this is intuitive and easy for users to accept. The disadvantage is that your own business becomes more or less dependent on a third-party website. For example, many websites now let users log on with their Facebook accounts; if Facebook goes down, those websites are affected.
III. Persona
Last year, Mozilla proposed Persona, which claims to be the ultimate solution for password-less login.
It is similar to OpenID: where OpenID identifies a user by a URL, Persona identifies the user by an email address. After you type in an email address, the website asks that email's server to authenticate you.
This solution is still being promoted and its effect remains to be seen, but I am not very optimistic about it. First, its technical requirements and process are more complex than OpenID's and cannot be explained in one sentence. Second, it requires server-side support, and it is hard to imagine most of the world's email servers deploying the Persona code.
IV. OAuth
The OAuth protocol is actually much like a "third-party account".
A "third-party account" means a third-party website provides user identity authentication, which is an "authentication" service. OAuth goes one step further: the third-party website lets you operate directly on its user data, which is an "authorization" service.
Because changes to user data are involved, OAuth's authentication is stricter than OpenID's. Generally, OAuth is only needed when you use a third-party website's external services; if you only need to verify the user's identity, OAuth is not necessary.
V. One-time email login
The four methods above are the current mainstream forms of password-less login. Next I would like to introduce the simplest implementation, proposed by American programmer Ben Brown in July this year.
His approach is simple: the login page shows only one input box, for an email address.
After you enter the address, the website sends a message containing a login link to that address. Clicking the link proves that the user really does control the mailbox, so their identity is valid and they are logged in.
The login link is valid only for a limited time, but a cookie can keep the user logged in for a long time. When the cookie expires, a new login link is sent to the user's mailbox.
Because the whole authentication process is done through email, this is a complete password-less login, and the process is natural and easy to understand. More importantly, it uses the existing email protocol and requires no new code on the mail server side, so it has the best compatibility.
The main drawback is that the user has to check the mailbox one more time, which is a little troublesome, and it does not suit situations where the user cannot open their mailbox, such as browsing the web at a friend's house. So the website must also deploy a backup login method.
In general, I think this is a simple and usable method; I plan to try it the next time I build a website.
Do you think this method is feasible?