No password login for website

Source: Internet
Author: User
Tags oauth openid

Most Web sites require users to log in.

A common practice is to have users sign up for an account.

This approach is not satisfactory.

Users have to remember a password for every site, which is troublesome. Developers have to take responsibility for protecting those passwords, and once passwords leak, the site's business and reputation suffer a huge blow.

So, long ago, people began to imagine "no password login" (password-less login). This would lift a great burden from both users and websites.

This article reviews several common approaches to "no password login" and then explores one of the simplest implementations.

First, OpenID

OpenID was one of the earliest proposals for password-free login.

The idea is this: every web address (URL) on the Internet points to a unique web page, so a URL is itself unique. Therefore, URLs can be used to identify users.

A website that uses OpenID therefore does not ask users to enter a "username"; it asks them to enter a URL that represents their identity. The URL is then verified and, if the verification succeeds, the user is allowed to log in, which achieves "no password login".

OpenID has two big drawbacks. One is that it needs server-side support. The other is that using a URL to represent identity is counter-intuitive and hard for ordinary users to understand. As a result, it has never been widely adopted.

Second, third-party accounts

The essence of OpenID is to allow third-party websites to authenticate users. Then obviously, this is equivalent to a user logging on to a third-party website.

Therefore, you can directly tell users to sign in with a third-party account (provided that the third party supports OpenID).

The advantage is that this is more intuitive and users accept it easily. The disadvantage is that your own business now depends, to a greater or lesser degree, on the third-party site. For example, many websites now use Facebook accounts to sign in, and if Facebook fails, those sites are affected.

Third, Persona

Last year, Mozilla proposed the Persona solution, claiming it to be the ultimate solution for password-free login.

It is similar to OpenID. OpenID uses a URL to identify the user, whereas Persona uses an email address. After the user types the email address, the website requests authentication from the email server.

Although this scheme is still in its promotion period and its effect remains to be seen, I'm not very optimistic about it at the moment. First, its technical requirements and process are more complex than OpenID's and cannot be explained clearly in a sentence; second, it requires server-side support, and it is difficult to imagine that most of the world's email servers will deploy Persona code.

Fourth, OAuth

The OAuth protocol is really the same kind of thing as a "third-party account".

With a "third-party account", a third-party website provides user authentication, so it is an authentication service. OAuth goes further: the third-party website lets you operate directly on its user data, so it is an authorization service.

OAuth's checks are more stringent than OpenID's because changes to user data are involved. In general, OAuth is needed only when you build an external service on top of a third-party site; it is not necessary if you simply want to tell users apart.

Fifth, one-time email login

The four login methods above are the current mainstream forms of "no password login". Below, I would like to introduce the simplest implementation, which was proposed by American programmer Ben Brown in July this year.

His approach is simple. When the user logs in, only an email address entry box is displayed.

After the user enters the email address, the website sends an email containing a login link to that address. By clicking on this link, the user proves that he or she is the owner of the mailbox and that the identity is valid, which completes the login.

The login link is valid only for a limited period, but a cookie can be used to keep the user logged in for a long time. If the cookie expires, another login link is sent to the user's mailbox.
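The flow described above, sketched as an added example (it is not Ben Brown's code and not part of the original article). The link and cookie lifetimes, the `site.example` host, the in-memory `_pending` store and the choice to keep only a hash of each token are assumptions.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL = 15 * 60               # assumed lifetime of a login link, seconds
COOKIE_TTL = 30 * 24 * 3600      # assumed lifetime of the session cookie, seconds
SECRET = secrets.token_bytes(32)  # server-side key used to sign cookies
_pending = {}                    # sha256(token) -> (email, expiry); stands in for a DB table


def issue_link(email, now=None):
    """Create the one-time login URL that is e-mailed to the user."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)               # unguessable random token
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[digest] = (email.strip().lower(), now + LINK_TTL)
    return "https://site.example/login?token=" + token  # placeholder host


def redeem_link(token, now=None):
    """Return the e-mail the token was issued for, or None. Each token works once."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.pop(digest, None)              # pop: a replayed link fails
    if entry is None or now > entry[1]:
        return None
    return entry[0]


def make_cookie(email, now=None):
    """Build the signed session cookie value: email|expiry|hmac."""
    now = time.time() if now is None else now
    body = f"{email}|{int(now + COOKIE_TTL)}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def read_cookie(value, now=None):
    """Return the logged-in e-mail, or None if the cookie is forged or expired."""
    now = time.time() if now is None else now
    body, _, mac = value.rpartition("|")
    good = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), good.encode()):
        return None
    email, _, expiry = body.rpartition("|")
    return email if expiry.isdigit() and now <= int(expiry) else None
```

When `read_cookie` returns None, the site shows the email entry box again and calls `issue_link` to send a fresh link.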

Because the entire authentication process is completed through email, it fully achieves "no password login", and the flow is natural and easy to understand. More importantly, it uses the existing email protocol, needs no new server-side code on the mail side, and has the best compatibility.

The main drawback is that the user has to check the mailbox one extra time, which is a bit cumbersome, and it is not suitable for users who cannot open their email, for example when surfing the Internet at a friend's home. Therefore, a website that uses it must also deploy an alternative sign-in method.

Overall, I think this is a simple and feasible approach, and I intend to try it on sites I build later.

I would like to hear everyone's opinion: do you think this method is feasible?
