On password-less login

Ben Brown asks if it is time for password-less login. Well, yes it is. It has been for a long time.

I think an even better solution would be to remove the password completely, allowing users to log in with only an email address. Each time a user needs to log in, they enter their email address and receive a login link via email.

That’s part of our usual process of removing mandatory signup. We try to convince all our clients to do this (see also: Interface is Evil). The thinking goes: a password is not really needed to sign in, because you can always click the “I forgot” link. So why not just assume that the user has forgotten their password?

This flip makes sense for almost every website. If users visit a site infrequently, signing in via email is not a big deal. If users visit a site regularly, then chances are high that they are already signed in and won’t see the form anyway.

In Bureausphere (it’s a kind of online designers club available only in Russian), we go even further. There’s no sign in or sign out at all. On the me page, if we haven’t recognized the user by cookies, we just ask for an email (I’ve translated this bit for this screenshot):

If we know this user, we just send a link to their page, and the link logs them in behind the scenes. There’s no way to log out. And if we don’t know the person, we still do the same: the page will be created on the fly as the user clicks the link in the e-mail.

There is one problem with this approach. While no user likes messing with passwords, people at least understand how the system works. So if we change it, even for the better, we must take into account that some users will be confused.
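The e-mail link flow described above (enter an address, receive a link, get logged in, with the page created on click for unknown users), as an added sketch that is not code from the original post or from Bureausphere. The class and method names, the in-memory storage, the 15-minute link lifetime and the single-use rule are assumptions made for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the post does not specify one


class MagicLinkLogin:
    """In-memory sketch of e-mail link login (hypothetical names throughout)."""

    def __init__(self):
        self.pending = {}   # sha256(token) -> (email, expires_at)
        self.accounts = {}  # email -> profile dict

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, now=None):
        """Return the token to embed in the e-mailed link."""
        now = time.time() if now is None else now
        email = email.strip().lower()  # simplified normalization (assumption)
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.pending[self._digest(token)] = (email, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, now=None):
        """Return the e-mail to start a session for, or None if the link is invalid."""
        now = time.time() if now is None else now
        entry = self.pending.pop(self._digest(token), None)  # single use
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            return None
        # Unknown address: the page is created when the link is clicked,
        # not when the address is typed, so only the mailbox owner can create it.
        self.accounts.setdefault(email, {"created_at": now})
        return email


if __name__ == "__main__":
    login = MagicLinkLogin()
    t = login.issue("New.User@example.com", now=1000)  # constructed sample input
    print(login.redeem(t, now=1060))   # new.user@example.com
    print(login.redeem(t, now=1061))   # None: link already used
```

Because the link is the only credential, its entropy, lifetime and single-use handling carry the security that the password used to carry.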