Tom Olzak

Is email safer than a password?

In Access Controls, Computers and Internet, One Time Passwords, Password Management on July 1, 2015 at 20:02

According to a Register article, "Small change to Medium takes large axe to passwords," Medium is providing an option to log in with email instead of a password.  I registered at Medium to check it out and to see whether I agree with the Register article about its possible weaknesses.

Sign up is easy.  On the first screen, you choose whether to use a social network login (e.g., Twitter) or email.  I chose email.  After selecting topics I wanted to read about, Medium sent an email to me.  Using the email, I logged in.  No password, just a user ID.

I logged out and tried to log in again.  Medium asked me for my registration email using TLS 1.2 to encrypt the session.  I entered my email and almost immediately received a message from Medium.  The message provided a button I pushed, which took me to my home page at Medium.  Very fast, very efficient.
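The login flow described above is a "magic link": the site mails a bearer token and redeeming it once, within a short window, is the authentication.  The following is an added example of the server side of that exchange; it is not Medium's code (which is not public) and not from the Register article.  It assumes a 32-byte random token, a 15-minute lifetime, single use, storage of only the token's hash, and a hypothetical login URL on example.invalid.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Assumptions for this example (not taken from Medium): 15-minute token
# lifetime and a hypothetical login endpoint on example.invalid.
TOKEN_TTL_SECONDS = 15 * 60
LOGIN_URL = "https://example.invalid/login"


class MagicLinkAuth:
    """Issue and redeem single-use, expiring email login tokens.

    The clock is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        # token hash -> (normalized email, expiry timestamp)
        self._pending: dict[str, tuple[str, float]] = {}

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is stored: a copied database yields no usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Return the link to put in the email sent to the user."""
        token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe encoding
        expires_at = self._now() + TOKEN_TTL_SECONDS
        self._pending[self._hash(token)] = (email.strip().lower(), expires_at)
        return f"{LOGIN_URL}?token={token}"

    def redeem(self, token: str):
        """Return the email the token was issued to, or None.

        The entry is removed on every attempt, so a link works at most once,
        whether the first use succeeded or arrived after expiry.
        """
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return None  # unknown, already used, or forged token
        email, expires_at = entry
        if self._now() > expires_at:
            return None  # link sat in the inbox too long
        return email


def token_from_url(url: str) -> str:
    """Extract the token the user's click sends back (what the button carries)."""
    values = parse_qs(urlparse(url).query).get("token", [])
    return values[0] if values else ""


def demo() -> tuple:
    """Walk through the flow with a controllable clock; returns the outcomes."""
    clock = [1_000.0]
    auth = MagicLinkAuth(now=lambda: clock[0])

    link = auth.issue("Reader@Example.com")  # constructed sample address
    first = auth.redeem(token_from_url(link))   # click once: logged in
    second = auth.redeem(token_from_url(link))  # click again: rejected

    stale = auth.issue("reader@example.com")
    clock[0] += TOKEN_TTL_SECONDS + 1
    expired = auth.redeem(token_from_url(stale))  # too late: rejected

    forged = auth.redeem("not-a-real-token")
    return first, second, expired, forged


if __name__ == "__main__":
    print(demo())
```

The properties worth checking are the ones the prose takes for granted: the token is random rather than derived from the address, it expires, it cannot be replayed, and a dump of the pending table is useless to an attacker.  Note what the code cannot fix: anyone who can read the mailbox the link lands in can redeem it first.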

So is this safer than a password?  Almost every site already accepts email as the secondary channel for recovering from a forgotten password.  It isn’t much of a stretch to make email the primary authentication factor.  Further, users don’t have to write down passwords or remember a new password for every login.  But…

In an email-as-a-password world, email becomes a single point of failure and a big target: whoever controls the mailbox controls every account that logs in through it, and that mailbox is still protected by a password.  As long as users do better at password selection for that one account, this could still work.  But what are the odds that we can train users (after trying for years) to use something other than 12345678 or Passw0rd?
