aspnet / Identity

[Archived] ASP.NET Core Identity is the membership system for building ASP.NET Core web applications, including membership, login, and user data. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

What is your opinion on Passwordless auth #1988

Closed Ponant closed 5 years ago

Ponant commented 5 years ago

Hi, I understand that password-less auth à la Medium or Slack is not an RFC-based standard, but I would like to have some feedback on its advantages and/or disadvantages over password-based flows as we do with ASP.NET Identity. I would exclude from the discussion login via social providers, hence concentrating the discussion feedback around the situation where: 1) User enters email on the website or app 2) Email is sent to user with a one-time login 3) User checks email and clicks the link and gets logged in the browser or app.

I tried to think it over and over and I see absolutely no advantage of password-based schema over password-less ones. Hence my question :)
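The three-step flow in the comment above depends on how the one-time login is generated and checked. As an added example (not part of the thread and not ASP.NET Core Identity code), this Python code shows the server side of steps 2 and 3 with a single-use, expiring link token that is stored only as a hash. The class name, the 10-minute lifetime, the in-memory store and the sample addresses are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed 10-minute lifetime; the thread specifies none


class OneTimeLoginStore:
    """Hypothetical in-memory stand-in for a server-side table of pending links."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (email, expires_at); raw token never stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Step 2: create the secret that is placed in the emailed link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # A newer request for the same address invalidates any older link.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != email}
        self._pending[self._digest(token)] = (email, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Step 3: return the email to sign in, or None if the link is not valid."""
        entry = self._pending.pop(self._digest(token), None)  # pop makes it single use
        if entry is None:
            return None
        email, expires_at = entry
        return email if self._clock() < expires_at else None


def demo():
    now = [1_000_000.0]  # constructed clock so expiry can be exercised offline
    store = OneTimeLoginStore(clock=lambda: now[0])
    first = store.issue("alice@example.test")   # constructed sample address
    second = store.issue("alice@example.test")  # supersedes the first link
    results = {
        "superseded": store.redeem(first),
        "fresh": store.redeem(second),
        "replayed": store.redeem(second),
    }
    late = store.issue("bob@example.test")
    now[0] += TOKEN_TTL_SECONDS + 1
    results["expired"] = store.redeem(late)
    return results
```

Anyone who can read the mailbox or the link in transit within the lifetime can still redeem it, so the email account remains the real credential in this flow.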

blowdart commented 5 years ago

This would be an opinion, which would be outside of the scope of a GitHub code issue. So I'm going to close the issue.

Ponant commented 5 years ago

@blowdart, you decide at the end, although GitHub is also used for getting feedback, e.g. https://github.com/aspnet/Docs/issues/6146 . :) :) :) Furthermore, I think the discussion can be interesting and I can't ask this on SO. I saw one of your tweets mentioning that you would gladly go pwdless, but that was as elaborate as a tweet can be. I was looking forward to an opinion from you and/or the team as well as @brockallen etc. Cheers

blowdart commented 5 years ago

Oh I see. Well we wouldn't put it into Identity, because the only way we could do it without a lot more of a backend is magic links and those are just despicable.

Ponant commented 5 years ago

@blowdart, thanks for re-opening! Sure, I understand your view, but what is your take on the security side? I mean, do you see any disadvantages of using a pwd-less schema vs a pwd-based one? I ask this because I just do not see any disadvantage of pwd-less. Even on the financial side (sending emails for login), a pwd-less schema seems just better or at least equal on the spending side.

blowdart commented 5 years ago

It would depend on the implementation; without that I couldn't make any comparisons or form an accurate opinion.

blowdart commented 5 years ago

As this is opinion and discussion I'm going to close this again.

Ponant commented 5 years ago

Thanks