HACKER Q&A
📣 thedangler

Passwordless Access


Hello, I'm wondering if there are any ways to have passwordless authentication for this new service I'll be implementing. I think I saw something the other day based on blockchain but didn't see any implementation examples.

I was thinking of making unique URLs and sending them to users' email addresses.

If end users can access basic information that an admin has created for them, but still needs to be somewhat private. I do not see a reason to create accounts for all users.

A simple access url might be enough?

I'm not collecting sensitive information.

Name, email, phone (optional) for SMS notifications.

Advice is appreciated.


  👤 Zamicol Accepted Answer ✓
Ethereum's latest attempt: https://login.xyz. I think this has a lot of problems that are not being talked about in the Ethereum community.

Alex Van de Sande, the co-founder of ENS, posted in 2018 an interesting demo with UniLogin, "Universal Logins demo for Ethereum" (https://www.youtube.com/watch?v=F5t94cCg6XE). The project was abandoned in 2020 (https://medium.com/universal-ethereum/out-of-gas-were-shutti...).

Since you have a Keybase account I'm guessing public key auth might interest you as well. Why bother with email? That's a dependency.

I'm working on a blockchain-less, passwordless, public key authentication system.


👤 armchairhacker
Why do you want passwordless? You could just store encrypted passwords in a database, or there are lots of solutions which make user accounts very easy.

If you want ease-of-use you can allow users to log in via OAuth, so they can use their Google accounts or other accounts without a password.

Look at the Supabase account API. If you use Supabase, having a user create an account, log in, sign up/log in via OAuth, and reset their password are literally one-line function calls.


👤 ttyprintk
We use unique URLs in email to manage mailing list and notifications, and mTLS for more serious access. mTLS is more complicated than the interface for the usual password manager, imho. It can work at the proxy waistline, gating access by passing a particular header around.

👤 geoah
Something like magic link maybe? https://magic.link — You can find other similar services or implement your own. Ask for the user's email, and send them a link with a short-lived JWT or other token.
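
The emailed-link approach described in the last comment, as an added example that is not part of the original thread: an HMAC-signed token stands in for the JWT and is checked for authenticity, expiry and single use. `SECRET`, `TTL_SECONDS`, the claim names, the in-memory `used_jti` set and the `service.example` URL are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

SECRET = secrets.token_bytes(32)  # assumption: server-side key, loaded from config in practice
TTL_SECONDS = 15 * 60             # assumption: link is valid for 15 minutes
used_jti = set()                  # assumption: stand-in for a shared store (DB, Redis)

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(email: str, now: Optional[float] = None) -> str:
    """Build 'payload.signature' to place in the emailed URL."""
    now = time.time() if now is None else now
    claims = {"sub": email, "exp": int(now) + TTL_SECONDS,
              "jti": secrets.token_urlsafe(16)}  # random id makes each link unique
    payload = json.dumps(claims).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(sig)}"

def redeem_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email if the token is authentic, unexpired and unused, else None."""
    now = time.time() if now is None else now
    try:
        payload_part, sig_part = token.split(".")
        payload, sig = b64d(payload_part), b64d(sig_part)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time check before parsing
        return None
    claims = json.loads(payload)
    if now >= claims["exp"] or claims["jti"] in used_jti:
        return None
    used_jti.add(claims["jti"])  # single use: a replayed link is rejected
    return claims["sub"]

if __name__ == "__main__":
    link_token = issue_token("user@example.com")  # constructed sample address
    print("https://service.example/login?token=" + link_token)
    print(redeem_token(link_token), redeem_token(link_token))
```

A token carried in a URL can end up in mail archives, proxy logs and browser history, which is why the short lifetime and the single-use check both matter.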