Tell HN: I Don't Want to Use Email as a Password

It's not for you. It's for people who don't know what a password manager is and can barely remember their password. If they actually remember it. Many people rely on their phones always having access.

I have dealt with a lot of family members who absolutely cannot be trusted to remember even a single password if they don't have to type it in semi-regularly. I've have family members locked out of password vaults because 2 weeks is too long to expect them to remember a password.

This is who that flow is catering to. It's a significant amount of people, sadly.

jollyllama · 2 years ago

It's a logical consequence of expecting people to authenticate fully with services in a physical context outside of a computer desk at home where passwords can be safely written down. Unfortunately a hardware key is simply the modern version of this.

What would be better is the issuance of limited permissions for other context in the form of less secure tokens. An example of this is the old school example of logging into your airline account and printing out your tickets to take to the airport.

skydhash · 2 years ago

I was watching a demo of palm pda and I liked the fact you have a syncing software on your computer. I'd gladly sync auth secrets to my iPhone so I can access services instead of authenticating on the phone itself.

It sucks. Another horrible pattern is that enter email, hit enter THEN we'll show you the password field. What kind of puddinghead cooked that up I wonder.

codingdave · 2 years ago

I've done this. It really isn't to make life difficult, it is because we need to know who you are before we know whether you even need a password screen. Maybe your domain means you are part of an org has an SSO connection configured. Maybe you are not yet a user and need an onboarding workflow, etc.

Could that be done on a single page instead of a new page? Probably, but does turning the login into an SPA really reduce friction enough to make it worth that complexity?

In any case, some systems have a reason. But you are correct that doing such a thing without a good reason is not a wise move. And outside of B2B apps... I don't see it being a common thing.

runjake · 2 years ago

Here's what Google said when they implemented it:

  "Today, you sign in to Google on a page that includes both the ‘email’ and ‘password’ fields on the same page. We’ll be gradually splitting those two fields into separate pages in the coming days; the sign-in process won’t change otherwise.

  As we’ve said many times, we're working towards introducing new authentication solutions that complement traditional passwords. We’ve already separated the ‘username’ and ‘password’ fields onto separate pages on a successful launch in Android last year. This change to our web sign-in page is another step in that direction.

  To help make sign-in easier and more personal, you may see a screen with your profile picture and full name when signing in to Google. We’ll only show this information if you are signing in from a location or device you’ve signed in from before, like your home computer."

I have no opinions on it. At least, no positive opinions.

sergiotapia · 2 years ago

Crazy they just skip past the why. Why split it in the first place lol

codegeek · 2 years ago

Sometimes that is needed if you offer native login and SSO to login. Once a user enters the email, the system then checks if they should go to the SSO flow or normal password flow.

iteria · 2 years ago

tonymet · 2 years ago

I agree it sucks. It ads a complex & flimsy step to an already brittle login process.

A big problem is captive browser cookies. Gmail for example uses a captive browser for links. The flow from Safari --> Gmail --> captive browser means that your login session is lost in captive browser limbo.

Authentication is so kludgy, and all the attempts at securing it lead to horrific UX.

How many screens does it take to log in:

1. enter username,

2. enter password

3. enter 2fa,

4. verify email

5. open email inbox

6. open email with code

7. Open captive browser

8 ( if you are lucky) Open the original browser to log in.

8 screens that each could succeed or fail or the user can get lost.

joegahona · 2 years ago

I’ve been getting increasingly crazy permutations of login flows recently. I swear one of them recently was: Enter email address, go fish code out of email inbox, cut and paste code in, then get a password field.

pseudocomposer · 2 years ago

I agree these flows suck, and others have described why companies do this. But I’ll also note there is a solution: use Apple Mail and Safari. Just as with Messages and SMS 2FA codes, it can auto-fill the code that was emailed to you, and delete the email when you do so.

VoodooJuJu · 2 years ago

While it bothers me as well, this flow isn't too common. It's usually only used for MVPs because of how quick and easy it is to set up.

What I'm more bothered about is that sites who use traditional username/email and password increasingly don't actually seem to care about my password. They always require 2FA, email or phone, and I don't have a choice. Username + password simply isn't good enough for these people anymore.

curmudgeon22 · 2 years ago

I am seeing this much more frequently in services I use. Rarely, they have a small option that says "use password instead".

I agree that it's pretty frustrating, since I have strong passwords in my password manager. Like another poster, I assume its used because it provides better security for the majority.

clusmore · 2 years ago

A lot of companies have started doing this because a compromised account can be used to attack the service (logged in sessions avoid rate limits) or other users (spam). They aren't necessarily trying to protect you.

rubyissimo · 2 years ago

I want to like passkeys, but so far it feels like they've just confused the issue.

sethammons · 2 years ago

email as a login flow is gonna cause problems. Email can be delayed for days.

NikkiA · 2 years ago

So can SMS, it hasn't stopped idiots designing 2FA around it.