Email-less and password-less registration & authentication

The insecurity and usability problems of passwords are well known. Passwords are something you know, so they are vulnerable to forgetting, which happens often. Thus, email is widely used as a backup to reset passwords.

Email has a lot of problems too. Similar to passwords, people typically reuse the same email address across lots of services, creating a privacy risk if the email is discovered from the service. It is increasingly difficult to get an email address without giving personally identifiable information to the email server. As a deterrent against spam (and probably also because it makes it easier to target ads at users), free email services typically require providing a phone number which is easy to associate with a particular person. Paid email services might not require a phone number, but paying for a service without personally identifiable information is difficult as well, and relying on paid email service subscription is vulnerable to changes in financial circumstances. Also, it’s difficult to reliably self host an email server today. In addition to the privacy issues, the centralization created by reusing an email account across many services also creates a security risk because a compromise of the email account would compromise lots of other accounts.

Nowadays, we don’t need passwords nor emails to register or authenticate to a service. Discourse already supports FIDO and TOTP, but it still requires a password and email address to register and authenticate. It would be great if Discourse made passwords and emails optional in favor of FIDO and TOTP.

One factor authentication with FIDO can be really convenient, but it is vulnerable to loss or destruction of the single FIDO token, similar to the issue of registering with a password but no email address. To resolve this, I propose that users would be required to provide at least two factors to register, which could be any combination of FIDO, TOTP, and/or password. Users who want email-less & password-less authentication could simply register two FIDO roaming authenticators like YubiKeys. Users could be advised (or potentially required, especially for administrators) to register more than the minimum of two factors to avoid losing access to their accounts.

As FIDO platform authenticators are being built into more and more devices these days with Windows Hello, Apple Touch & Face ID, and Android, this email-less registration system could be usable by nontechnical users who do not own specialized roaming authenticator hardware like a YubiKey. Users could register with the FIDO platform authenticator plus a password. One factor authentication with the FIDO platform authenticator could work seamlessly with such a setup. However, this would create a usability problem for authentication on new devices because users wouldn’t have the FIDO platform authenticator available on a new device and relying solely on the password to set up a new device wouldn’t be secure. To resolve this, I propose a workflow similar to how Matrix authenticates new clients. The user could try to log in on a new device with that device’s FIDO platform authenticator (a new factor) and their password (an already registered factor). This would not actually log in, but it would create a request to approve the new FIDO authenticator in the account. The UI on the new device would then direct the user to log in on a device they already have registered to approve the new device. With FIDO platform authenticators built into mobile devices, this could be practically usable for secure authentication without specialized roaming authenticator hardware or sacrificing the ability to use any ad-hoc device like a public kiosk.

I just came up with this anonymous registration & authentication system yesterday after receiving my Yubikeys. I am not aware of any systems which implement this. I would love to see a mature and already widely deployed web application such as Discourse pioneer a future without email or other personally identifiable information being required to use the Internet.

2 Likes
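The two policies described in the post above (registration needs at least two factors from FIDO/TOTP/password, and a new device's FIDO authenticator is parked as pending until an already-registered device approves it) as an added, runnable model. This is example code written for this thread, not Discourse code; the `Account`, `Factor` and method names are hypothetical.

```ruby
# Hypothetical model of the proposed email-less registration and
# new-device approval flow. Not Discourse code.
FACTOR_TYPES = %i[fido totp password].freeze
MIN_FACTORS  = 2 # registration is refused with fewer factors than this

Factor = Struct.new(:type, :id, :registered) do
  def initialize(type, id, registered = false)
    raise ArgumentError, "unknown factor type #{type}" unless FACTOR_TYPES.include?(type)
    super(type, id, registered)
  end
end

class Account
  attr_reader :factors, :pending

  # Registration: any mix of at least MIN_FACTORS factors, no email required.
  def initialize(factors)
    raise ArgumentError, "need at least #{MIN_FACTORS} factors" if factors.size < MIN_FACTORS
    @factors = factors.each { |f| f.registered = true }
    @pending = {} # new-device FIDO authenticators awaiting approval
  end

  def registered?(factor_id)
    @factors.any? { |f| f.id == factor_id }
  end

  # Normal login: a single registered factor (e.g. the platform authenticator) suffices.
  def login(factor_id)
    registered?(factor_id)
  end

  # New device: presents an unregistered FIDO authenticator plus one already
  # registered factor. Does NOT log in; only records a pending approval request.
  def request_new_device(new_fido, known_factor_id)
    return :rejected unless new_fido.type == :fido && !registered?(new_fido.id)
    return :rejected unless registered?(known_factor_id)
    @pending[new_fido.id] = new_fido
    :pending
  end

  # Approval must be given with a factor that is already registered on the account.
  def approve_device(new_fido_id, approver_factor_id)
    return :rejected unless registered?(approver_factor_id) && @pending.key?(new_fido_id)
    f = @pending.delete(new_fido_id)
    f.registered = true
    @factors << f
    :approved
  end
end
```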

That’s likely true. But it’s hard to imagine that anyone who would log in with the system that you propose doesn’t know what a password manager is. I’ve been using a password manager for a decade or so, have multiple FIDO keys, use Google Authenticator, and don’t quite understand what you propose.

It seems improbable that such a system will be added unless at least a few enterprise customers want it. I think it’s on the order of at least 50 hours work for someone who knows a lot about the authentication system, and likely twice that with proper specs. There was an attempt a while ago to integrate with Keybase, which could do some of what you want, but I don’t think it got very far.

It’s an interesting idea, though. Maybe it’s easier than I think.

1 Like

Anyone with a recent device that has a FIDO platform authenticator built in could use this quite easily. In a few more years this could be just about anyone.

I said it in the title: make email optional. Making passwords optional would be great too.

I’m sure it would take a decent amount of work to implement. I think most of the hard part would be getting the UX design really clear. Discourse already has the building blocks in place with 2FA supporting FIDO and TOTP.

1 Like

A small, first step towards implementing this could be adding the UI for registering FIDO and TOTP to the registration UI so it doesn’t need to be an extra step in the preferences after logging in for the first time. Later, the UI design could be improved further to make email and password optional.

1 Like

I’m curious about @codinghorror’s thoughts on this considering his various blog posts about passwords.

3 Likes

E-mail should be optional. Using e-mail is getting more and more unreliable, impossible due to the big e-mail provider oligopoly.

Now suddenly gmail is blocking my domain name.

  • Even after perfectly setting up all the e-mail security (SPF, DKIM, DMARC, …) for years
    • What do I mean by perfect? All the e-mail security testing and reporting tools are showing “100% OK” and
    • the domain name hasn’t been in any spam lists (Spamhaus, …) for years either.

But you can contact gmail? Sure…

Quoting the Sender Contact Form - Gmail Help page:

We’ll use the information you provide to investigate and improve our spam and abuse detection systems. Unfortunately, we can’t provide details about our findings during or after the investigation.

So likely the answer can be like “yeah, we looked into it, we didn’t fix it, the issue is on your side but you won’t share any spam examples and we don’t tell you what the issue is”… That is, if there is any issue at all.

I used that contact form anyhow. Takes two weeks for mail to reply, the form said at the end. That makes e-mail pretty much unreliable and too cumbersome to work with.

It’s not only my experience.

Many other people blogged about similar experiences.

These shenanigans are on top of all the technical difficulties of self-hosting your e-mail server.

Could you please make e-mail optional?

  • When signing up with e-mail address: Password recovery will be possible.
  • When signing up without e-mail address: Password recovery will be impossible.
    • If allowed by the site administrator (optional setting), warn the user but permit signup without e-mail address.
    • Only username + password.


1 Like

A quick and easy solution is to use some other system for authentication using discourse connect.

My earlier estimate of how hard it would be to create an email-free system is wildly off. Using some other identifier with a not-email.invalid hostname for those emails should be doable. I think the Sign-In with Ethereum plugin might do what you want, if you’re willing to make people use Ethereum, but something similar could also work. You do need some way to establish identity.

You do need some way to establish identity.

Just username + password.

So anyone (or any bot) on the whole internet can come to your forum and create an infinite number of accounts by making up a username and a password?

Yes.

In my experience with various webapps, spam bots don’t have much of an issue creating gmail and other e-mail addresses. On my site, we’re also not excluding temporary/disposable email addresses. There’s also some other forum software / forums that allow sign-up without (or without a valid) e-mail address and this also didn’t cause any issues that I could see. So I don’t see e-mail addresses as much of a barrier to avoid a flood of bot / DOS attack accounts.

But I can see where you might be coming from. Allowing users to sign up without an e-mail address might expand into lots of follow-up issues. What if there is a huge flood of bot attacks and/or a DOS attack where a crazy number of forum accounts is created?

In that case, anti-spam measures would be required. But these would not be specific to those forum instances where e-mail is optional versus those where e-mail is mandatory.

That is because spammers nowadays also have access to lots of created or hacked e-mail addresses. They could also use temporary e-mail providers. Or buy/steal a domain name and set up their own e-mail server just for the purpose of spammy forum setups.

The same questions would arise for both email-using and non-email-using users. For the sake of this discussion, some theoretical questions:

  • How to view all accounts that were created since X days, that were logged in less than X minutes, that have 0 posts? Probably bot accounts. I want to find and delete all of these.
  • How to add a custom question / puzzle / captcha / whatever before accepting a sign-up?
  • Could the admin panel please have an easy button where admins can easily approve/unapprove new sign-ups, capable of handling mass registration spam?

Looks like Google has come up with an interesting solution for this using QR codes and Bluetooth:

1 Like

Related: Users logging with SSO, without email address

1 Like