
Why Passwords Still Even

2025/01/22

You sneak into the computer lab. It's dark; apart from the faint beam of fluorescent light seeping through from the basement hallway via a small translucent window, the only light is the orange glow of an array of VT240 terminals. They are all connected to the main department Unix computer, over in Building C3.

You sit down in the farthest corner and glance at the screen of the terminal in front of you.


Welcome to the University of South Tardigradia
UNIX System V Release 3.2

login: _

You enter your login name assigned by administration. (It's all numbers of course; picking your username is a privilege one should not expect to get, even if you're among those fortunate enough to be given access to this unique, marvelous, and very expensive resource.)

After some moments of delay:


password: _

The sharp, mechanical sounds of the keyboard disappear into cheap cubicle walls; the greenish-brown plastic floor takes up the rest. Apart from the constant hiss of the air circulation system and the quiet hum of mains power flowing into transformer coils, everything is quiet; it's 4am after all. This is exactly why you're here now: finally, all the "important" users from the Department have logged out; all the CPU power is yours now to finally work on the Project.

You do feel reassured how the Project is protected by advanced computer security provided by Unix and your password, not like with those weirdos at MIT who just log in to their odd machines with their usernames only. They might be better playing around with their fancy AI expert systems and shiny graphics; you'd rather trust Unix boxes when it comes to keeping secrets though.

This is a good use of passwords.

Initially, the computer system didn't know who it was talking to. Using a password, the user could convince it to:

There weren't many great ways to do this in the '80s; public key crypto is really hard to do in your head, and the average person in that era had approximately zero cell phones available for the purpose.

Now, fast forward... a lot of years, actually. The story is similar: we have a user and we have a remote computer system. How do we identify the user?

Did something change?

Well, to begin with, more often than not, the user now has a computer that is not the same as said remote system. They already have access to this computer; otherwise, they wouldn't be opening websites and trying to log into them on it.

This computer (e.g. the user's laptop or mobile phone) can do as much public key crypto as required. And yet... the default is still to type in a login name and a password into various boxes, by hand?

But password managers

This computer (e.g. the user's laptop or mobile phone) can do as much public key crypto as required. And yet... the default is still to pretend typing in a login name and a password into various boxes, after some clicks by the user?

... well, sure, passkeys solve this problem a lot better. Optimally, everyone would be using passkeys instead? Kinda? We're not here to discuss passkeys though.

Better alternatives that aren't even magic

The main reason I'm writing this is just to show how Anthropic is doing it. They're just asking you for an email address...

the Anthropic login box

... but then, instead of a password box, you're just asked to check your email!

... click the link!

OK but what if you don't have all your emails open on this device? Well, in that case... you can still open it wherever you can; instead of logging you in, the link will create a verification code for you, which you can then type into the original box:
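The flow just described, as an added example that is neither Anthropic's code nor from this post: a Python sketch of the server side, where a login attempt is keyed by a random token that goes out in the email link, opening the link in the same browser session completes the login, and opening it anywhere else only yields a short code to type into the original box. The token is single use and expires; the short code is bound to the originating session and allows only a few guesses. Session ids, the URL and the addresses are made up.

```python
import hmac, secrets, time

LINK_TTL = 600   # seconds a login attempt stays valid
MAX_TRIES = 5    # guesses allowed against the short code before the attempt dies

class EmailLogin:
    """Constructed example of email-only login; not Anthropic's own code."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}    # token -> login attempt
        self.sessions = {}   # browser session id -> logged-in email

    def start(self, email, session):
        token = secrets.token_urlsafe(32)   # the only secret: 256 bits, single use
        self.pending[token] = {"email": email, "session": session, "tries": 0,
                               "expires": self.now() + LINK_TTL, "code": None}
        return f"https://example.test/verify?token={token}"   # goes into the email

    def _live(self, token):
        a = self.pending.get(token)
        if a is None or self.now() > a["expires"] or a["tries"] >= MAX_TRIES:
            self.pending.pop(token, None)   # expired or brute-forced: gone for good
            return None
        return a

    def open_link(self, token, session):
        """Same browser that asked: log it in. Other device: hand back a code."""
        a = self._live(token)
        if a is None:
            return ("denied", None)
        if hmac.compare_digest(a["session"], session):
            del self.pending[token]         # single use, even if the link is re-opened
            self.sessions[session] = a["email"]
            return ("logged_in", None)
        a["code"] = f"{secrets.randbelow(10**6):06d}"   # for the original box only
        return ("code", a["code"])

    def submit_code(self, session, code):
        """The original box submits the code the user read off the other device."""
        for token in [t for t, a in self.pending.items() if a["session"] == session]:
            a = self._live(token)
            if a is None or a["code"] is None:
                continue
            a["tries"] += 1
            if hmac.compare_digest(a["code"], code):
                del self.pending[token]
                self.sessions[session] = a["email"]
                return True
        return False
```

Note that the device that opens the link elsewhere never gets a session of its own; only the box that started the attempt does.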

Why is this working?

Because, unlike in the 80s, websites typically already have secure, established channels to the user.

Typically, they can just send them an email.

Which is, by the way, often used for password recovery.

So... if this is so... why do we even need passwords in the first place?

You could always just reset your password; making that easy enough that no password needs to be lost or forgotten in the first place goes a long way.

(Which also makes it somewhat interesting when a site uses an email verification code as a second factor, while also letting you reset the password with... email verification. How many factors is this again?)

Taking this further

Now imagine if your email client could do this for you automatically!

You want to log in somewhere. They send you an email (in the background). They also let your browser know that there is a login attempt.

Your email client sees this, clicks the link, login done.

Or! You want to log in on someone else's computer. You open a window, enter your email, "please verify login attempt by typing this two-digit number into your phone".

In the background, you got an email. You open the phone; it pops up a window, asking for the two-digit number (just to ensure that you don't mistakenly log in someone else who sees what you're doing); you type it in, done, you get access.

Other good examples

Has anyone seen this?

Apparently, Discord has also figured out how to let users log in easily without typing anything in. In their case, you don't even have to put in a username. How cool is that?

To be fair, I'm not advocating for each website forcing you to download an app: this should be a universal standard.

At which point...

... are we talking about passkeys again?

As it happens, passkeys do support a flow where you're using your phone to scan a QR code to authenticate another device. This is pretty much what Discord is doing, except it's a standard.

It also happened to not work when I last tried with my phone.

As it appears, there are things that are beautiful in theory, and should just work because they have no reason not to, except, in practice, somehow, they still do not. Bluetooth is one of them. Apparently, passkeys are another.

In this day and age, getting an email is not one of these things though. It pretty much always works; if it doesn't, you know that you need to check the spam folder. The point is, you don't even need magic things to come up with something that's better than logging in with passwords. They are that bad.

We can do better.

Appendix

For the record, this is a VT240:
a VT240 terminal; CC-BY 2.0, by Dan Ruske

Also... you already imagined this, but:
a computer lab