Podcast 369: Passwords are dead! Long live the new authentication flows.
In this episode, we talk to Julianna Lamb, co-founder and CTO of Stytch, about building a password-free world.
Every password that you can remember can be compromised. Stytch helps companies build authentication flows that don’t need user passwords.
Julianna grew up in Idaho, where she didn’t even know what computer science was. After stints as a software engineer and product manager, she found a role where she could figure out what the organization should be building: CTO and founder.
Their first product was email magic links, which are more complicated to get right than you might think. Most importantly, how do you keep the link out of the spam folder every time? Even changes to the wording of the email can make all the difference.
Developer tooling is undergoing a renaissance now that smaller companies are getting into the game with API offerings. The big thing that differentiates good tools from bad is easy to understand documentation.
The right metaphor for API services isn’t SaaS, it’s eCommerce: plug the service into your app without giving up control of design and user experience.
Tags: authentication, passwords, security, the stack overflow podcast
39 Comments
“The big thing that differentiates good tools from bad is easy to understand documentation.”
Wrong.
The big thing that differentiates good tools from bad is that good tools are better than the bad ones. The trick is finding out what “better” means and pursuing it aggressively.
Which is not to say that documentation is important. Vue.js has gotten a lot of traction precisely because they have stellar documentation and training, but they built the exemplary tool first.
Do you even read what you write?
“The big thing that differentiates good tools from bad is easy to understand documentation.” is actually true if you think about it. Good tools will always have good documentation/manual and that’s what separates good tools from bad ones.
“Good tools will always have good documentation/manual and that’s what separates good tools from bad ones.”
This is a common fallacy, that the more time is spent on documenting, packaging, and presentation, the better the product must be. People assume this is true, when in fact the opposite is often the case.
A wrench is a better tool for loosening bolts than a pair of pliers. No amount of documentation will change that.
People learn via different modes (seen, heard, read), some better than others for the individual. Great software appeals in all three of these worlds using an intuitive user interface, context-sensitive help, documentation with a structured approach to learning and video instructional support available through help. But great tools will always come out of the barn needing some work.
Do you even proofread your reply?
What makes a bad tool? I’d say either misalignment with needs or complexity that inhibits any use at all.
If you want to drive a nail, a screwdriver is a bad tool because it’s not designed for the job.
If you want to drive a nail, one hammer is as good as another because it’s a fairly simple tool.
With, for example, a CLI tool, it’s murkier because exemplary documentation can both lower and increase complexity: the former, by explaining the tool and providing examples of its use, the latter, by accommodating poor design choices and shifting the burden of design from the tool itself to its documentation.
A concrete example of the latter case that comes to mind: the exercism CLI, which requires an option flag to be set in order to work and fails when executed with only an argument. This is very helpfully documented with examples and the like, but obviously the design of the interface violates the principle of least surprise — I would not consider it a well-made tool, despite the more than adequate documentation.
So instead of going to example.com, having my browser auto-fill the password for me, and clicking login, and being done within seconds; you want me to go to example.com, have my browser auto-fill my email address, click email a login link, switch to my email client/email tab in my browser (depending on device), wait 30s to several minutes for the link to arrive, open the email, click the link, and then have to close one of the two tabs I have open to example.com instead?
And this is supposed to be an improved user experience?!?!?!?!?
You know what, the services provided by sample.com are looking better all the time. Hopefully example.com at least still makes it easy to delete my account.
also email is just assumed to be safe for some reason, even though email is not necessarily encrypted and is itself protected with a password
That’s right, Dave.
Maybe I don’t really understand but this sounds like kicking the can down the road. But worse. Remember we’re told we’re not supposed to have one password for all those accounts you have? Well all those websites that will allow you to authenticate from your email will do the same thing – your email account has one password. If your email gets pwnd, so do all the other accounts, yes?
And recall the primary vector for phishing attacks is your email account?
Please tell me I’m wrong about this.
Absolutely, now you just need to compromise “One email account to rule them all”.
Although magic links + 2FA work and are in use. Some people might consider that a better user experience than password+2FA.
Hahaha, you nailed it.
and you forgot that the browser app used by your email app might not be the browser app that you want to be using to access that site, or the site might have an app itself, so the magic link goes to a web site and now you have access through that browser, but not by the app or browser you wanted to be using in the first place
Thanks so much for your inputs. I will take note that magic codes are the way to go.
I disagree. Users should be responsible for their own security; for me, any even marginal increase in usability and ease of use is well worth an exponential decrease in security from a simple username and password combo.
Passwords are dead!
Paper is dead!
The internet is dead!
Journalism is dead! (well this one might be true actually.)
Actually I think a password manager is what solves the issue. Password managers with strong random passwords solve the issue of password reuse.
If you don’t sync Chrome to your Google Account and use BitLocker, they are a form of MFA as well – something you know (the login password to your computer), plus something you have (namely the computer).
That is right, I think the same way, and that leaves us only one problem: sharing the password securely. With a partner we are developing a tool for that, so the combination would be a password manager and a tool that allows sharing passwords or secrets securely, like SharePass. The app is going live soon: sharepass.online
Password managers are the complete “definition” of kicking the can down the road. Now someone only needs to compromise your password manager and all your 45-gazillion-length random passwords get compromised. If you use an offline password manager then you have a problem when you’re working remotely and need to use one of those impossible-to-remember passwords. If it’s an online service, then the service gets compromised just like any other service. The difference is that when Experian gets hacked, you lose your personal information; when LastPass gets hacked, you lose your entire digital presence.
You can use offline password managers with backups synchronized on Google Drive, Dropbox, etc and then have it also on your phone.
I fully agree, in fact that’s what I do. OK, I have a few very old reused passwords, mostly on accounts I don’t use much. Anything important that I use regularly has a unique 16 character password, invented for me by LastPass and maintained for me by LastPass. I do recognize I’m in a minority here.
As for the wonderful “magic link,” I used to do email support for a major bank. I was around when phishing with fake links began. And I’m basically very very suspicious of links I don’t completely recognize. I’ll stick with passwords and a password manager.
I’m a huge fan of using a magic email link to bootstrap WebAuthn on new devices. You need email working anyway to handle password resets, so not much more implementation effort. Email isn’t always as convenient as passwords but it’s way more secure, and once you combine it with WebAuthn the user only needs to use the email sign-in method once per device which pretty well alleviates the usability issue.
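The magic-link flow described in the episode summary, and used in the comment above to bootstrap WebAuthn once per device, rests on the emailed link being single-use and short-lived, with the secret never stored in the clear on the server. The following is an added example, not code from Stytch, from the podcast, or from the commenter: the 15-minute TTL, the in-memory store, the `example.com` redemption URL and the `FakeClock` helper are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Assumed policy values for this illustration (not Stytch's or the commenter's).
TOKEN_TTL_SECONDS = 15 * 60
BASE_URL = "https://example.com/auth/magic"  # hypothetical redemption endpoint


@dataclass
class PendingLink:
    email: str
    token_hash: bytes      # SHA-256 of the raw token; the raw token is never stored
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issue and redeem single-use, time-limited email sign-in links.

    The store is an in-memory dict for illustration; a real deployment would
    keep the same fields in a database row. `clock` is injectable so expiry
    can be exercised deterministically.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: Dict[str, PendingLink] = {}

    def issue(self, email: str) -> str:
        """Create a fresh link for `email` and return the URL to put in the message."""
        link_id = secrets.token_urlsafe(16)   # public handle, safe to log
        token = secrets.token_urlsafe(32)     # 256-bit secret, appears only in the email
        self._pending[link_id] = PendingLink(
            email=email.strip().lower(),
            token_hash=hashlib.sha256(token.encode()).digest(),
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        return f"{BASE_URL}?id={link_id}&token={token}"

    def redeem(self, link_id: str, token: str) -> Optional[str]:
        """Return the verified email address, or None if the link is unusable.

        A link is unusable if it is unknown, already used, expired, or the
        token does not match. Used and expired links are deleted so they
        cannot be retried; a mismatched token leaves the link intact (a real
        service would also rate-limit or count attempts per link_id).
        """
        entry = self._pending.get(link_id)
        if entry is None:
            return None
        if entry.used or self._clock() > entry.expires_at:
            self._pending.pop(link_id, None)
            return None
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(entry.token_hash, presented):
            return None
        entry.used = True            # mark spent before removal
        self._pending.pop(link_id, None)
        return entry.email


def parse_link(url: str) -> Tuple[str, str]:
    """Extract (link_id, token) from a URL produced by MagicLinkService.issue."""
    query = parse_qs(urlparse(url).query)
    return query["id"][0], query["token"][0]


class FakeClock:
    """Adjustable clock so expiry can be demonstrated without sleeping (test helper)."""

    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    svc = MagicLinkService(clock=clock)
    url = svc.issue("Alice@Example.com")        # this URL would go in the email body
    link_id, token = parse_link(url)
    print(svc.redeem(link_id, token))            # alice@example.com
    print(svc.redeem(link_id, token))            # None: links are single-use
    stale_id, stale_token = parse_link(svc.issue("bob@example.com"))
    clock.now += TOKEN_TTL_SECONDS + 1
    print(svc.redeem(stale_id, stale_token))     # None: expired
```

Storing only the hash means a leaked database row cannot be turned into a working link, and `hmac.compare_digest` keeps the token comparison constant-time. A mismatched token deliberately does not consume the link, so a deployment also needs per-link attempt limiting, which this example leaves out.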
I remember when I joined a biometrics company in 2000 the CTO told us passwords were dead. I said to my friend “I predict 2000 will be the Year of the Password. 2001 too”. I feel just as confident today when I declare that 2021, 2022, and 2023 will also be Years of the Password.
I love passwords. Replacing something simple and free with something convoluted that requires a lot of money and effort isn’t always a good idea, even if the convoluted method is ‘better’.
I’ve heard Passwords are dead for years but we aren’t done with them yet. The authentication methods themselves are vulnerable and the most prominent one is email. So you have to have an email password at the very least and you better have authentication on that too.
Bio metrics were supposed to replace the need for passwords. I’m on my fourth or fifth device with a finger print reader and I still need to enter my password most of the time.
Has anyone been successful in changing a compromised fingerprint?
Not only do I not feel safer by using magic links: sorry, but without email how do you get your magic link to create your first email account? (Probably you would use a password for this one? Or a password-free mailbox such as yopmail, hence the risk someone might get to that link before you?) But isn’t it less “GREEN-IT” to increase the number of emails? Also, for short sessions where you need to relog every 15 min, wouldn’t that make it even worse?
Sorry, might be me, but I’m not convinced…
Uservoice switched to Magic.link last February. Feedback was negative enough that they are working on restoring a standard password option:
https://feedback.uservoice.com/forums/1-general-feedback/suggestions/42694073-drop-the-new-passwordless-email-based-login-system
I gave it a try but never liked it. The context switch from web browser to email, then the wait for the email to arrive, is painful. I was actively researching alternatives when they finally announced they were going to switch back.
Wrong, this is maybe a problem of yours, but not of others. When you are too n00bish to protect yourself, of course YOU will buy some extra authentication security aka. snake oil, ridiculous at least.
“Every password can be compromised.”
Seeing as we just raised $543M series A funding to rid the world of passwords, I’m certainly in the “passwords are dead” group. With that kind of investment, a lot of other smart people are there as well.
This just seems to be taking the same road as a lot of other technology of “Let’s make it easier for dumb people” when all it really does is make it more difficult for everyone. Lose your email? Great now you’ve lost everything. Lose your device? Great now you’ve lost everything. If the only place a password lives is inside of my head then you’re going to have to brute force it or steal it. The solution is to leave security up to the individual and prevent brute force attacks and leaks to the best of your ability. As others have said, this is nothing but snake oil.
I use the Little Pieces of Paper system, although some passwords are stored in the browser also. The email passwords are not in the browser, they are securely stored in my head, and the banking passwords, and I regularly practice them. Important accounts also have 2FA to my phone. I don’t sync the browser to anything, or allow it to save its info anywhere else. I only use email on my home PC, which has a wired connection and never leaves the house. I don’t use apps on phone or tablet except for ebook / library and some music. My spam folder gets about 3 messages a month and that’s about how many fake phone calls I get also. Success? Why can’t we uniquely identify a person yet? “*Call on God, but row away from the rocks.*”
… to everyone in debate about an easier more secure way for authentication …
In a remote hidden away part of the web is an old security researcher who has been plunking away at the worlds security problems for decades.
Steve Gibson is his name and he has developed many incredible free applications like SQRL.
https://www.grc.com/sqrl/sqrl.htm
My ThinkPad uses a fingerprint biometric, which works great until I come back from climbing and the fingerprint reader fails completely. So it makes me wonder if all biometric gatekeeper methods have an Achilles heel.
You have coined a new phrase: “Achilles Finger”!
E-mails require actual access to the e-mail account that can be compromised or just stolen.
Biometrics are prone to fail and once compromised can’t be changed.
SMS on phone can be diverted or the phone can simply be stolen too.
Passwords are the least of all evils.
I think the solution finally is going to be: embed hundreds of RFID chips all over your body, and you are recognized if about 90% of them are pinged. You would of course have to wear an RF shielding trench coat, then flash it open to be recognized. And sunglasses to avoid retina scans… Hey, The Matrix!
Good tools are intuitive and safe, not much documentation is needed. You do need to know all it can do, but context appropriate hints are enough for good apps.
And yet Stack Overflow uses passwords, with no support for OpenID or any kind of 2FA. The only other options are the two most privacy-invading companies. Doesn’t this article seem hypocritical?