NoPassword


Sep 24, 2012

I’m stoked to announce NoPassword, a Rails engine for authentication that is based on email and sessions, not passwords. Check out the demo.

The idea behind the project is that for most sites, passwords aren’t necessary. You can just email someone a link when they want to log in. Other people have talked about this idea – check out Ben Brown’s article Is it time for password-less logins?.

The intuition is that while it’s generally pretty easy to steal someone’s password through phishing or brute-force guessing, a session cookie stored in the browser (properly protected with SSL and XSS defenses) is relatively tough to get at. Passwords are also painful for people to choose and remember. NoPassword factors out the password from the registration and login process.

You can easily log in from your phone or tablet, as long as you can get email on those devices. Plus, NoPassword has a built-in session viewer where people can see where, and from what device, they’re logged in.

Yes, logging in by waiting for an email and clicking a link does take longer than entering a password. But you should only have to do this once per device. Unless you’re constantly letting other people use your computers (and logging out of your email client each time), you’re golden.
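To make the email-link flow and the session viewer concrete, here is an added sketch in plain Ruby; it is not NoPassword's own code. The class name, the in-memory hashes and the 15-minute link lifetime are assumptions made for illustration.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory store; a real app would persist these rows.
class MagicLinkLogin
  TOKEN_TTL = 15 * 60 # seconds; assumed lifetime for an emailed link

  Session = Struct.new(:id, :email, :user_agent, :ip, :created_at)

  def initialize
    @pending  = {} # SHA-256(token) => { email:, expires_at: }
    @sessions = {} # session id => Session
  end

  # Returns the raw token to embed in the emailed URL. Only its digest is
  # kept, so a leaked table does not contain usable login links.
  def issue(email, now: Time.now)
    token = SecureRandom.urlsafe_base64(32)
    @pending[digest(token)] = { email: email.downcase.strip, expires_at: now + TOKEN_TTL }
    token
  end

  # Exchanges a token for a session. The token is deleted on first use,
  # so replaying the link (from mail logs, browser history) fails.
  def redeem(token, user_agent:, ip:, now: Time.now)
    entry = @pending.delete(digest(token.to_s))
    return nil if entry.nil? || now > entry[:expires_at]

    session = Session.new(SecureRandom.hex(32), entry[:email], user_agent, ip, now)
    @sessions[session.id] = session
  end

  # Data behind a "where am I logged in" view for one account.
  def sessions_for(email)
    @sessions.values.select { |s| s.email == email.downcase.strip }
  end

  # Lets a user kill a session they do not recognise.
  def revoke(session_id)
    !@sessions.delete(session_id).nil?
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

The session id returned by `redeem` is what would go into the browser cookie, which should be marked Secure and HttpOnly to get the SSL and XSS protection mentioned above.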

NoPassword is a Rails Engine so it can be reused easily in Rails applications – check out the GitHub page for more details.