
Consider the following common security scenario:

  1. I need to log in with an email and password.
  2. I can't remember my password so I click "forgot password".
  3. Website emails me a password reset link.
  4. I can gain access to my account using only my email.

This is common on many websites. Commonly it is suggested to not use the same password on every website, but this has the obvious issue of making it hard to remember passwords. Now, consider a parallel scenario whose security I believe to be equivalent:

  1. I need to log in with an email.
  2. Website emails me a one-time password (randomly generated string with sufficient entropy).
  3. OTP is valid for a short amount of time (< 5 minutes).
  4. I can gain access to my account using only my email.

This scenario has two major advantages. One, there is no longer a need to remember a password for the website. Two, the website is no longer storing password-related info (of course hashing and salting is recommended, but we all know that some websites will not do this).

Why use passwords at all?

  • why not just use "password" as a password an enable 2FA on the site? – dandavis Feb 02 '20 at 04:02
  • 3
    Does this answer your question? [If I include a Forgot Password service, then what's the point of using a password?](https://security.stackexchange.com/questions/12828/if-i-include-a-forgot-password-service-then-whats-the-point-of-using-a-passwor) – Michael Snook Feb 02 '20 at 04:49
  • you might want to google "multi-factor authentication" – Soutzikevich Feb 02 '20 at 06:00
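The email-only flow the question describes still has server-side state that needs the same care as a password: the one-time code must be high entropy, stored only as a hash (so a database leak does not hand out live login codes), expire within the stated window, work exactly once, and tolerate only a handful of wrong guesses. The following is an added example written for this page, not code from the asker or from any site mentioned; the in-memory store, the `EmailOtpService` class and the injectable `clock` are assumptions for illustration, and actually sending the email is left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # the "< 5 minutes" validity window from the question
MAX_ATTEMPTS = 5        # wrong guesses allowed before the code is discarded


@dataclass
class PendingOtp:
    token_hash: bytes   # SHA-256 of the code; the plaintext is never stored
    expires_at: float   # absolute time (seconds) after which the code is dead
    attempts: int = 0   # verification attempts made against this code


class EmailOtpService:
    """Issue and verify single-use, time-limited login codes keyed by email."""

    def __init__(self, clock=time.time):
        # clock is injectable so expiry can be tested without sleeping
        self._clock = clock
        self._pending = {}  # email -> PendingOtp (a real service would use a DB)

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, email: str) -> str:
        """Create a fresh code for this email and return it for delivery.

        256 bits from the OS CSPRNG is far beyond what could be guessed in a
        five-minute window; issuing again replaces any earlier pending code.
        """
        token = secrets.token_urlsafe(32)
        self._pending[email.lower()] = PendingOtp(
            token_hash=self._hash(token),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return token  # caller emails this; the service keeps only the hash

    def verify(self, email: str, token: str) -> bool:
        """Return True exactly once for the current, unexpired code."""
        key = email.lower()
        rec = self._pending.get(key)
        if rec is None:
            return False
        if self._clock() > rec.expires_at:
            del self._pending[key]          # expired codes are removed, not kept
            return False
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            del self._pending[key]          # too many guesses: force re-issue
            return False
        # constant-time comparison of hashes avoids timing side channels
        if hmac.compare_digest(rec.token_hash, self._hash(token)):
            del self._pending[key]          # single use: consume on success
            return True
        return False


def demo() -> dict:
    """Walk through the normal path, replay, expiry and guess limiting."""
    now = [1_000_000.0]
    svc = EmailOtpService(clock=lambda: now[0])

    code = svc.issue("user@example.test")          # constructed sample address
    first = svc.verify("user@example.test", code)   # valid code, first use
    replay = svc.verify("user@example.test", code)  # same code again

    code = svc.issue("user@example.test")
    now[0] += OTP_TTL_SECONDS + 1                    # jump past the window
    expired = svc.verify("user@example.test", code)

    code = svc.issue("user@example.test")
    for _ in range(MAX_ATTEMPTS):
        svc.verify("user@example.test", "not-the-code")
    after_guesses = svc.verify("user@example.test", code)

    return {"first": first, "replay": replay,
            "expired": expired, "after_guesses": after_guesses}


if __name__ == "__main__":
    print(demo())
```

The hash-only storage is what answers the asker's second point: a leaked table of pending codes is useless without the plaintext that went out by email, and because each code dies after one use or five minutes, the window in which a leaked inbox can be turned into an account login is bounded to the same window as any password-reset email.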
