Online blogging platform Medium announced this week a new way to log into its website, without having to use a password. Instead, users will be able to enter an email address, then click a link sent to them in order to sign in to the site. Previously, the company allowed its users to sign in using their Twitter or Facebook credentials, but it received feedback from many who said they wanted an option to use Medium without having to authenticate with their social networking credentials. Or, in some cases, users said they didn’t have a Facebook or Twitter account, and didn’t want to create one just to use Medium.
While many companies offer an email-based login alternative to signing in using social networking account information, Medium’s approach is different. It’s basically ditching the requirement for users to come up with a secure password, remember it, then enter it each time they sign in to the blogging site.
This method, the company claims, is more secure.
Medium notes in a blog post announcing this change: “Passwords are neither secure nor simple. They’re hard to remember or easy to guess, everyone re-uses them (even though they know they shouldn’t), and they’re a pain to type on mobile. They don’t even keep you that safe.”
The password-free login is not replacing Facebook or Twitter authentication – those sign-in options remain available. But for people who want to use their email to sign in or sign up for Medium, it’s the only other choice offered.
The email login process itself is simple enough, if only a bit more inconvenient due to having to switch between browser tabs to access your inbox (or launch your email client) then locate the email Medium has sent and click the provided link. If you’re used to using a password manager like LastPass or Dashlane, for example, Medium’s password-free login means you’ll have to go through extra steps to authenticate with its website in order to use an email login. But for those who simply try to remember their passwords as they navigate the web, the password-free option is fairly clever and may even be a more welcome approach.
This is not the first time a consumer-facing Internet company has offered a password-free login option. Instapaper, for example, implemented password-free registrations years ago. But more recently, most companies introducing password-free logins do so by taking advantage of SMS, not emailed links. In March, for instance, Yahoo rolled out a new way to sign in with its introduction of on-demand passwords, which are texted to users’ mobile phones as needed. This is perhaps more cumbersome than Medium’s emailed links, however, because users would then have to type in the password they received via text into the website, instead of just clicking a link.
However, some security experts said that these sorts of SMS-based passwords aren’t safer than the one-time passwords generated using authentication tokens or other strong authentication schemes like cryptographic smart cards, and instead provide users with the “illusion of increased security.” Similarly, experts will likely claim that emailed links aren’t significantly safer either, citing the fact that email itself isn’t really a secure form of communication for a variety of reasons – plus, anyone with access to your inbox could then click the link and take over your Medium account.
That being said, Medium’s emailed links aren’t active indefinitely – they’re only live for 15 minutes and can only be used once.
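The two properties described above (a 15-minute lifetime and single use) can be enforced server-side as in the following added example, which is not Medium's code. The class and method names are hypothetical, an in-memory dict stands in for a database table, and revoking older links when a new one is requested is an assumption the article does not state.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 15 * 60  # the 15-minute lifetime stated in the article


class MagicLinkStore:
    """In-memory stand-in (hypothetical) for a table of pending sign-in links."""

    def __init__(self, ttl=LINK_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._pending = {}   # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Create a token for `email`; the caller embeds it in the emailed URL."""
        # Assumption (not in the article): a new request revokes older unused links.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != email}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Only the digest is stored, so a leaked table holds no usable links.
        self._pending[self._digest(token)] = (email, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the email the token signs in, or None if it must be rejected."""
        # pop() consumes the entry on first presentation (single use),
        # whether or not the expiry check below then passes.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None  # unknown, already used, or revoked
        email, expires_at = entry
        if self._clock() >= expires_at:
            return None  # older than the TTL
        return email
```

Because the token is the only credential in the link, this check limits the replay window but does nothing about the inbox-access risk raised in the previous paragraph.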
The email option is live now on Medium.com, which offers a free blogging service that competes with sites like Tumblr, WordPress.com and Blogger. The company also notes the new password-free method will work today for users on its iOS app, while Android support for email sign-in is coming soon.