DEV Community


Discussion on: The Password Struggle

minkovsky profile image

My electricity provider uses a system where instead of a password, I can have a one-time link emailed to me to log in. Sure it takes a fair chunk of time compared to a password autofill, but I actually managed to never set a password with them and always use the OTP. Why? Because I believe that demonstrating control over a certain known identity provider is much more secure than demonstrating knowledge of a secret. And I trust Google a lot more to keep my account secure against other people who aren't Google than my electric company, for whom backend development and infosec aren't core parts of the business. I like this approach.

Anecdotally - at my previous workplace, there was a handful of customers who habitually used the 'reset password' option instead of remembering their password. The audience of the product was not what you might stereotype as super tech-savvy but I have a feeling they knew more than they let on.

And finally, Mozilla has a little known project to offer this type of OTP-by-email as a service that you can either host yourself or use their public instance for testing: