Every time the user wants to log in, they will just submit the email and the system would send a unique login link and add a cookie which will keep the session active for, say, a month. If this is the first time, a new account will be created and in all subsequent attempts the user will be sent login links to the email they enter.
What do you think of this approach?
And if the email is hacked, all the accounts are accessible too easily.
User psychology plays a huge factor when it comes to user acceptance. Why the round trip to my email every time I want to get in? The majority of people's brains ain't wired like that. The approach is cool for an easy-to-access email domain like Gmail and the like; if I register with some kind of company secure email that only works when accessed from a certain location, then what?
Sounds cool at first but I am really failing to see solid pros to using this approach.
As mentioned, not a big fan of this. Medium does this right now and I am not a big fan of this ;)
I completely agree with the points made by @hugollm and @maruru. Make sure the user is aware of how the system works, and do keep in mind all the steps that may make it harder for certain users.
Thus, I don't think that this system should replace password logins completely because it's great in certain cases (especially mobile) but in others you really prefer to just type in a password or have a password manager do an auto login. I like how sites like Medium and Slack offer password-less logins but don't completely use it to replace their password login system.
From personal experience, I love using password-less login for Slack on my phone. Whenever I am adding a new account, it offers to send a "magic link" to my email and since I already get notifications on my phone, I just open the email and click the link. If for some reason I don't have email set up or am having issues, I can just type the password as usual.
I can't really answer for how the users react to those. But I can tell you about my experience, not long ago.
I came across a library that does exactly that, and the page had a login demo, with just a field: the email. I like VERY much the idea of registering with only the email at first, completing the info afterwards. However, after logout I tried to log in again and was presented with the same form.
I got really confused, as if my account had been lost and I had to register again. It took me a while to realize what was going on, and I'm a web developer.
Bottom line: if you're gonna do it, make sure your users know what's going on. And beware that many users don't have the habit of opening emails often. This could be an even bigger hassle for them than defining a strong password.
Your idea is very interesting, but has one big flaw: It's too complex and time-consuming for a user.
At this point, I, as a user, would have left your service for good. Look at all those extra steps... When I have to enter a password, I enter the password and BAAAM, logged in. I additionally can use a password manager. That way I won't even have to remember that 36 character long thing of a password.
Josh Baker
What happens when someone decides to attempt a login on every email they can find? How do these systems avoid being immediately blacklisted by email servers?
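The flow proposed in the opening post, together with a per-address send limit of the kind the last question points at, as an added example that is not code from any poster or from the sites mentioned in the thread. The class name, the 15-minute link lifetime and the limit of three links per hour are assumptions; the throttle only caps mail to a single address and does nothing about requests spread over many different addresses.

```python
import hashlib
import secrets
import time

LINK_TTL = 15 * 60             # assumed: a login link is valid for 15 minutes
SESSION_TTL = 30 * 24 * 3600   # "say, a month", as in the opening post
MAX_LINKS_PER_HOUR = 3         # assumed per-address throttle

class MagicLinkAuth:              # hypothetical name, in-memory storage only
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = set()        # verified email addresses
        self.pending = {}         # sha256(token) -> (email, expires_at)
        self.sent = {}            # email -> timestamps of links sent
        self.sessions = {}        # session id -> (email, expires_at)

    def request_link(self, email):
        """Return the token to put in the mailed link, or None if throttled."""
        email = email.strip().lower()   # assumption: addresses compared case-insensitively
        now = self.clock()
        recent = [t for t in self.sent.get(email, []) if now - t < 3600]
        if len(recent) >= MAX_LINKS_PER_HOUR:
            return None                 # do not send more mail to this address
        self.sent[email] = recent + [now]
        token = secrets.token_urlsafe(32)           # unguessable, from the CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (email, now + LINK_TTL)  # store only the hash
        return token

    def redeem(self, token):
        """Exchange a link token for a session id (the cookie value), or None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)      # pop makes the link single-use
        if entry is None or self.clock() > entry[1]:
            return None
        email = entry[0]
        self.users.add(email)     # account exists only once the address is proven
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (email, self.clock() + SESSION_TTL)
        return sid

    def session_email(self, sid):
        """Return the logged-in address for a session cookie, or None if expired."""
        entry = self.sessions.get(sid)
        if entry is None or self.clock() > entry[1]:
            return None
        return entry[0]
```
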