Indiid.net lets you choose the sort of credentials you’ll use to log in. You can use a password or pick from a variety of other credential types. The default credential type for new accounts at Indiid is called “Passphrase Message”. You’ll get one of these if you don’t choose anything else when you sign up for an account. When you need to authenticate we’ll send you a message containing a short passphrase (a password made up of separate words). Type or paste this in to the password field and you’ll be able to log in.
At first glance this seems like a terrible idea. Emails aren’t secure! This is absolutely true, and Passphrase Message is Indiid’s weakest credential type. But it’s also more secure than most credentials used elsewhere. Here’s why:
You can’t choose a bad password because Indiid chooses the passphrases for you. You don’t have to use a simple password that you can remember because you’ll get a new password each time.
The passphrases are very short-lived and we limit the number of failed login attempts. It’s very unlikely that an attacker could guess a password with a couple of login attempts. Most normal password databases are much more vulnerable to guessing.
We don’t keep the passphrase in a database for more than a few minutes. If the worst occurs and the passphrases are leaked there would be very little for criminals to bulk-download and crack using millions of brute-force attempts. The temporary passphrase is encrypted using a slow Bcrypt hash, so it will have vanished from the database a long time before it’s cracked.
Email messages can be intercepted, but as most website accounts already use email for resetting forgotten passwords Passphrase Message is actually no worse than normal. Most large email providers are now switching to encrypted connections so messages are better protected when they’re being transmitted.
For the many people who struggle to remember passwords Passphrase Message is both more convenient and more secure than what they currently use elsewhere.
You can improve the security of Passphrase Message by combining it with a second factor such as Google Authenticator or a Yubikey. It will also soon be possible to tighten up the security of Passphrase Message by encrypting the email content, or by using alternatives to email such as Jabber/XMPP or mobile notifications.
That said, we’d still prefer our users to choose something better than Passphrase Message. In fact, some destination websites will automatically demand stronger credentials, so even if you normally log in with Passphrase Message you’ll need another credential to access them.
We recommend adding or switching to another type of credential when you feel ready - there’s already quite a few to choose from.
Passphrase Message was our most-requested credential type when we were first designing Indiid.net, soon after Ben Brown wrote two blog posts Is it time for password-less login? and More on password-less login. The Ruby NoPassword gem implements something similar. We also had feedback from early users who admitted rarely using a password more than once without forgetting and resetting it, so paving the cowpath seemed like a good approach.