Blogging platform Medium thinks it has come up with a really clever idea.
But I’m not so sure.
In a blog post, the site – which has previously allowed users to access Medium via Twitter or Facebook social logins – is introducing a new system that will allow you to log into Medium using your email address, but without requiring a password.
Today, we’re pleased to offer sign in and account creation on Medium using only your email address.
Authentication is serious business. We wanted to make our sign in process as secure and simple to use as possible, across all platforms. Passwords are neither secure nor simple. They’re hard to remember or easy to guess, everyone re-uses them (even though they know they shouldn’t), and they’re a pain to type on mobile. They don’t even keep you that safe.
Let’s look at that bit by bit:
Passwords are neither secure nor simple.
Well, they can be – with a good password manager.
They’re hard to remember or easy to guess
Not true – if you use a good password manager.
everyone re-uses them (even though they know they shouldn’t)
No they don’t. Okay, so a lot of people do unwisely re-use passwords. But a good password manager can prevent that.
they’re a pain to type on mobile
Umm... no, they don’t have to be. If (yes, you guessed it) you use a good password manager.
So, now I’ve successfully debunked those opinions by Medium, let’s look at how the site says its email-only authentication will work:
When you want to sign in to Medium, we’ll send you an email that contains a special sign in link. Clicking on that link will sign you in. That’s all there is to it. If you’ve ever used a “forgot password” feature, it works a lot like that, except you don’t have to forget a password to use it.
In other words, if your email account is ever hacked, the bad guys now have access to your Medium account too: anyone who can read your inbox can request a sign-in link and click it.
And if you ever leave your computer unlocked and unattended with your inbox open, a passer-by could request a link, click it, and access your Medium blog as well.
I would say that that’s not a terribly sensible move by Medium.
Yes, too many internet users choose poor passwords, or reuse them on multiple sites.
But I think Medium would have done better to promote the use of password managers and some form of two-factor authentication rather than trying to kill off passwords entirely.
If they really wanted to offer higher levels of security they could require an additional authentication step when they see a blogger signing in from somewhere unexpected – or from a device that hasn’t been used for the purpose before.
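To make concrete both the “forgot password”-style flow Medium describes and the step-up check suggested above, here is an added example written for this page; it is not Medium’s code, which the announcement does not show. The link id and secret, the 15-minute lifetime, the binding of a link to the browser session that requested it, and the per-account list of known devices are all assumptions made for the example, and the email address and session ids are constructed test data.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumption for this example: a link is valid for 15 minutes and carries both
# values in its URL, e.g. https://example.invalid/signin?id=<link_id>&t=<token>
LINK_TTL_SECONDS = 15 * 60


@dataclass
class PendingLink:
    email: str
    token_hash: bytes         # SHA-256 of the secret; the secret itself is never stored
    requesting_session: str   # id of the browser session that asked for the link
    expires_at: float
    used: bool = False


def _hash_token(token: str) -> bytes:
    # Store only a hash so a leaked table of pending links yields nothing usable.
    return hashlib.sha256(token.encode()).digest()


class MagicLinkService:
    """Issue and redeem single-use, short-lived sign-in links."""

    def __init__(self, clock=time.time):
        self.clock = clock                             # injectable for testing expiry
        self.pending: dict[str, PendingLink] = {}      # link_id -> PendingLink
        self.known_devices: dict[str, set[str]] = {}   # email -> device ids seen before

    def request_link(self, email: str, session_id: str) -> tuple[str, str]:
        """Create a link for `email`; returns (link_id, secret) to embed in the emailed URL."""
        link_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)              # 256 random bits: not guessable
        self.pending[link_id] = PendingLink(
            email=email,
            token_hash=_hash_token(token),
            requesting_session=session_id,
            expires_at=self.clock() + LINK_TTL_SECONDS,
        )
        return link_id, token

    def redeem(self, link_id: str, token: str, session_id: str, device_id: str) -> tuple[str, str]:
        """Validate a clicked link. Returns (outcome, detail) with outcome
        'ok', 'step_up' (second factor required) or 'reject'."""
        rec = self.pending.get(link_id)
        if rec is None:
            return "reject", "unknown link"
        if rec.used:
            return "reject", "link already used"
        if self.clock() > rec.expires_at:
            del self.pending[link_id]
            return "reject", "link expired"
        if not hmac.compare_digest(rec.token_hash, _hash_token(token)):
            return "reject", "bad token"
        # Assumed hardening: the link only works in the browser that requested it,
        # so a link lifted from a compromised inbox and opened elsewhere fails here.
        if not hmac.compare_digest(rec.requesting_session.encode(), session_id.encode()):
            return "reject", "opened in a different browser than it was requested from"
        rec.used = True                                # consumed before any further decision
        # Unfamiliar device: do not sign in yet, demand a second factor first.
        if device_id not in self.known_devices.get(rec.email, set()):
            return "step_up", rec.email
        return "ok", rec.email

    def complete_step_up(self, email: str, device_id: str) -> None:
        """Called once the second factor succeeds; remember the device for next time."""
        self.known_devices.setdefault(email, set()).add(device_id)
```

The expiry, single-use flag and hashed storage bound how long a stolen or leaked link is worth anything, and the session binding means the link has to be opened where it was asked for. None of that helps against the case the post is worried about: someone who already controls the inbox, or is sitting at the unlocked machine, can simply request a fresh link from that same browser. Only the step-up on an unrecognised device, the final check in `redeem`, gives the account a second line of defence there.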
If you’re going to reinvent your login system, why not maximise its security?
Don’t get me wrong – I like that Medium appears to be no longer requiring users to own a Twitter or Facebook account. But I think they’ve gone the wrong way about opening up the service to other internet users. It seems a backward step not to also allow those users capable of choosing complex, hard-to-crack, unique passwords to opt for the traditional email/password method.
What they’ve done means that your Medium account is now only as secure as your email inbox. I hope you’re doing a good job of protecting that.