Medium launches password-less sign ins: good or bad?

The publishing platform Medium announced today that it has improved sign-up options for users of its service.

It added an option to sign-up via email besides options to sign-up using a Facebook or Twitter account.

Instead of linking Twitter or Facebook accounts to the Medium account, it is now possible to use any email address to sign up and create an account instead.

While this should have been an option from the start in my opinion, it is not really that newsworthy despite Medium's popularity.

The implementation on the other hand is, and that is why you are reading this article right now.

Medium made the decision to do away with passwords on the service and rely solely on the email address used to sign up instead.

To sign-up you simply enter the email address, get a verification email, follow the link posted in it, enter your name, pick a username and you are done.

Sign-ins work exactly the same way. You click on the sign in link on the Medium website, enter your email address, get an email with a link, follow it and are signed in.

You don't create a password during account creation nor do you enter it anywhere on the site. The whole account and login process for it is linked solely to the email account you have selected during sign up.

Why did Medium implement the system?

According to the company, their way of letting users sign in is more secure than using passwords. First, it is very similar to the "forgot password" option that most web services support that use email to create a new password in case users cannot sign in anymore with the old.

Second, it prevents users from using the same password on multiple sites, and attackers from gaining access to accounts by trying email and password combinations they got hold of on popular sites since part of the Internet community reuses passwords a lot.

Lastly, the sign in link is set to expire after 15 minutes and for one use only.

Is it really more secure / convenient?

It depends on the perspective. Email is probably not the best way of sending those links. While they expire quickly, they are transferred as plain text which means that anyone listening in can intercept them to gain access to the account.

While the process is indeed identical to the "forgot password" option, it is used frequently while forgot password is not usually.

As a user who picks secure unique passwords for each service, and uses additional security measures such as two-step verification whenever possible, it is fair to say that this is not more secure.

For the average user on the other hand it may be.

As far as convenience is concerned, it too depends on the user. If you tend to forget passwords a lot, or have to sign in from all kinds of places without using a password manager, then you may benefit from this.

As a user who does not, it seems inconvenient to check emails each time you want to sign in to Medium, and that is not even considering spam flags and other issues, for instance email provider issues that prevent access to the account for a period of time.

Last but not least, it means that your data is not protected by a password that only you know. It is unclear how Medium protects user data on its servers, and it may not be a big issue for the service considering what it offers.

Now You: What's your take on the new sign-in method?