Custom user accounts without passwords?

Are there any potential threats in using a simplified/custom-made user accounts system without passwords instead of the built-in User Accounts with passwords?

The idea is to bind/identify the user only by a custom connection token, which is generated and sent to email and strictly bound to the user’s email (to the extent that it is re-generated and re-sent every time the user connects with a new browser/device).

This might solve 2 tasks:

  1. Automatically limits the number of logins per account (yet this seems to be manageable with the built-in User Accounts)
  2. Simplifies login, as by following the received URL you get logged in immediately without the need to enter and remember a password…

The identifier might be a token stored in cookies/local storage or in a database, and matched against / generated from the connectionId, for example…

I know it might sound like reinventing the wheel, but just wonder what can go wrong with this approach…

I don’t see why that should be a problem. Packages with social media logins don’t use any e-mails. So you would start with just the core accounts package. I would look at how the e-mails are stored by the accounts-password package (an array of objects to allow for multiple e-mails, and each e-mail has additional info stored in the object like validation date, etc.) and copy that approach to preserve compatibility; then you can build your functionality as you like.


I have been exploring the topic further and found out an article that surprisingly mirrors my understanding of the topic: https://medium.com/@ninjudd/passwords-are-obsolete-9ed56d483eb

Maybe we already have a package that does passwordless login that is bound to email?

I think this might be what you are looking for: https://github.com/poetic/accounts-passwordless

This package allows you to login users without asking for a password. Authentication is handled using tokens distributed via email. The package exposes an additional login object within the Accounts.emailTemplates config for customization. The config options can be found in Meteor’s email templates docs.

In addition, this package exposes the core accounts-base, accounts-ui, and accounts-password packages.


Sometimes one has to ask on the forum rather than go directly to Atmosphere to search for a package… :) Thank you. This seems exactly what I was looking for, and since it creates actual Meteor users, if there is an actual need to upgrade accounts to passwords, this might be done rather efficiently as well… Will try and see how it works…


Yes, it can save time to leverage the knowledge of others. Like a swarm brain :)
