Thursday, May 21, 2015

Passwordless Login Done Right

Imagine you want to try the service offered by a site, but you have to log in to do so. It is the first time you have arrived on this site and of course you don't have an account. To get one, you have to sign up. Assuming the site doesn't offer the option to sign up with Facebook, Twitter, Google or another OAuth provider, you'll most probably end up filling in around 984375983475375345 fields, many of them mandatory. Even if it does offer the OAuth option, what happens when you're on a public computer? Would you want to log in to your favorite OAuth provider on a computer you don't trust?

How many times have you gone through this? How many potentially good sites do you think you have missed because the barrier imposed by the signup process was too high?
If you're a developer, how many users do you think you've lost because they gave up before even trying your service?

It is 2015; things should be much simpler. Imagine the following scenario:

1. You visit the same site as above and are presented with a login screen that consists of only one field. You enter a username and press Login.
2. A notification pops up on your phone asking whether or not to allow the login. You press Allow and that's it. You're in.

Well, the above scenario is not science fiction anymore.
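The two-step flow described above, as an added example that is not unloq's code (the page does not document unloq's protocol, and unloq may well do things differently): a server that issues a single-use, time-limited challenge the moment a username is submitted, a phone that approves by signing exactly what it displayed using a key enrolled when the app was set up, and the checks that make a captured, tampered, forged or stale approval useless. A shared HMAC key is assumed for the enrolled secret (a per-device asymmetric key would be the stronger choice in a real product); the service name, usernames and browser session ids are made up.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a pending login request stays approvable


def challenge_message(challenge):
    """Bytes covered by the phone's approval: what the phone shows the user
    (service, username) plus the nonce and expiry, so it can't be moved."""
    fields = ("service", "username", "nonce", "expires")
    return "|".join(str(challenge[k]) for k in fields).encode()


class Device:
    """The user's phone: holds a secret enrolled at setup (a shared HMAC key
    is assumed here) and approves a login by signing what it displayed."""

    def __init__(self, device_key):
        self._key = device_key

    def approve(self, challenge):
        # A real app runs this only after the user taps "Allow" on a screen
        # showing challenge["service"] and challenge["username"].
        return hmac.new(self._key, challenge_message(challenge), hashlib.sha256).digest()


class LoginServer:
    def __init__(self, service):
        self.service = service
        self.device_keys = {}  # username -> enrolled device key
        self.pending = {}      # nonce -> (challenge, browser session)
        self.sessions = {}     # browser session id -> logged-in username

    def enroll(self, username, device_key):
        self.device_keys[username] = device_key

    def start_login(self, username, browser_session, now=None):
        """Step 1: browser submits only a username. Issue a single-use,
        time-limited challenge bound to that browser session; the returned
        copy is what gets pushed to the enrolled phone."""
        if username not in self.device_keys:
            return None
        now = time.time() if now is None else now
        challenge = {
            "service": self.service,
            "username": username,
            "nonce": secrets.token_hex(16),
            "expires": int(now) + CHALLENGE_TTL,
        }
        self.pending[challenge["nonce"]] = (challenge, browser_session)
        return dict(challenge)

    def finish_login(self, nonce, signature, now=None):
        """Step 2: the phone's approval arrives. Check it against the server's
        own copy of the challenge, then log in the session that started it."""
        now = time.time() if now is None else now
        entry = self.pending.pop(nonce, None)  # pop: one approval per challenge
        if entry is None:
            return False
        challenge, browser_session = entry
        if now > challenge["expires"]:
            return False
        key = self.device_keys[challenge["username"]]
        expected = hmac.new(key, challenge_message(challenge), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        self.sessions[browser_session] = challenge["username"]
        return True


def demo():
    """Run the happy path and four failure cases; returns what succeeded."""
    server = LoginServer("example.com")  # made-up service name
    phone_key = secrets.token_bytes(32)
    server.enroll("alice", phone_key)    # done once, when the app is set up
    phone = Device(phone_key)
    r = {}
    # Username only, tap Allow on the phone, browser session is logged in.
    ch = server.start_login("alice", "browser-1")
    r["legit"] = server.finish_login(ch["nonce"], phone.approve(ch))
    r["session_user"] = server.sessions.get("browser-1")
    # Replaying the captured approval fails: the nonce was consumed.
    r["replay"] = server.finish_login(ch["nonce"], phone.approve(ch))
    # Someone in the push path rewrites the challenge before the phone shows
    # it; the phone signs what it displayed, so the server's check fails.
    ch2 = server.start_login("alice", "browser-2")
    r["tampered"] = server.finish_login(ch2["nonce"], phone.approve(dict(ch2, service="examp1e.com")))
    # Knowing the nonce without the enrolled key is not enough.
    ch3 = server.start_login("alice", "browser-3")
    r["forged"] = server.finish_login(ch3["nonce"], Device(secrets.token_bytes(32)).approve(ch3))
    # Approvals that arrive after the TTL are rejected.
    t0 = 1_700_000_000
    ch4 = server.start_login("alice", "browser-4", now=t0)
    r["expired"] = server.finish_login(ch4["nonce"], phone.approve(ch4), now=t0 + CHALLENGE_TTL + 1)
    return r
```

Calling demo() returns which attempts got a session: only the fresh, untouched, correctly keyed approval does. Two things worth noticing in the model. The server verifies against its own stored copy of the challenge and never trusts anything the phone sends back, which is what makes tampering between service and phone fail closed rather than silently succeed. And the username field is not a secret, so the phone and the key it holds are the only real factor; whatever protects the phone (device unlock, an app PIN) is what protects the account.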


Once you have the unloq app installed and configured on your smartphone, you can log in to any website that implements the unloq system without using a password.
As a website developer, you can present your users with a login screen that looks like this:
[Screenshot: passwordless login and signup screen with unloq]
You may have heard before that passwords are obsolete. Now we have the technology that combines security with an intuitive user experience. Basically, once the user has the unloq app installed and configured, this is a very secure, two-factor, foolproof login system. unloq is still in beta.

Although not everything works as smoothly as it could right now, unloq is usable. The people working on it are open to suggestions and are working hard to implement them.

Give unloq a try and tell me in the comments whether you think it is as cool as I think it is.


  1. What happens if a) they don't have their phone with them or b), as is more often the case with mine lately, it's not charged? It also seems that another attack vector has been added, in that there is now an MITM opportunity between the service and the phone. What's the architecture behind this service? Do you have this documented anywhere?

  2. There is also

  3. I recommend LaunchKey ( More security, been around longer, and they have a white label SDK that allows you to run this tech from your own mobile app instead of relying on theirs.