I'm wondering what people think about the idea of using one-time pins (OTPs) for logging in instead of traditional passwords. The concept is to send the user a 6-digit OTP via email or text every time they want to log in. These pins would be valid for 15 minutes, and users would have a maximum of 5 incorrect guesses before the OTP expires. This approach seems convenient since I already manage a ton of passwords across various accounts, and it might reduce security risks since there wouldn't be any passwords stored in a database. For context, I believe this method can be just as secure as traditional password systems since it works similarly to how password reset emails operate. What are your thoughts?
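The scheme described in the question (6-digit code, 15-minute validity, five wrong guesses before the code expires, single use), sketched as server-side verification logic. This is an added example, not code from the original post; the server-side HMAC key, the in-memory store and the injectable clock are assumptions made for the illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6                 # 10**6 possible codes
OTP_TTL_SECONDS = 15 * 60      # code valid for 15 minutes
MAX_ATTEMPTS = 5               # 5 misses of 10**6 codes: ~5e-06 chance of a blind hit per code
# Assumption: a server-side secret so a leaked store alone cannot be brute-forced offline.
SERVER_KEY = b"constructed-example-key-rotate-in-production"


def _tag(code: str) -> bytes:
    """Keyed digest of the code; the plaintext code is never stored."""
    return hmac.new(SERVER_KEY, code.encode(), "sha256").digest()


@dataclass
class OtpRecord:
    tag: bytes
    expires_at: float
    attempts_left: int


class OtpStore:
    """In-memory store, one pending code per user (constructed for the example)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._records: dict[str, OtpRecord] = {}

    def issue(self, user_id: str) -> str:
        # Re-issuing replaces any pending code, so a burned code cannot be retried.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._records[user_id] = OtpRecord(_tag(code), self._now() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        return code              # hand to the mail/SMS sender; nothing else keeps it

    def verify(self, user_id: str, candidate: str) -> bool:
        rec = self._records.get(user_id)
        if rec is None or self._now() >= rec.expires_at:
            self._records.pop(user_id, None)   # missing or expired: nothing to check
            return False
        if hmac.compare_digest(_tag(candidate), rec.tag):
            del self._records[user_id]         # single use: a correct code is consumed
            return True
        rec.attempts_left -= 1
        if rec.attempts_left == 0:
            del self._records[user_id]         # fifth miss burns the code; a new one must be requested
        return False
```

The guess budget is per code: five misses burn it and a fresh request starts a new count, which is the lockout scenario raised in the answers. Rate-limiting the request endpoint itself is a separate control not shown here.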
4 Answers
So with 5 wrong guesses, you could potentially get locked out by just a random attempt? That worries me a bit.
It's crucial to consider that if users can't access their email on the same device, they might struggle to log in. Therefore, it's smart to provide an option to manually enter the code besides just using a link. Also, if someone gains access to your email, they can get into your accounts, which makes this method sketchy if it doesn't require additional factors for verification. And don’t forget about email delays; sometimes that 30 seconds feels like forever when you're trying to log in!
A lot of systems actually utilize methods like this, including what's called a 'magic link' where users click a link in their email that serves as the OTP. While some people enjoy this method, others find it really frustrating, especially those who rely on password managers, as it complicates the process. Plus, since email accounts can be hacked, it's not necessarily safer than standard SMS verification for high-security needs.
Right? It's definitely not fool-proof! Email security is a real issue.
Totally agree! Especially for business contexts, magic links can be a hassle.
I really dislike systems that rely solely on one-time codes. I use a password manager, so logging in normally is just a breeze with auto-fill. But with OTPs, I have to wait for the email or text, which can sometimes take ages. I get it if they want to offer this as a backup, but it shouldn’t replace having an option for passwords!

Yeah, hypothetically that could happen, but if a user reports it, they can look into it and might even block that suspicious IP, similar to how they'd do with a regular password attack.