Automatic login via notification emails?

[Screenshot of a Twitter email notification]

A couple of hours ago, I received a notification email from Goodreads and, unlike usual, I decided to actually visit the site (by the way, I believe that Goodreads, i.e. a last.fm for books, is an awesome idea but poorly implemented). When I did, I was quite annoyed to find out that I wasn’t already logged in, so I had to remember which one of my many passwords I had used for it and try them one by one. This is not a Goodreads fail, but a fairly common nuisance, since most (if not all) social websites behave that way.

“What if there was some magic involved?” Bill Scott & Theresa Neil advise interaction designers to ask themselves in a book I’m currently reading (highly recommended by the way). Well, I guess, if there was some magic involved, the site would “understand” that my click was initiated from an email and would automatically log me in and let me view whatever I was trying to.

What’s the point of asking for a password if the user can prove they have access to the associated email account? Such access is usually all that’s needed for someone to break into an account, theirs or not (via the forgotten password feature). So the password check doesn’t help security much; it just makes things slightly more time-consuming for potential impostors, while turning legitimate users with a weak memory (like yours truly) away from the site.

I’m not sure whether it’s a good or a stupid idea, I’m not really suggesting it, just expressing a thought. :)
I have some concerns myself too:

  1. It’s definitely harder to implement.
  2. All links sent in notification emails must contain some special token, like password reset links do (I’ve never seen it implemented otherwise). The tokens in password reset links expire after a while, so for security reasons these probably should too. And what happens after that? Is a regular login required? Doesn’t this render the whole idea a bit pointless, since notification emails are frequently read 1+ days after they’re sent?
  3. Usually a frequent user receives a bunch of email notifications per day. Isn’t it a bit too risky to have dozens of such powerful emails floating around in your inbox? On the other hand, it doesn’t seem more dangerous than using the “remember me” feature while logging in: anyone who manages to get hold of your laptop for a minute is able to use your account on most social networking sites, one way or another. However, the “remember me” feature is a classic case where usability triumphed over security, at least in cases where the computer isn’t shared.
  4. Thinking of the “remember me” feature gives me another idea: It could be optional and active by default. Perhaps with a link to easily deactivate the feature in every such email. On the other hand, more options = more confusion.
  5. Also, to avoid the issues stated in #3, this feature could be activated only if the user in question was inactive for a while. Frequent users don’t need it that much and even if they did, they don’t run away so easily, so it’s not as crucial.
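To make concerns #2 and #3 concrete, here is an added example (not code from the original post or from Goodreads, OkCupid or any other site mentioned here) of how such a link token could be minted and checked. It uses an HMAC-signed claim set with an expiry, a random nonce for single use, and a limited scope so that an email login never grants the same power as a password login. The secret, the `example.invalid` host, the one-week lifetime and the set of actions a weak session may perform are all assumptions for the demo; a real service would keep the secret in configuration and the used-nonce set in a database.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Tuple

# Assumption: in a real deployment the key is loaded from configuration and rotated.
SECRET = b"rotate-me-this-is-only-a-demo-key"
TOKEN_TTL = 7 * 24 * 3600        # assumed lifetime: notifications are often read 1+ days later
SCOPE = "notification"           # what an email login may do; a password login would get "full"
ALLOWED_WEAK = {"view", "mark_read"}   # assumed set of harmless actions for a weak session


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(user_id: int, destination: str, now: Optional[int] = None) -> str:
    """Mint a signed, expiring, single-use token for one notification link."""
    # Only same-site paths: the link must not become an open redirect.
    if not destination.startswith("/") or destination.startswith("//"):
        raise ValueError("destination must be a same-site path")
    now = int(time.time()) if now is None else now
    claims = {
        "uid": user_id,
        "dest": destination,
        "scope": SCOPE,
        "exp": now + TOKEN_TTL,
        "nonce": _b64e(os.urandom(16)),   # unique per email, so each token is usable once
    }
    body = _b64e(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def notification_link(user_id: int, destination: str) -> str:
    # Always https: a plain-http link hands the token to anyone on the same network.
    return "https://example.invalid/email-login?t=" + make_token(user_id, destination)


class UsedTokens:
    """Replay protection. Assumption: a real service backs this with persistent storage."""

    def __init__(self) -> None:
        self._seen = set()

    def consume(self, nonce: str) -> bool:
        if nonce in self._seen:
            return False
        self._seen.add(nonce)
        return True


def verify_token(token: str, used: UsedTokens, now: Optional[int] = None) -> Tuple[Optional[dict], Optional[str]]:
    """Return (claims, None) on success or (None, reason) on failure."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        # Check the signature before trusting anything inside the body.
        if not hmac.compare_digest(_b64d(sig), expected):
            return None, "bad signature"
        claims = json.loads(_b64d(body))
    except ValueError:           # covers malformed base64, JSON and a missing "."
        return None, "malformed"
    if now > claims["exp"]:
        return None, "expired"
    if claims.get("scope") != SCOPE:
        return None, "wrong scope"
    if not used.consume(claims["nonce"]):
        return None, "already used"
    return claims, None


def allowed(claims: dict, action: str) -> bool:
    """A weak (email) session may only perform the harmless actions; anything else needs a full login."""
    if claims.get("scope") == "full":
        return True
    return claims.get("scope") == SCOPE and action in ALLOWED_WEAK


if __name__ == "__main__":
    store = UsedTokens()
    link = notification_link(42, "/messages/7")
    print(link)
    token = link.split("?t=", 1)[1]
    print(verify_token(token, store))   # (claims, None)
    print(verify_token(token, store))   # (None, 'already used')
```

The token is opaque to the user but not encrypted, so nothing secret goes in the claims; the HMAC is what prevents forgery, and the nonce store is what stops a forwarded or re-clicked link from working twice. Scoping the session is what addresses concern #3: even if dozens of these emails sit in an inbox, none of them can change a password, an email address or payment details without a real login.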

What do you think? Mostly useful or mostly evil?

  • http://blair.mitchelmore.ca Blair Mitchelmore

    OkCupid actually does this. Links in emails sent to users are all special urls encoding, presumably, the intended final destination of the link along with a token to automatically log in the user. It’s a really nice touch, and something more websites with email messages should provide.

    (I don’t know if they let you turn it off or anything like that, but I think any security issues with it are basically made moot by the fact that if someone malicious gets ahold of your email, they can get at pretty much everything else anyways.)

    • http://leaverou.me Lea Verou

      Thanks, nice to know!

      but I think any security issues with it are basically made moot by the fact that if someone malicious gets ahold of your email, they can get at pretty much everything else anyways.

      My thoughts exactly! :)

      • whitehatvet

        I know this is late on here but it IS a security issue. I had a girl reply to an email from me and it contained the “View Message” link. I clicked that link and was automatically logged in as HER.

  • Mike

    Get 1Password

  • http://dragonflycms.org djmaze

    I do like those links in emails as well but, i’m a die-hard internet user!
    Many people have no clue what they leave behind, especially on public computers and networks.
    Say you check your email in an internet café and someone else hits Ctrl+Shift+T?

    That’s why “remember me” is not checked by default.
    It would be nicer to see another option: or stay logged in for X minutes

    For example: ☐ remember me or stay logged in [60↕] for minutes

  • http://kevin.is/ Kevin

    I love services that do this – OkCupid, as Blair mentioned, does it well (but what don’t they do well?). It’s definitely frustrating to get an email about a site I haven’t used in weeks or months and fumble with the login page. So I propose another idea for your list: a separate authenticated state.

    Say those unique tokens sent via email don’t have an expiry time and maybe aren’t even one-use. Authenticating via one of those links would put the user inside a sandbox where they could only use features that pose no security threat. A user in this “weak authentication” state would then need to authenticate with their password to access sensitive material – remembered credit card info for quick checkouts, full contact info, secret questions, etc.

    I’ve never paid for OkCupid, so I’m not sure how they handle access to payment information for users authenticated via email, but I do seem to remember a site/service doing something like this…

    • http://leaverou.me Lea Verou

      That’s a great idea, never thought about it!

      • Kora

        The sandboxing sounds like what Amazon does… but I don’t think they include tokens in their email links (maybe they do for account specific links, but not “hey check out this new book” links)

        • Anonymous

          I love how amazon does it. I often want to view my Amazon wishlist or add things to it. Since I have an Amazon cookie in my browser from logging in the site in the past, I don’t need to log in for the Wish list features. Also, it says “Welcome Michael” at the top of the site. 

          To view orders or make a purchase, it prompts me for password.

  • Raja MM

    If a user copied the link and pasted it directly into the browser (without clicking from the email), then it will log in automatically. Correct? If this is the case, then how do you know the click was initiated from an email? Please help me…

    • http://leaverou.me Lea Verou

      With a unique token, just like in emails for forgotten passwords. :)

  • Pavel

    Great idea, something I’ve been thinking about also as a login method for websites. Just write in your email address, they send you over an email, click a link in the email and you’re in.

    Then you could probably have something like a browser extension that does that automatically :)

    I really like Kevin’s idea for having ‘weak’ and ‘strong’ authentication.

    • http://leaverou.me Lea Verou

      It would be inconvenient to use that as the only login method, since you’d need email access every time you wanted to use the website. Not all people use webmails and not all people are as fond of email as we developers are.

  • Anonymous

    Bad idea, people that don’t know better might forward their e-mails to friends or family – potential nightmare if those friends or family decide to forward the e-mail in turn.

    Accessing gmail over HTTPS on an unsecured wifi hotspot is fairly secure, clicking a standard HTTP link in an e-mail on said unsecured wifi hotspot is not secure in the slightest.  Can anyone say firesheep?

    In the right circumstances, it’s okay.  You need a user familiar with web security who understands the risks of being logged in through security tokens in e-mailed links.  In the hands of the average user, though, this would be a burden not worth bearing.

  • http://twitter.com/Tsouloftas Alex Tsouloftas

    Very bad idea.

    Example that previously happened to me:
    My email got hacked. Now my email has the most complex password out of all my accounts because if it gets hacked or stolen, they can use the ‘Forgot password’ option to retrieve any password from any website that I have an account for.

    When my email got hacked, I received a text message from my email hosting provider saying that my password has been changed. Straight away, I logged into my email’s hosting control panel (which is a different account from my actual email) and from there I was able to change the password without any “what’s your previous password” or “name of you last pet” things.

    And I’m thinking, IF I had emails with automatic logins, I wonder how much time I would spend on changing all my account passwords that they could be stealing, how much money I would lose (in case the automatic login could reach shopping sites like Amazon or any site you can buy things off) and in general, how much trouble I would get into.

    I do feel more safe this way and I do not have to worry about my email getting hacked or any of my accounts.

    Always, this is my opinion.

  • http://twitter.com/Ares_says Ares

    I read your tweet about this a few minutes ago. Here are some thoughts. 

    Quora did it wrong, if you log in a user via an email then you should limit their functionality and access to sensitive data. 

    I’ve done this in the past, and here are some other precautions I’ve taken: When a user creates an account and/or does a “full” login (by entering their username and password) then you drop a cookie with a special key for their account. The function of this key is to somehow confirm the user identity: if you apply this key through some kind of hashing function to the token, and it matches the one on the server side, then you do the weak login and, if you want, extend the life of the “key” cookie.

    I think another important aspect to consider is what kind of website you are dealing with. If this is the website for a bank then this should not be considered at all. If you are dealing with a website for a messaging system or something that does not deal with sensitive data, then sure, let the user in, read but maybe ask for a full login when trying to reply. 

    I don’t think this idea is bad, it’s just a matter of good implementation and common sense. 

  • Michael Richey

    I actually have a need to implement this now, with a current project – and I found your article while searching to see if it had already been done.

    IMHO, all of your concerns are valid and should be addressed when implementing such a feature.

    Since I’ve found no existing solution in PHP – I’m going to bake one myself. It starts with the email. When initiated, a standard user session will be created. This session will timeout, just like any user session. So the email will only be valid for a short period (15 minutes, in the case of my project). With such a short valid time, I think the email login method is secure enough.

    Because the session cookie would be encoded into the URL, upon accessing said URL, the session would be destroyed and a new session created.

    Great post, and you definitely gave me some things to think about while writing code to accomplish this.