
There are two (deep) thoughts about this article.

First, about using the "Lost password", saying “huh, I never thought about why” is an easy way out with not much research from the author (sorry). One of the main reasons people do that is because websites enforce dumb rules for a password that users tend to repeat on every website (Your password must be 16 chars long, with lower and upper case, numbers and special characters. No more than 2 identical characters in a row ... yes ... I'm looking at you Twilio.com). Of course in that scenario I'll hit my keyboard in a random way and never login using my password.

But this article leads to the alternative: login via email. Some HNers here have mentioned having implemented that on their website, either by sending a one-time login link, or a verification code by email. We did that too for ImprovMX.com initially, and it has a lot of advantages (no password, no password-lost flow, no security measures for storing the password, etc). But it turns out it also has quite a few downsides that we hadn't thought about:

1. Emails get lost. We had quite a few support requests because users couldn't connect to our service because the login email never arrived. This is a major issue, mainly when users wanted to upgrade but couldn't because of that. If you decide to implement this, you must use a really good email provider (Postmark is really good. Mailgun, not so much).

2. Emails are async. When your user goes to your website, they want to connect now. Waiting for an email can take quite some time and they might lose focus.

3. Security "measures" will tell you to not indicate if the email you entered is valid or not, to avoid listing your users (... I won't go into that). If you implement login by email, it means your user will enter their supposed email, you'll tell them something like "If your email is registered on our website, you'll receive a one time login link", wait what feels like an eternity to get the login email in their inbox, and at some point wonder if the email they entered was the right one. Will try another, wait, rinse and repeat.

So yeah, relying on email moves all the security issues and added workflow back to a trusted service (login/lost password/2FA/OTP/etc to services like Gmail) but it will definitely add friction too.

In the end, it depends on what service you offer.
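As an added example (not code from the commenter or from ImprovMX), a minimal one-time login link flow in Python: the same response is returned whether or not the email is registered (the wording from point 3), the token is stored only as a hash, and redemption is single-use and time-limited. The in-memory stores, the 15-minute TTL and the sample user are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a login link stays valid (assumed value)

# Constructed in-memory stores; a real service would use a database.
USERS = {"alice@example.com": {"id": 1}}
PENDING = {}  # sha256(token) -> (email, expires_at)
OUTBOX = []   # stands in for the email provider; holds (email, token)


def _hash(token):
    # Only the hash is persisted, so a leaked PENDING table cannot log anyone in.
    return hashlib.sha256(token.encode()).hexdigest()


def request_login(email, now=None):
    """Always returns the same message, registered or not, so the response
    does not reveal which addresses exist."""
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        PENDING[_hash(token)] = (email, now + TOKEN_TTL)
        OUTBOX.append((email, token))  # the link would carry this token
    return "If your email is registered, you'll receive a one-time login link."


def redeem(token, now=None):
    """Returns the user id on success, None otherwise.
    pop() makes the token single-use even when it has expired."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_hash(token), None)
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    return USERS[email]["id"]
```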
