A password-less login system written in PHP

I always liked the idea of a password-less login system, and I recently found the opportunity to build one (to be used in a personal project). Afterwards, I wrapped it up in a handy class, and uploaded it to GitHub for other people to use.

So, what’s a password-less login?

Any login system that does not need a password, but utilises other ways that allow a user to log in, such as access to a service that the user is already logged in, a set of ssh keys, etc.

Keep in mind, that using such a system, is not mutually exclusive with using a “traditional” password-based login system at the same time. A lot of services allow their users to login via different ways.

If you are interested, there are a few interesting articles and discussions around different approaches and limitations, such as “is it time for password-less login?” (plus its hacker news thread), as well as “logins without logins”.

My approach

Like many people nowadays, I practically live into my email client, so that’s a tab which is always open in my browser. Therefore, the approach I’ve chosen for my password-less login implementation is to utilise email.

The process is simple: A user enters an email address (the one associated with his/her account), the system validates that it’s a valid email which belongs to a registered user, and sends out an email containing a unique login URL. When the user visits this login URL, the system verifies the validity of the code to determine if the user will be allowed to log in or not. Simple!

The code lasts only for a specific amount of time, and it can be used only once.

Use with caution

Keep in mind, that not every service is suitable for such a login system. For example, I wouldn’t use a system like that for a service with too sensitive content.

Also, if someone gains access to a user’s email, then automatically gains access to any service using an approach like the one explained before. However, that’s true for any service that uses a “forgot password” functionality that only needs an email address without any other verification (e.g. secret question).

Want to try it?

If you do, then you can find it in this GitHub repository, which contains the source code, as well as the information you’ll need to install and use it. I’m also working on a tutorial with a usage example, and I’ll update this post when it’s ready.

Photo by Mirko Macari