Colin's Journal

Colin's Journal: A place for thoughts about politics, software, and daily life.

September 8th, 2015

Killing Passwords

Passwords on websites and in apps are the bane of internet usage.  Much has been written (recently in TechCrunch – Kill The Password) on how painful they are to generate and remember.  Password managers help with the challenge, but are  a cumbersome band aid.

When building a website application, adding username and passwords is also painful, requiring extensive work to get working well and securely.  So, what are the alternatives?  There are some good ideas out there, but they tend to be complicated (OpenID Connect), or put large identity providers in a special position (Fido, OpenID Connect) or are centralized and cost money (e.g. Clef).

I think it’s possible to build a simple, distributed, secure authentication mechanism that allows users to login to sites without generating passwords.  The vision is that a user can authenticate themselves easily:

  • Enter your email address
  • See a pass phrase in the application / website
  • Check your phone – if the same pass phrase is displayed, tap authenticate and you are in

I’ve been experimenting with how this could be done, documenting the specification on an Owlauth Github page, and writing an authentication server in Go that implements the specification.  It’s not done yet – the current code sends email to the user with a link rather than a notification to a phone – but it’s close enough that it proves it can work.

In addition to the specification, I’ve also got a test application running (A larder app for tracking food best before dates) that authenticates using this method.

The challenge now is how to move this forward.  Finishing the implementation to allow device based authentication is straightforward (I’ve got most of the code done), but it’s of no use if there isn’t a community of developers interested in deploying it.

Copyright 2015 Colin Stewart

Email: colin at