This is the second part to my original post, An Effort to Ditch the Password
So what is this? It’s passwordless login, where you authenticate by composing a tweet. It has the simplicity of OAuth from all perspectives, but without the privacy concerns, agreements, and questions.
I built this using Flask and deployed it using Heroku (their Python instructions were fantastic), and it’s actually very simple on the backend. All of the code is available on Github. I have a script that is constantly checking a public stream for tweets that contain #post – this is why all tweets contain this hashtag; all of the tweets need to have one consistent value so they end up in the same stream that I can index. Then, when a user clicks “sign in” on the website, they are assigned a random, unique identifier (the second hashtag), which is saved in their browser session along with their supplied Twitter handle. For 20 seconds, the script checks the ‘#post’ stream for a tweet that 1. came from the Twitter handle specified and 2. contains their unique identifier hashtag. If a tweet is found, their logged-in status in their session is updated to “true”, and if not they are redirected to an error page.
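The challenge-and-match logic described above, as an added example that is not the author’s Github code: it assumes tweets arrive as dicts with `user` and `text` keys, that hashtags are whitespace-delimited, and that the challenge dict stands in for the Flask session.

```python
import hmac
import secrets
import time

STREAM_TAG = "#post"   # constant tag so every login tweet lands in one indexable stream
CHALLENGE_TTL = 20     # seconds the script keeps polling the stream for a match


def new_challenge(handle):
    """Create the per-login state the page stores in the browser session.

    The second hashtag is an unguessable random value (128 bits); the
    supplied handle is normalised so '@Alice' and 'alice' compare equal.
    """
    return {
        "handle": handle.lstrip("@").lower(),
        "tag": "#" + secrets.token_hex(16),
        "issued_at": time.time(),
        "logged_in": False,
    }


def tweet_satisfies(tweet, challenge):
    """True only if the tweet is in the #post stream, came from the expected
    handle, and carries this session's unique tag (compared in constant time)."""
    tags = {w.lower() for w in tweet["text"].split() if w.startswith("#")}
    if STREAM_TAG not in tags:
        return False
    if tweet["user"].lstrip("@").lower() != challenge["handle"]:
        return False
    return any(hmac.compare_digest(t, challenge["tag"]) for t in tags)


def check_stream(challenge, stream, now=None):
    """Scan the stream once; mark the session logged in on a match.

    Returns False once CHALLENGE_TTL has elapsed, mirroring the 20-second
    window after which the page redirects to an error page.
    """
    now = time.time() if now is None else now
    if now - challenge["issued_at"] > CHALLENGE_TTL:
        return False
    for tweet in stream:
        if tweet_satisfies(tweet, challenge):
            challenge["logged_in"] = True
            return True
    return False
```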
Signing in this way is designed to be safe, quick, and secure. In effect, it should not take the user more than two clicks (‘sign in’ and ‘tweet’) and a dozen characters (their Twitter handle). This method therefore eliminates the need to memorize a hard password, rely on a weak password, and/or monitor your phone or email for some verification.
All of that being said, I do not anticipate websites will implement this, and that is a good thing. Why? Namely, from a user perspective, I would not want to tweet every time I signed into a website. As quick and safe as it feels and as easy as it is to code, I would never ask users to tweet their way into my website, so to speak. A quick solution to this issue would be using a platform where streams could be private, a feature that sounds like something to be added to App.net. But I digress.
No, logging in with a tweet is not a replacement, and no, it is not a new standard. And again, this is okay. At its best, this experiment will support my belief that there is demand, and a place now, for a modern authentication system: one that is not necessarily based around the password in its current form, and one that does not sacrifice security for simplicity.
Follow the discussion on Hacker News.