Sign-in by email link, on purpose. What it gives the person signing in, and what it stops us from having to defend.
ForestLynk’s sign-in is a link in an email. Type your email; we
send you a link; you tap the link; you’re in. There’s no password.
Nothing to set up, nothing to remember, nothing to leak.
This isn’t a novelty — plenty of products do this now. The point of
the post is that we chose it on purpose, and what we get back from
that choice.
The brainstorm board · pan, pinch to zoom · click an artboard to focus
What you don’t have to do
You don’t have to invent a password and immediately forget it. You
don’t have to type one on a phone keyboard at the start of a
session and find out it was the wrong one. You don’t have to give
us a credential we’d have to be careful about losing.
What we don’t have to do
We don’t have to handle passwords. Hash them, reset them, support
people who reused one from a leaked breach somewhere else. The
attack surface that doesn’t exist is the easiest one to defend.
The email itself
What it costs
Email arrives in the time email arrives in. Most of the time that’s
seconds, sometimes it’s a minute or two. We’d rather have a brief
wait once than the daily cost of remembering a password.
The sign-in screen has one field. It asks for that field, and
then it gets out of the way.