Going Passwordless

TL;DR: How we used passwordless authentication to give users a low-friction way of accessing private data.

A popular feature on Gaggle Mail is the searchable message archive. This has always been available to group administrators, but we wanted to make it available to group members too.

Group administrators already have an account with us, which they used to create their group, but all we know about members is their email address. Requiring members to create an account to view the message archive seemed a little too heavyweight for something they probably wouldn’t do often. However, making the full message archive available to anyone who had acquired a ‘secret’ member link was far too open.

Giving It a Try

Passwordless authentication seemed like a great fit for what we needed, and since we already had the standard ‘forgot password’ workflow, adding it was quite straightforward. I won’t go into how passwordless authentication works here since there are already some great articles out there explaining it. Now when a member goes to the message archive they see a note asking them to click a button to receive a link giving them access to the archive.

They immediately receive the email, and on clicking the link they’re taken straight to the full message archive. After an hour the link expires, and clicking it just redirects to the standard member page where, if necessary, they can request another time-limited link.
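The one-hour link flow described above can be built on an HMAC-signed token carried in the emailed URL. The following is an added example, not Gaggle Mail's code; the key, the function names and the URL paths are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET_KEY = b"constructed-demo-key"  # assumption: real key comes from a secret store
LINK_TTL_SECONDS = 3600               # the one-hour lifetime described in the post

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()

def issue_token(email: str, group_id: str, now: Optional[float] = None) -> str:
    """Build the token placed in the emailed archive link."""
    issued = time.time() if now is None else now
    claims = {"email": email, "group": group_id,
              "exp": int(issued) + LINK_TTL_SECONDS}
    payload = json.dumps(claims, sort_keys=True).encode()
    return f"{_b64(payload)}.{_b64(_sign(payload))}"

def verify_token(token: str, group_id: str, now: Optional[float] = None) -> Optional[str]:
    """Return the member's email if the link is valid for this group, else None."""
    current = time.time() if now is None else now
    try:
        payload_part, sig_part = token.split(".")
        payload, sig = _unb64(payload_part), _unb64(sig_part)
    except ValueError:  # wrong shape or undecodable base64
        return None
    # Constant-time comparison; claims are parsed only after the MAC checks out.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(payload)
    if claims["group"] != group_id or current >= claims["exp"]:
        return None
    return claims["email"]

def archive_redirect(token: str, group_id: str, now: Optional[float] = None) -> str:
    """Hypothetical routing: valid link -> archive, otherwise the member page."""
    ok = verify_token(token, group_id, now) is not None
    return f"/groups/{group_id}/archive" if ok else f"/groups/{group_id}/member"
```

Because the token is stateless, it stays usable until it expires; making a link single-use would require recording redeemed tokens on the server.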


This feature was a real hit with our users. The convenience of having access to the message archive without creating an account is a big plus.

A concern with this sort of workflow can be the latency while waiting for the email to arrive. Since email is a massive part of what we do, we already have lots of infrastructure in place to get the link into their hands as quickly as possible.

Passwordless authentication has worked well for us here. It’s not going to be the best fit for all circumstances, but when you want to give a level of secure access without burdening the user with creating a user account it works well, especially if you already have their email address.