99% of sites require your email to set up an account, even ones that allow Facebook or Twitter for logging in. So why have any password at all? For that matter why bother with Facebook or Twitter?
To log in, enter your email address. The site sends an email. Check your mail. Click on the link. On clickthrough, set a cookie. Whenever there isn’t a cookie, go through the process of sending an email and clicking on the link again.
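Added example, not code from the post or any commenter: a minimal issue/redeem pair for the email-link flow described above, with a bounded validity window and single-use tokens so a second click on the same link fails. The base URL, addresses and in-memory store are constructed placeholders.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL = 15 * 60  # seconds; generous because mail can be slow, but still bounded

# Constructed in-memory store: sha256(token) -> (email, expires_at).
# Only the hash is kept, so a leaked store does not yield usable links.
_pending: Dict[str, Tuple[str, int]] = {}


def issue_link(email: str, base_url: str, now: Optional[float] = None) -> str:
    """Create a single-use login link for `email` and record it server side."""
    now = int(time.time() if now is None else now)
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[digest] = (email, now + TOKEN_TTL)
    # The email itself is not placed in the URL; the token alone identifies the request.
    return f"{base_url}?{urlencode({'token': token})}"


def redeem_link(url: str, now: Optional[float] = None) -> Optional[str]:
    """Return the verified email if the link is valid, unexpired and unused, else None.

    On success the caller sets the session cookie; on None it restarts the mail flow.
    """
    now = int(time.time() if now is None else now)
    token = parse_qs(urlparse(url).query).get("token", [None])[0]
    if token is None:
        return None
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = _pending.pop(digest, None)  # pop: the link is consumed on first use
    if record is None:
        return None  # unknown, already used, or forged token
    email, expires_at = record
    if now >= expires_at:
        return None  # arrived too late; user must request a fresh link
    return email


if __name__ == "__main__":
    link = issue_link("alice@example.com", "https://app.example/login")
    print("mailed link:", link)
    print("first click :", redeem_link(link))   # alice@example.com
    print("second click:", redeem_link(link))   # None
```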
http://gonze.com/blog/2007/09/11/a-hack-for-passwordless-login/
:-)
BrowserID can kind of be thought of as an enhancement of this idea.
Ouch.
For my new thing I’m actually using this email-only, no password, approach. I doubt I’ll get away with it but haven’t yet discovered the fatal problem.
From time to time, some folk may use someone else’s PC (cybercafe) and for such cases not everyone has ensured they can always access their e-mail via the web. It is also possible that e-mail may take well over 5 minutes to arrive. Not exactly a ‘fatal’ problem though.
You could ask people to leave their mobile for such an eventuality, when a PIN can be sent to it.
OAuth has a use case for situations where you need to log in to an app but can’t access email. For example a Roku app. What you do is have the user log in with a different device, like a phone or a separate PC. A PIN sent via a text message is a good example of a side channel.
I would just say that this is an application-specific issue, and it’s an edge case.