Why we don’t use passwords

Before we set out to build Finimize MyLife there were a lot of big decisions that had to be made. Many dealt with the product itself — but many involved how to actually craft it.

Things like how we structure our data, what languages/tools to use, how to architect the site, and — last but certainly not least – how to handle security.

 Finimize MyLife deals with something people hold very close to their chests: their personal finances. Our goal from the outset was to structure our approach in the most modern and most secure way possible.

That’s why we don’t use passwords.

When you think of it, a password, at least in the way 90 per cent of the population uses them, is incredibly insecure. Just check out this list. It’s usually a basic string of characters that is inherently both short and simple enough that someone can remember it (cat’s name, 1234567, “p@ssw0rd” etc.) What’s even worse, people often use the same password across multiple sites.

Yahoo just announced that one billion of its accounts were compromised all the way back in 2013. It’s a safe bet that one billion people didn’t think to have a unique password for just their Yahoo account.

Of course, there are password managers out there that can help create stronger passwords, and habits (like changing your password often) that can improve security — but the reality is most people can’t be bothered.

Taking a step further

So what’s our solution? To quote some other great writing on this:

‘The basic idea is that instead of using a password to authenticate each user, a temporary secret code is sent to them over a secure channel. Email or SMS is that (mostly) secure channel. It’s almost as if the backend server makes up a temporary, one-use password each time a user wants to log in and whispers it in their ear.’

Today, most people see this referred to as “two-factor” authentication: you enter your password on a site, and it sends a message with a link to make sure the person is actually you.

What we (and some other cool companies (like Slack, Twitter, and Medium) have done is take that one step further by removing the password from the equation entirely. Instead, we send a time-sensitive link to your email that securely logs you in.

The funny thing is, the logic is the same as any time you’ve reset your password on a website — except now you don’t have to come up with a new one (and we don’t save it to a database).

The benefits are clear:

  • We don’t store passwords, so they can’t actually be stolen
  • You don’t have to remember a username or password; only your email
  • No one can ever guess how to get into your account
  • We can verify who you are based on your email address
  • It’s quicker /easier for you to sign up (and sign in)

So yeah, we don’t just try to simplify and improve finance, we also apply those principles to our tech and security.

Max Rofagha, founder and CEO of Finimize
Image source: Shutterstock/scyther5