Don't think less of Passwordless

Published on: 2025-1-3 Don't think less of Passwordless

Wide Angle Analytics does not use passwords. Managing passwords—though a technically solved problem—remains a serious security issue. That’s why we use Magic Links. And while the name suggests otherwise, Magic Links are not actually magical: they’re just robust, time-sensitive links delivered via email.

This post was inspired by a recent article in 404 Media. 404 Media is a new independent media company founded by technology journalists Jason Koebler, Emanuel Maiberg, Samantha Cole, and Joseph Cox.

404 Media and Ghost

404 Media runs on Ghost, a great publishing platform designed for creators and writers. It’s fast and a joy to use, both for authors and readers.

Just so that you know, you can easily add privacy-fist Wide Angle web analytics to your Ghost site. Just follow this short guide.

Fun fact: the digital-nomad-themed videos by John O’Nolan, one of Ghost’s founders—together with the early stories of Peter Levels—were what originally drew me into the gaping hole that is entrepreneurship.

Back to Magic Links

If you want a great primer on Magic Links, check out the referenced article. In this write-up, I’ll provide our justification for using Magic Links instead of passwords.

Firstly, convenience

To sign up for Wide Angle Analytics, you only need to provide an email address. No password. No complex CAPTCHAs. We even have a custom Proof-of-Work CAPTCHA that costs you, the human, only a few milliseconds or a couple of seconds. That’s it.

A simple form. One field. You literally cannot make it simpler—well, OK, you can with Social Logins, but those inherently violate users’ privacy and thus aren’t acceptable.

Secondly, security

Security is a much more complex aspect of this discussion. We can break it down into three areas:

Email as an identity provider
Multi-Factor Authentication
Password complexity and encryption

1. Email as an identity provider

Your email is—or at least should be—your most secure internet property. It’s how you create most of your online accounts, communicate with vendors, and even interact with government and state bodies. It’s also often your last line of defense, as it’s used in the password reset process.

No matter if you’re using your email for Amazon shopping or to sign up for a web analytics SaaS platform, it needs to be secure.

2. Multi-Factor Authentication

In the year 2025, a service that doesn’t offer 2FA or MFA—whether via one-time codes (TOTP), SMS tokens, or hardware security keys—should be frowned upon.

Your email absolutely needs to have 2FA. If it doesn’t, migrate as quickly as you can.

If you combine the importance of email security with the fact that you log in via a link delivered to your secure mailbox, Magic Links hit a sweet spot between forcing you to scan yet another QR code in an app like Google Authenticator or Microsoft Authenticator and having no MFA at all.

Magic Links cannot be stolen or spoofed. They often have a short expiration window (10 or 20 minutes at Wide Angle Analytics) so they can’t be reused. They rely on your ownership of the email as proof of identity—something you know, something you own, and something you can access.

3. Password complexity and encryption

As mentioned earlier, password encryption is, for the time being, relatively easy and well understood. We have strong algorithms and battle-tested libraries at our disposal.

And yet password breaches continue to happen, and vast databases of extracted, hashed passwords serve as gold mines for malicious actors.

The sad truth is that passwords are still notoriously reused:

A study of 28.8 million users found that 52 percent of them reuse passwords.

(Source: 404 Media)

So no matter how strong your encryption is, a password retrieved from another service—entirely out of your control—can be used to breach user accounts.

My late father relied on a single, simple dictionary word (no numbers or special characters) for practically every online service he touched. He is not an outlier.

This brings me to the last reason Wide Angle Analytics uses Magic Links.

Compliance

The GDPR does not explicitly spell out which technical measures to use for data security, but it’s clear on one point: you must practice data protection by design and by default.

The data controller (i.e., us, the service provider in simplified terms) must implement appropriate technical and organizational measures to protect and secure personal data.

Hence, because

We can’t ensure our users haven’t reused their passwords, and
We can’t expect every user to set up TOTP two-factor authentication

…the only logical step was to rely on short-lived Magic Links.

After all, if a user’s email is compromised, it’s game over on so many levels that access to web analytics is probably the least of their worries.

Criticism of Magic Links

Some criticisms overlap with points raised in the 404 Media article. Again, please give it a read.

Passwords can be safe—just use a password manager

Contrary to what the Hacker News or Reddit crowds might lead you to believe, not everyone uses a password manager.

One study shows that only 23% of adult Americans use password managers, while another study suggests that worldwide this number might be closer to 60%.

Email arrives late or never

Similarly to 404 Media, we can safely conclude that issues with email deliverability are outliers. In almost all cases, the login email arrives in just a few seconds.

Still, how big a delay you can tolerate depends on the product or service. Time-critical services like IT monitoring platforms or financial tools—and their users—might be less patient, even with a delay of just a few seconds.

I don’t always have my email handy

Whether your email is on your corporate laptop or not configured on your mobile device, lacking email access can be genuinely frustrating.

I sympathize with those who need specific workflows, hop between devices, or face organizational processes that limit access.

Wide Angle Analytics is predominantly a product for business customers. It’s not designed for 24-hour usage with constant refreshing or scrolling. It’s meant to collect data quietly, deliver reports and insights, and generally get out of your way.

In that sense, a minor snag due to temporary lack of email access seems acceptable.

What our users think

We see a full spectrum of customer responses to Magic Links.

One group honestly doesn’t mind—Magic Links just work for them.
Another group is surprised or worried about the lack of passwords. So far, we’ve met with understanding and acceptance (though I’ll admit the line between accepting and grudging acceptance can be thin).
Lastly, there’s a group that refuses to use the service. In a Venn diagram, these are often the same folks who prefer to log in with Google Social Login.

Way forward

We’re not operating in a vacuum. I won’t pretend the solutions at Wide Angle Analytics are perfect and final. We take criticism very seriously and believe there’s merit to it.

While we still stand by Magic Links as a safe, secure, and low-friction approach, we’re also implementing password support. Given our security reservations, however, users will have to choose between Magic Links and passwords with mandatory 2FA.

Safety and privacy protection for our customers and their data remain a core tenet of our business.

Looking for web analytics that do not require Cookie Banner and avoid Adblockers?
Try Wide Angle Analytics!

FREE Trial!

Author: Jarek Rozanski

Jarek Rozanski is the Founder of Wide Angle Analytics. After a successful career in investment banking and financial services, he decided to explore the world of start-ups and eventually start his own. Privacy, one of our basic human rights, needs strong protection according to Jarek.