🔒️Upcoming Change: Passwordless Login for Instructors🔒️

Hey instructors,

In the coming days we are going to change the way you log into Udemy. As it stands, you are asked to enter your email address and password followed by a MFA one-time code, which is sent to your email which you need to validate in order to access the platform.

Our goal is to reduce the number of steps it takes you to log in while also improving the security of our platform. That is why we are going to roll out passwordless authentication for our instructors, which is currently live for our learners.

What does this mean for you?

You will no longer be asked to enter your email & password followed by an MFA, instead, you will be asked for your email and an MFA code only
There will be no need to remember passwords to log in*

What's the benefit of this?

Less friction for you as we are removing authentication steps
Improved security for Udemy as passwords are generally weak and targeted by bad actors
A stepping stone towards more enhanced security measures which Udemy would like to implement, such as SMS, biometric and/or passkeys authentication

* The email/password flow will remain active for some time as a fallback when needed.

Teach on,

Ryan

Find more posts tagged with

Comments

EBodhisathva

Hi,

This change is more annoying. Every time we need to login to 2 apps to complete what is supposed to be a single login process. How is it better than just typing email and password?

We haven't seen this kind of strange model anywhere else.

Rahul Iyer

Nice, thanks for the update @RyanJaress :-)

LizBrownUX

So we still have to check our email to get a code every.single.time….?

peter_dalmaris

Thank you Ryan. Perhaps looking into Passkeys will reduce friction further.

MrHJ

@RyanJaress

Could the new proposed user-register solution create the possibility of serious arbitrary security breaches at Udemy?

For example; https://news.ycombinator.com/item?id=18939221 (Hacker News) "On the topic of old email addresses, make sure your old email provider doesn't release your email address after so many years / months. This is a common way to get access to accounts by creating a new email account with the same address as an expired address and then using an email-based password reset to gain access to the account."

"This is really a big problem since one is forced to keep old addresses active and around. But your email provider, even if it’s a paid service, may have stupid policies to recycle addresses very soon and may not make exceptions for you."

Problem example description:

Larger instructor accounts may have 10k-10M registered users. Udemy has a recent history of security breaches, disgruntled employees, employees causing the company damage, serious complaints about employees related to code and functionality, and hackers even docking the Udemy site, creating their own Udemy site on top of Udemy and collecting the paid monies.

A. If a "hacker" were to obtain such an instructor's client database with emails, it could simply check if the emails are active with a simple loop and try to register new emails wherever the email is bounced or not delivered. Even if 5% of the mail addresses are recycled, the new system results in a serious textbook danger to all instructors as the hacker could cause arbitrary damage to the instructor and Udemy.

B. Some old email history stats from a larger US e-mail deliverer show that emails tend to become inactive at around 10% per year. Few addresses remain active after 5 to 10 or 20 years.

Customer example description:

A Family likes Apple, 4 people buys 6 new AppleID devices per year. While Apple certifies that no original iCloud addresses for AppleIDs are ever recycled, they also provide every AppleID account with 3-1k iCloud aliases. These aliases are recommended for use with inter alia Udemy or any businesses or any internet activity nowadays. For these aliases, Apple certifies no promise or contractual binding, implicit or explicit, that states that aliases won't be recycled, reused, or reactivated if abandoned or permanently deleted, as often happens when a new AppleID device is purchased, such as a computer, iPhone, tv, or iPad. (Apple is considered a very safe, high reputation email provider).

Proposed solution: the Password option should remain and also be enforced. And while e-mail could be made sufficient to login to an account using the proposed solution, making any changes should require a password.

Regards

FrankKane

Ryan said "The email/password flow will remain active for some time as a fallback when needed." Maybe they already know which instructor emails are bouncing, and are retaining password authentication for those cases.

There's no evidence that our email addresses have been compromised anyhow, but I suppose anything's possible.

AHardin

I'm not the biggest fan of passwordless authentication, but it works and it seems many online apps and services are moving towards that direction with OTPs, magic links, QR code authentication, etc.

I think the biggest drivers for Udemy doing this is are:
1) User convenience: The 73+ million students no longer have to remember passwords.
2) No more Password-Related Tickets: Removes the burden of dealing with password reset issues, and inevitable service desk tickets for people with password-related issues.

So long as your devices with access to your email accounts and your email accounts themselves don't get compromised, you're fine - but the moment they do, your account can get compromised.

I've been using it with my Udemy accounts (student and instructor accounts) for awhile now without any issue. But I'd prefer traditional MFA with both my password and a OTP (at least for instructor accounts) because the risk landscape for instructors (especially the largest accounts who make 5-figures monthly) is much higher than for students. And for sensitive account changes, I'd hope Udemy now implements a secondary authentication process, such as changing your instructor account's bank and tax information.

FettahBen

You try to shorten the process but making it logger, I remember one time after login from my phone using password and asked for confirmation, i didn't have access to my email and i need to power on my laptop and check the email password from my ROBOFORM software to confirm login,

IF you didn't add password in Udemy you add it in your email provider.

CarlosDeLeon

"You will no longer be asked to enter your email & password followed by an MFA, instead, you will be asked for your email and an MFA code only"

What method will be used to deliver the MFA code to the instructor? I don't mean "some day", I mean right now that the change is going to go live for instructors.

I hope it is not email, otherwise, it does not make any sense to mention this as a benefit:

Improved security for Udemy as passwords are generally weak and targeted by bad actors

At the moment, if the email account of an instructor gets compromised (which is not rare. Email is not secure), at least the attacker needs to know something else (the Udemy account's password). How does removing that second measure without improving the MFA delivery method improve security?

I don't know of any serious company that delivers MFA tokens by email, and now Udemy is making that the only factor used to authenticate?

Come on.

RyanJaress

Hi again,

It's great to see a conversation happening around authentication and security and appreciate your input. I am following up by responding to some of your comments and adding more context.

Regarding needing to leverage two apps in order to login and adding steps to the process instead of reducing it.

We already have email verification in place for most instructors as part of multi-factor authentication (MFA). Right now, most instructors log in by entering their email and password, and then confirming a code we send to their email. The move to passwordless login is focused on these users.

If you don’t currently have MFA turned on, you’ll notice we’re now asking you to verify your email. We know it’s an extra step, but it’s an important one to help keep your account secure.

Traditional passwords are often weak, reused, or targeted by attackers, and our data analysis confirms a clear trend of weak passwords across accounts. By removing the need for passwords, we are strengthening overall security and, as we've shared previously, putting ourselves in a better position to continue improving our services.

Instead of relying on passwords, we send a code to your email address, which not only verifies that you have access to your account but also adds an important layer of protection. We understand some might wonder: if email access still relies on a password, aren't we just shifting the risk? It's a fair question. Typically, email providers offer stronger security measures—such as multi-factor authentication (MFA) and requirements for more robust passwords—making them a more secure point of access. By relying on these stronger protections, we can better safeguard your account without the weaknesses traditional passwords introduce.

Leveraging passkeys

Peter makes a great call out and I’m pleased to say it's on our roadmap. Passkeys are a passwordless authentication method that uses cryptographic keys stored on your device to log in securely. Instead of entering a password, you authenticate using biometrics (like Face ID or fingerprint) or a device PIN, making login both faster and more secure. Since passkeys can’t be easily stolen or phished like passwords, they provide strong protection against common cyber threats.

Addressing concerns of security

For as long as you have your account with us, you can rely on the email address associated with the account for access to our platform.We have a number of checks in place to ensure that the email address is accurate and deliverable but also have processes in place to support you if you lose access at a certain time once you can verify your identity.

To clarify our position, we are changing our first form of authentication initially to code via email to remove the password requirement. We are launching SMS authentication shortly after and will be expanding into biometrics, passkeys later this year.

With all that said, we understand that adjusting to a new flow takes time, and we’re closely monitoring feedback to ensure a smooth experience for everyone. If you have any specific challenges with the new login process, we’d love to hear more so we can improve.

Hope this answers some of your questions!