by MobileVet 2283 days ago
It’s a pretty animation... so nice work on that front.

Regarding login in general, people are done with passwords. From a security perspective they are worthless in most situations. From a user perspective, no one wants to make a new one or remember a different one, so they reuse them.

The good thing is this greatly simplifies the flow.

1) Ask for the email address.
2) Check it against your system.
   2a) user found -> send auth email link
   2b) no user, make a new one

Done. 2 steps, no passwords, no double path / flow

5 comments
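The two-step flow described in the post, as an added example that is not code from the original post or from the product it describes. It shows the parts a practitioner cares about and the post leaves implicit: the link token is random and stored only as a hash, it is single-use and short-lived, a short numeric backup code is sent alongside it with a bounded number of guesses, and a sign-in notice goes back to the mailbox after success. The in-memory user table, the outbox list, the login URL and the 15-minute TTL are stand-ins and assumptions, not details from the page.

```python
"""Passwordless email login: request a link, verify it; single-use, short-lived.

Added example, not from the HN post. User table, mail delivery, the login URL
and the TTL / attempt limits are assumptions made for the demo.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

TTL_SECONDS = 15 * 60        # link and code expire together (assumed policy)
MAX_CODE_ATTEMPTS = 5        # total guesses allowed on the backup code (assumed)
LOGIN_URL = "https://example.invalid/login"   # hypothetical endpoint


def _digest(value: str) -> str:
    # Only a hash of the token/code is stored: a leaked pending-login table
    # yields nothing a bot could paste into the login URL.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


@dataclass
class PendingLogin:
    email: str
    token_hash: str
    code_hash: str
    expires_at: float
    code_attempts: int = 0
    used: bool = False


class MagicLinkAuth:
    def __init__(self) -> None:
        self.users: Set[str] = set()                 # stand-in for the user table
        self.pending: Dict[str, PendingLogin] = {}   # one live login per address
        self.outbox: List[dict] = []                 # stand-in for the mail sender

    def request_login(self, email: str, now: Optional[float] = None) -> bool:
        """Steps 1-2: look the address up, create it if missing (2b), mail a link (2a).
        Returns True when the account was just created."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        created = email not in self.users
        self.users.add(email)
        token = secrets.token_urlsafe(32)               # 256-bit, unguessable, URL-safe
        code = f"{secrets.randbelow(10**8):08d}"        # 8-digit code to paste by hand
        # A new request supersedes any earlier pending login, so an old link dies.
        self.pending[email] = PendingLogin(email, _digest(token), _digest(code),
                                           now + TTL_SECONDS)
        self.outbox.append({"to": email, "link": f"{LOGIN_URL}?token={token}",
                            "code": code})
        return created

    def _live(self, email: str, now: float) -> Optional[PendingLogin]:
        pl = self.pending.get(email)
        if pl is None or pl.used or now > pl.expires_at:
            return None
        return pl

    def verify_link(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Consume a link token; returns the email on success, None otherwise."""
        now = time.time() if now is None else now
        want = _digest(token)
        # Linear scan is fine for a demo; a real store indexes on token_hash.
        for pl in list(self.pending.values()):
            if hmac.compare_digest(pl.token_hash, want) and self._live(pl.email, now) is pl:
                return self._complete(pl)
        return None

    def verify_code(self, email: str, code: str, now: Optional[float] = None) -> Optional[str]:
        """Consume the backup code; every attempt counts against MAX_CODE_ATTEMPTS."""
        now = time.time() if now is None else now
        pl = self._live(email.strip().lower(), now)
        if pl is None:
            return None
        pl.code_attempts += 1
        if pl.code_attempts > MAX_CODE_ATTEMPTS:
            pl.used = True          # burn it; the user must request a fresh email
            return None
        if not hmac.compare_digest(pl.code_hash, _digest(code)):
            return None
        return self._complete(pl)

    def _complete(self, pl: PendingLogin) -> str:
        pl.used = True              # single use: a replayed link or code is rejected
        # Tell the mailbox owner a sign-in happened, as password-reset flows do.
        self.outbox.append({"to": pl.email, "notice": "new sign-in to your account"})
        return pl.email


if __name__ == "__main__":
    auth = MagicLinkAuth()
    auth.request_login("alice@example.com")
    link = auth.outbox[-1]["link"]
    print("first use:", auth.verify_link(link.split("token=")[1]))
    print("replay:", auth.verify_link(link.split("token=")[1]))
```

Both the link and the code are consumed by the same pending record, so using either one burns the other; the expiry window is the only real mitigation for the interception case raised later in the thread, and the sign-in notice is what turns a silent takeover into a visible one.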

I think that's rather bold to say "people are done with passwords." Personally, I find them rather annoying. I don't like bouncing between apps. The email login link often opens a new tab/window, too. When the email doesn't show up immediately I question which one of five things could have gone wrong. Is it my fault or theirs?

I also can't see how this would be more secure (outside of knowing they reuse the same password everywhere). If they hijack your e-mail they log in without warning since that's the normal flow. If they use your email to reset your password, both the service and the user get informed there was abnormal access.

Sorry... people ‘should’ be done with them, but that is my bias towards security.

Your email is probably linked with just about everything you do. I would suggest you ensure it has a 16 character random password with 2 factor auth. If someone gets in, they own everything so treat it accordingly.

Also, what apps beyond banking or health do you log out of?

Accounts just seem to accrue. My password manager has over 500 items. I tend to uninstall phone apps I don't use after a few months and reinstall them as needed. I also hop between a computer and phone and iPad or between app and website, each requiring me to login again.

I also appreciate being able to log into an account on an untrusted computer without having to log into my email.

I see many problems with that:

- if you change your email address, or have any problem with it (oops, google has blocked you again!), you can't log in. I have been bitten by this when myopera.com closed and I couldn't access my old email. I lost some accounts.

- emails are clear text, so bots can intercept a login link and use it

- if you want to share the account with somebody, you gotta give them access to your email

- I don't want my inbox to be polluted by 15 login emails every day

- using my password manager is much faster than doing this

We always include a backup code in the email you can manually paste in.

Do you need to login to things repeatedly? I mean, sure your bank... but what else do you log out of?

You and I use a password manager... but are they mainstream? My parents sure don't

> We always include a backup code in the email you can manually paste in.

It's not going to help me with any of that. Can't access the backup code if the email is closed. Won't prevent a bot from stealing the account. Won't help me with sharing the account, I'm not going to give the backup code to the person every time they need to login.

> Do you need to login to things repeatedly? I mean, sure your bank... but what else do you log out of?

Banks. Stuff for which you have several accounts on the same service (I have 11 email accounts, 4 github accounts, 3 HN accounts, 3 reddit accounts). A lot of people have at least 2 fb accounts, one official and one personal, and most of them don't know about browser containers.

> You and I use a password manager... but are they mainstream? My parents sure dont

No, and I expect they will never be. Auth is not a solved problem.

But email links are not the solution. At best, one login option, and a good way to start off.

Password auth should always be offered. It's the most neutral, balanced, resilient, privacy friendly, interoperable stuff we have for now.

Thanks for sharing, lots of good thoughts.

I definitely don’t use this method for security conscious content / apps. Mostly for simple stuff with minimal to no private content.

Also... can you expand on ‘bots can intercept a login link?’

You would have to be actively engaged with a ‘man in the middle’ for this to be an issue. Am I missing something?

Same reason people push for HTTPS everywhere.

Passwordless is great until it's not. You tend to need to be on the same device / browser as your email for it to work seamlessly. It also adds mental debt, in that many multiple actions are required to proceed (personally I find myself with irrational logout fear thanks to this).

Appreciate it seems like it answers all the questions but I think, in the end, it talks more to the developer than the user.

I say this as a major proponent of smarter 'dumb' auth, an early-ish adopter of passwordless, plus having run it as the primary login mechanism on a site with 25-150 new signups / day for nearly three years.

Looking forward to more widespread adoption/availability of webauthn, embedded (consumer) security features, etc.

A password manager is way faster. It's just one tap.

The email flow is slower. I need to switch apps, wait for the email, open it, click on the link.

From a simplicity perspective, I'd prefer a text message with a 6-10 character numeric code that can be auto filled with one tap.

Aka the Lyft model (they probably didn't come up with it, but they're the main example that I can think of off the top of my head).

Sure... text is fine but easier to hack typically. For low sensitivity, it is probably faster than email.