by airhead969 1932 days ago
You can't "solve" passwords because authentication requires something you have or something you know. Not everyone has email, magic links by email are insecure, and it defeats the ubiquity of password managers and keychains. There's no eliminating private keys or passwords anytime soon because it's a utopian aspiration wishing away first principles.

What can happen is better federated SSO using OAuth2 like Apple, Google, FB, Github, and/or similar for web applications to defer or eliminate yet another mandatory password.

5 comments

> What can happen is better federated SSO using OAuth2 like Apple, Google, FB, Github, and/or similar for web applications to defer or eliminate yet another mandatory password.

Then you get locked out of like 9 things at once when {you ragequit github for political reasons and forget to migrate everything, google kills yet another thing, google locks your account for funsies, apple locks your account until your macbook pro refund is processed correctly,....}

Security requires good governance and trust - and ultimately realizing that everything connected online can and will likely be breached - and so if something is important enough, the design should be that it never touches the network. I personally don't fear any of my history or life coming out if it were - at least at this point, and in reality if security becomes a real concern due to well, tyranny and the universal battle against bad actors/evil, then my current location would be the only thing I'd ultimately not want known - and so you simply stay off grid then.
> Security requires good governance and trust

Neither of which the web currently has.

Arguably true.
I think magic links can be quite secure, and for spike.sh most users will have a company provided and company managed email account. There are also techniques to make magic links more secure, like pinning them to the browser/device that requested the log-in using a cookie.

I think passwordless-only is a bad call for the consumer market. Notion ran passwordless for years but we dealt with constant issues of users losing access to their email and having no (easy for them) way to prove ownership of the related Notion account. We switched to normal password accounts.
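The cookie pinning mentioned in the spike.sh comment above (a magic link that only works in the browser that requested it) is easy to get subtly wrong, so here is an added worked example of the flow. This is illustrative code written for this thread, not spike.sh's or Notion's implementation; the endpoint URL, the in-memory store, the ten-minute lifetime and the sample user are all assumptions. The server keeps only hashes of the link token and of the browser pin, burns the token on any failed attempt, and refuses a link that arrives without the matching pin cookie, which is what turns "if you got their email password you're in" into "you also need their browser".

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 600                        # assumed: link valid for ten minutes
LOGIN_URL = "https://app.example.com/login"   # hypothetical login endpoint


def _digest(value: str) -> str:
    # Only hashes are stored, so a leaked table cannot be replayed as live links.
    return hashlib.sha256(value.encode()).hexdigest()


class MagicLinkStore:
    """In-memory pending-link store (a real deployment would use a database)."""

    def __init__(self, clock=time.time):
        self._clock = clock           # injectable for testing expiry
        self._pending = {}            # sha256(token) -> record

    def issue(self, email: str):
        """Create a link for `email`. Returns (link, browser_pin).

        The link is sent by email. The browser_pin is set as a cookie
        (HttpOnly; Secure; SameSite=Lax) on the browser that asked for the
        link, and is never sent anywhere else.
        """
        token = secrets.token_urlsafe(32)
        browser_pin = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = {
            "email": email,
            "pin_hash": _digest(browser_pin),
            "expires": self._clock() + TOKEN_TTL_SECONDS,
        }
        link = f"{LOGIN_URL}?{urlencode({'token': token})}"
        return link, browser_pin

    def redeem(self, link: str, cookie_value):
        """Validate a clicked link together with the browser's pin cookie.

        Returns (email, "ok") on success, otherwise (None, reason). The token
        is removed on the first attempt whatever the outcome, so someone who
        read the mailbox but lacks the cookie gets exactly one try and the
        legitimate user simply requests a fresh link.
        """
        token = parse_qs(urlparse(link).query).get("token", [""])[0]
        record = self._pending.pop(_digest(token), None)
        if record is None:
            return None, "unknown or already used token"
        if self._clock() > record["expires"]:
            return None, "expired"
        if cookie_value is None or not hmac.compare_digest(
                _digest(cookie_value), record["pin_hash"]):
            return None, "link opened in a different browser"
        return record["email"], "ok"


if __name__ == "__main__":
    store = MagicLinkStore()
    # Constructed sample: the mailbox is compromised, but not the browser.
    link, pin = store.issue("alice@example.com")
    print("attacker with link only:", store.redeem(link, None))
    # Same user, link opened where it was requested.
    link, pin = store.issue("alice@example.com")
    print("original browser:", store.redeem(link, pin))
```

One caveat worth knowing: the pin cookie must be SameSite=Lax, not Strict. The click comes from a webmail tab or a mail client, i.e. a cross-site top-level navigation, and Strict cookies are not sent on those, so a Strict cookie would make every legitimate link fail with the "different browser" error. Lax is still sent on top-level GET navigations, which is exactly this case.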

The premise is that what you “have” is unique (and thus secure) access to your email.

It bears the same risk of the unique access being lost as having unique access to your finger for finger print scanning, minus the risk of physical injury on compromise.

Magic links and federated emails have the same points of failure. If you got their email password, you're in.

And I don't like federated emails because I can't tell Google (I can tell FB, ironically) that I don't want all my data shared with the service I'm logging in with (some services, like Samsung phone stuff, want to get everything).

So thanks, but I'd rather only share an email/password in some cases.

Personally I'd rather them support magic links than support only google login, only apple or facebook, only github, etc. Nobody supports all of them.