by borplk 1929 days ago
One big flaw with login links sent to email is the delivery problem.

You can't assume the email will be delivered so quickly.

Who wants to get locked out of their account because the email has not arrived?

Login links can be a convenience feature but they must not be the only mechanism for login.

2 comments

How about a code delivered through SMS? Especially for mobile apps?
Same problem. A good login mechanism needs to rely on a "previously agreed upon" mechanism to perform the login and not break because an SMS or email is delayed. A password works this way. TOTP/HOTP 2FA also works this way.
The trade-off is higher security vs sites with passwords or a reset email option.
How are magic links higher security than passwords + two-factor auth? A magic link gives an attacker the ability to compromise any sites using magic links as long as they get access to the e-mail.

2fa + password means they could compromise the e-mail and still not be able to reset a password without the TOTP.

Social Auth is even more secure than magic links because the larger companies like Facebook and Google have already implemented SECURE 2fa and they've also implemented IP / Computer tracking so that if abnormal authentication happens you have to go through better verification.

If a magic link gets opened from Argentina when the user traditionally logs in from North Dakota, are you blocking that until they go through more verification? If not, it's not more secure.

I'm comparing magic links alone to passwords plus an additional reset email. Magic links with no passwords will be more secure.

If you add 2fa to passwords and keep the email reset then magic links alone will still be more secure.

Password reset ~= Magic link. The risk profile of this is no different than a password reset with no fallbacks such as 2FA.
I had to google "~="; I had no idea some languages use that for "not equals" instead of !=.

I've only found Lua and MATLAB that use it, but it's interesting to understand. I was super confused about what you were trying to say.

I thought he meant "about equal", as I've always used tilde to mean about/approximately.
Maybe he can clarify. I don't want to assume he meant "not equals", but that's what I found on Google.
I'm comparing passwords with an email reset vs magic links with no password in my comment.

Magic links will be more secure.