[postalrat]

The trade off is higher security vs sites with passwords or an reset email option.

[sontek]

How are magic links higher security than passwords + two-factor auth? A magic link gives an attacker the ability to compromise any sites using magic links as long as they get access to the e-mail.

2fa + password means they could compromise the e-mail and still not be able to reset a password without the TOTP.

Social Auth is even more secure than magic links because the larger companies like Facebook and Google have already implemented SECURE 2fa and they've also implemented IP / Computer tracking so that if abnormal authentication happens you have to go through better verification.

If a magic link gets opened from Argentina when the user traditionally logs in from North Dakota, are you blocking that until they go through more verification? If not its not more secure.

[postalrat]

I'm comparing magic links alone to passwords plus an additional reset email. Magic links with no passwords will be more secure.

If you add 2fa to passwords and keep the email reset then magic links alone will still be more secure.

[bhargav]

Password reset ~= Magic link. The risk profile of this is no different than a password reset with no fallbacks such as 2FA.

[sontek]

I had to google "~=" had no idea some languages use that for "not equals" instead of !=.

I've only found lua and MATLAB that use it but its interesting to understand. I was super confused on what you were trying to say.

[Osiris]

I thought he meant "about equal" as I've always used tilde to me about/approximately.

[sontek]

Maybe he can clarify. I don't want to assume he meant "not equals" but thats what I found on google

[postalrat]

I'm comparing passwords with an email reset vs magic links with no password in my comment.

Magic links will be more secure.