by mojuba 1620 days ago
In one of my current web-based projects I decided to experiment with magic links sent via email. They are pretty convenient (and secure enough), but it turns out there's a problem with mobile email clients: they tend to open links in isolated embedded browsers and then forget the cookies. For most non-technical people this is a show stopper, unfortunately.

I then went with one-time 6-digit sign in codes that are emailed to the user. These are secure enough if done right, but now I'm wondering if they will feel secure to the users.

P.S. I might change it to a one-time alphanumeric code, which should feel more secure.

6 comments

You know that the opened token is linked to the initial client session. You can unblock that session and the user can proceed in the non-isolated browser. You have this workflow with codes anyway: the user must open an email then go back to the browser and type in the code. With the link you will save on the typing.
Interesting! (I searched, even asked on SO, couldn't find any solution for this). So to elaborate: I first store a nonce in cookies as a login session token. Once the code is validated somehow, I unblock it on the backend, and on a first chance also set my main JWT cookie if not yet set. Excellent, that solves it!

P.S. Unless there are some security implications - need to think about it a bit more. Thanks!
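The flow sketched in the exchange above (a nonce cookie in the originating browser, a link token that may be opened in a different, cookie-less browser, and the backend "unblocking" the original session once the token is used) can be written out as a small server-side state machine. The code below is an added example for this thread, not code from the poster's project; the store, the 10-minute lifetime, the polling endpoint and all names are assumptions for illustration.

```python
import hashlib
import secrets
import time

# Assumed policy for the example: a link is valid for ten minutes.
LINK_TTL_SECONDS = 600


class MagicLinkAuth:
    """Cross-browser magic-link login.

    The browser that submits the sign-in form gets a session nonce in a
    cookie.  The emailed link carries a separate token.  Whichever browser
    opens the link (including an isolated in-app browser with no cookies)
    marks the originating session as approved; the originating browser
    polls and, once approved, is issued its real session.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # session_nonce -> pending login record
        self._by_token = {}      # sha256(link_token) -> session_nonce

    @staticmethod
    def _token_key(link_token):
        # Store only a hash of the link token so a leaked table does not
        # hand out usable links; sha256 is fine for a 256-bit random token.
        return hashlib.sha256(link_token.encode()).hexdigest()

    def start_login(self, email):
        """Browser A submits the email address.

        Returns (session_nonce, link_token).  The nonce is set as a cookie
        on browser A; the token goes only into the emailed link.
        """
        session_nonce = secrets.token_urlsafe(32)
        link_token = secrets.token_urlsafe(32)
        self._pending[session_nonce] = {
            "email": email,
            "expires": self._now() + LINK_TTL_SECONDS,
            "approved": False,
        }
        self._by_token[self._token_key(link_token)] = session_nonce
        return session_nonce, link_token

    def click_link(self, link_token):
        """Any browser (A, or an isolated in-app browser B) opens the link.

        The token is single-use: it is removed on first use whether or not
        the pending session is still valid.  Returns True if the originating
        session was approved.
        """
        session_nonce = self._by_token.pop(self._token_key(link_token), None)
        if session_nonce is None:
            return False
        rec = self._pending.get(session_nonce)
        if rec is None or self._now() > rec["expires"]:
            self._pending.pop(session_nonce, None)
            return False
        rec["approved"] = True
        return True

    def poll(self, session_nonce):
        """Browser A (which still has the nonce cookie) asks if it may proceed.

        Returns the email to mint a real session (e.g. the JWT cookie) for
        once approved, otherwise None.  The pending record is consumed so the
        nonce cannot be used a second time.
        """
        rec = self._pending.get(session_nonce)
        if rec is None:
            return None
        if self._now() > rec["expires"]:
            del self._pending[session_nonce]
            return None
        if not rec["approved"]:
            return None
        del self._pending[session_nonce]
        return rec["email"]


if __name__ == "__main__":
    auth = MagicLinkAuth()
    nonce, token = auth.start_login("alice@example.com")   # constructed input
    print("approved before click:", auth.poll(nonce))       # None
    print("click:", auth.click_link(token))                  # True
    print("approved after click:", auth.poll(nonce))         # alice@example.com
```

One caveat worth thinking about for the "security implications" the poster mentions: with this design the link only proves that whoever clicked it controls the mailbox, not that they are the person sitting at browser A. If someone else starts a login for your address and you click the resulting link without looking, their browser A session gets approved. The usual mitigations are to show the initiating browser a short verification string that the link's landing page repeats (or asks the user to confirm), and to state in the email which client or location requested the login.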

I find this way less convenient because my password manager automatically fills in my username and password, so I can log in with 1 click. With "magic links" I need to enter my email (which may be autocompleted, but it is much less reliable) and then wait for the email to show up (assuming I have my email available). Also, email is never going to be reliably "instant": spam techniques include bouncing an email and waiting for a retry, which is going to frustrate users and slow down login.

Additionally, my security is now tied to the email I use, which may be undesirable.

So I see why this exists, but please consider also supporting username+password at least until something else browser-integrated comes along.

I know but it comes at a price of some users who don't use a password manager setting silly weak passwords.

In one of my mobile apps that manages KeyChain user/passwords correctly, I still see a lot of password reset requests. I can't even think of a reason why people would ignore autofill so often. The result is that, although I haven't checked, I wouldn't be surprised if there were still a lot of "password123"s in the DB.

So neither are passwords a good option, it seems.

Don't let the user set the password, just assign them something random. If you let users pick their own passwords some of them are guaranteed to pick insecure ones (i.e. anything which isn't random and unique to that site).

Though frankly we should be able to do far better than one-off shared secrets for each account. WebAuthn, for example, with the browser as the authenticator, protected by either a client-side master password or biometrics. That would be at least as good as a password stored in a password manager, with the advantage that the user doesn't need to store (and sync) unique passwords for every site. To log in from a new device just enroll a second authenticator.

My experience with password managers is that it works that well on about 10% of websites/apps, and I have to resort to copy and paste from the password manager everywhere else. It's not that great.
10% is pretty low though. In my case Safari does it right in maybe 80% of cases. However the ones (websites and apps) that do it wrong can be very annoying.
That seems incredibly low. Using Firefox's built-in password manager I definitely get >90% of sites. The only site that I use frequently where it doesn't work is my bank because the "card number" isn't recognized as the username.

But even copy-paste isn't too difficult. Roughly as much clicking as the magic-link solution in my experience.

Having to check my e-mail for each login is a major annoyance. Perhaps something like SQRL[0] may help.

[0]: https://sqrl.grc.com/pages/what_is_sqrl/

How is this better than OAuth (assuming you use a provider who doesn't have or doesn't share your real name)?
More annoying than passwords?
Of course. I can type a password from memory, or it can be auto-filled by the browser/password-mgr. No interruptions before signing in. Having to open email inbox means switching tabs/context.
You never forget a password and/or your password manager generates passwords and auto fills them with no hiccup for every website and app out there? Also changing passwords when a site policy requires it or when (not if) a breach happens? Because that is NOT my experience.
Yes, occasionally there is a hiccup with the password system. But email link or code is disruptive and irritating 100% of the time.
My password manager fills them in for me. E-mail means switching tabs and remembering which account I used to sign up for the service to know where to check.
Sometimes the magic links or codes expire in X minutes. That helps them feel secure.

But like password resets, you're hosed if your email is hacked (unless you have 2FA).

Not only expiration, you also limit the number of attempts, the IP address, you verify an additional nonce token generated for the specific request, etc.

The security of your email is typically taken care of by a more sophisticated system like GMail, that will do captcha, they remember your geographic region, your habits, etc.

Given the above, I'd say alphanumeric one-time codes are better in terms of entropy and feel. They look like passwords but you don't need to remember them.

So, no worse than passwords at all
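The controls listed above (expiry, a cap on attempts, binding the code to the specific request nonce and client address, and an alphanumeric code instead of six digits) can be combined in one verification routine. The code below is an added example written for this thread, not the poster's implementation; the five-minute lifetime, the five-attempt cap, the 31-character unambiguous alphabet and the in-memory store are assumptions, and the entropy helper shows why the alphanumeric variant is stronger than six digits.

```python
import hashlib
import hmac
import math
import secrets
import time

# Assumed policy values for the example.
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5
# Uppercase letters and digits with the easily confused 0/O and 1/I/L removed,
# so the code is easy to read from an email and type on a phone.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # 31 symbols


def code_entropy_bits(alphabet_size, length):
    """Bits of entropy in a uniformly random code of the given shape."""
    return length * math.log2(alphabet_size)


def generate_code(length=8, alphabet=ALPHABET):
    """CSPRNG-backed code; secrets.choice is uniform over the alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _code_hash(request_nonce, code):
    # Hash the code together with the request nonce so the stored value is
    # useless against any other pending request and a dumped table does not
    # reveal live codes.
    return hashlib.sha256(f"{request_nonce}:{code}".encode()).hexdigest()


class OneTimeCodeStore:
    def __init__(self, now=time.time):
        self._now = now      # injectable clock for testing expiry
        self._pending = {}   # request_nonce -> record

    def issue(self, email, client_ip, length=8):
        """Create a pending request.  The nonce goes into a cookie on the
        requesting browser; the code goes into the email.  Returns both."""
        request_nonce = secrets.token_urlsafe(32)
        code = generate_code(length)
        self._pending[request_nonce] = {
            "email": email,
            "ip": client_ip,
            "code_hash": _code_hash(request_nonce, code),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return request_nonce, code

    def verify(self, request_nonce, code, client_ip):
        """Return the email on success, None on any failure.

        Order matters: expiry and the attempt counter are checked before the
        comparison so a wrong guess always costs an attempt, and the record
        is deleted on success, on expiry and when the cap is exceeded.
        """
        rec = self._pending.get(request_nonce)
        if rec is None:
            return None
        if self._now() > rec["expires"]:
            del self._pending[request_nonce]
            return None
        if rec["ip"] != client_ip:
            return None
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[request_nonce]
            return None
        submitted = _code_hash(request_nonce, code.strip().upper())
        if not hmac.compare_digest(submitted, rec["code_hash"]):
            return None
        del self._pending[request_nonce]
        return rec["email"]


if __name__ == "__main__":
    print("6 digits: %.1f bits" % code_entropy_bits(10, 6))
    print("8 x %d-symbol: %.1f bits" % (len(ALPHABET), code_entropy_bits(len(ALPHABET), 8)))
    store = OneTimeCodeStore()
    nonce, code = store.issue("alice@example.com", "203.0.113.5")  # constructed input
    print("emailed code:", code)
    print("verify:", store.verify(nonce, code, "203.0.113.5"))
```

Two practical notes. A six-digit code has about 19.9 bits of entropy, which is only acceptable because the attempt cap and expiry keep an online guesser to a handful of tries per request; the eight-character code from this alphabet has roughly 39.6 bits and survives a much sloppier policy. Binding to the client IP is the weakest of the listed controls: a phone that moves from Wi-Fi to cellular between requesting and typing the code will fail verification, so many deployments bind to the nonce cookie only and use the address just for rate limiting.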
I don't use a password manager and my email account is by far one of my most secure accounts so I actually love signing in to things like this. It beats having to remember another battery-horse-stapler type password. For more paranoid users you could add a 2FA option.
> one-time 6-digit sign in codes that are emailed to the user

> I'm wondering if they will feel secure to the users

I don't know about secure, but most users will feel extremely irritated for sure.