Good diagrams, as is needed in any authentication flow where the devil always ends up lurking in the details! But I have a general concern on passwordless. We recently tried switching a SaaS app to Firebase passwordless but it has been a support nightmare. Typical error cases:

a) User has to wait many minutes for email
b) User never finds the email
c) User clicks to get another email, invalidating the first, then clicks the first
d) User tries to re-use old sign-in emails to get in again many days later
e) User gets confused as to whether they are supposed to have a password or not, or other forms of sign-in vs passwordless

At best, these problems amount to some support work and user friction. But in the worst case, for the not-so-tech-savvy users, they become a complete blocker to using the product. Of course, we cannot track deliverability when the emails are sent by Firebase, so we can't really see how often there are problems. Are we just unlucky, missing something obvious, or is passwordless a poor bandaid on the auth problem (hey, webauthn?)
That could result in private user content being indexed by the crawler if it's not configured correctly, or if it didn't realise this.
This also introduces another complication on figuring out whether the user clicked it twice, or whether one click was actually the email server provider doing some "scanning" by clicking all the private links in the email...
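The failure cases raised in this thread (a second e-mail invalidating the first, old links being reused days later, a double click being indistinguishable from a mail scanner fetching every URL) are all policy decisions in the server-side token store. The following is an added example, not code from the original thread and not Firebase's implementation, of a magic-link store that makes those decisions explicit: tokens are stored hashed, every link for an address stays valid until its own expiry so that opening an older e-mail still works, redeeming any one link spends all outstanding links for that address, and a GET on the landing page only previews the token while the user's POST is what consumes it, so a scanner's automatic fetch cannot burn the link. The 15-minute TTL, the status names, the sample address and the split into `preview` and `redeem` are assumptions for illustration.

```python
"""Magic-link (passwordless e-mail) tokens with the thread's edge cases
handled explicitly. Illustrative code, not Firebase's; TTL, status names
and the preview/redeem split are assumptions."""
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a link dies 15 minutes after issue


@dataclass
class _Link:
    email: str
    issued_at: float
    consumed: bool = False


class MagicLinkStore:
    """Server-side store keyed by SHA-256 of the token, so a leaked table
    does not hand out usable sign-in links. The token itself is 256 bits
    of randomness, so the non-constant-time dict lookup is not a concern."""

    def __init__(self, ttl: float = TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._links: dict[str, _Link] = {}  # token hash -> link

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Mint a new link. Earlier links for the same address are NOT
        invalidated; they simply run out their own TTL, so a user who asked
        for a second e-mail and then opened the first still gets in."""
        token = secrets.token_urlsafe(32)
        self._links[self._digest(token)] = _Link(email, self._clock())
        return token

    def _lookup(self, token: str):
        link = self._links.get(self._digest(token))
        if link is None:
            return "unknown", None
        if link.consumed:
            return "already_used", link   # double click, or a sibling link was used
        if self._clock() - link.issued_at > self._ttl:
            return "expired", link        # old e-mail reopened days later
        return "ok", link

    def preview(self, token: str) -> str:
        """Status for the GET landing page. Never consumes the token, so a
        mail provider that fetches every URL in the message changes nothing."""
        status, _ = self._lookup(token)
        return status

    def redeem(self, token: str):
        """Called from the POST the user triggers on the landing page.
        Consumes this link and every other outstanding link for the address."""
        status, link = self._lookup(token)
        if status != "ok":
            return status, None
        for other in self._links.values():
            if other.email == link.email:
                other.consumed = True
        return "ok", link.email


def demo() -> list:
    """Walk through the thread's cases with a fake clock and return the
    status observed at each step, in order."""
    now = [1_000.0]
    store = MagicLinkStore(ttl=60, clock=lambda: now[0])
    first = store.issue("alice@example.com")   # constructed sample address
    second = store.issue("alice@example.com")  # user clicked "send it again"
    seen = [
        store.preview(first),      # scanner fetched the URL: "ok", not consumed
        store.preview(first),      # fetched again: still "ok"
        store.redeem(first)[0],    # user confirms the OLDER e-mail: "ok"
        store.redeem(first)[0],    # double submit: "already_used"
        store.redeem(second)[0],   # the newer link is spent too: "already_used"
    ]
    third = store.issue("alice@example.com")
    now[0] += 61                   # reopened well past the TTL
    seen.append(store.redeem(third)[0])        # "expired"
    seen.append(store.preview("not-a-token"))  # "unknown"
    return seen


if __name__ == "__main__":
    print(demo())
```

The distinct `already_used`, `expired` and `unknown` statuses are what let support tell a double click apart from a stale e-mail, which is the visibility the commenter above says is missing when the provider sends the mail.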