by mmgutz
1092 days ago
The big auth companies have been really good at creating those "Don't roll your own auth EVER!!!" articles. You're not alone. I take it a step further and don't deal with passwords. I use login through email, in which I send a nonce to the user's email. The users enter that nonce to log in. This is what many online bank apps do. That reduces the security surface area to CSRF, securing cookies and session expiry. Most popular frameworks should handle that part of it.
Initially people told me to use a login link or 'magic link'. However it quickly became clear that they also wanted to receive the code on a different device to the one they logged in with.
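The email-code flow described in the two comments above (a nonce is sent to the user's address and typed in, possibly on a different device than the one it was received on) is sketched below as an added example; it is not code from either commenter. It assumes an in-memory store, a caller-supplied delivery callable, and the constants for lifetime, attempt limit and code length, all of which are illustrative choices. The points a defender cares about are that only a salted hash of the code is stored, that the comparison is constant-time, that a code expires, is single-use, and is discarded after too many wrong guesses.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Illustrative parameters (assumptions, not values from the original comments).
CODE_TTL_SECONDS = 600   # a code is valid for ten minutes
MAX_ATTEMPTS = 5         # discard the code after five wrong guesses
CODE_DIGITS = 8          # eight-digit numeric code, easy to read off a phone


@dataclass
class PendingLogin:
    code_hash: bytes
    salt: bytes
    expires_at: float
    attempts: int = 0


class EmailCodeAuth:
    """Hypothetical one-time-code login: issue a code by email, verify it once."""

    def __init__(self, sender, clock=time.time):
        self._sender = sender   # callable(email, code) that delivers the code
        self._clock = clock     # injectable clock so expiry can be tested
        self._pending: dict[str, PendingLogin] = {}

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        # The plaintext code never sits in the store; a leaked table is useless.
        return hashlib.sha256(salt + code.encode()).digest()

    def start_login(self, email: str) -> None:
        # CSPRNG-backed digits; a fresh request replaces any earlier code.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[email] = PendingLogin(
            self._hash(code, salt), salt, self._clock() + CODE_TTL_SECONDS
        )
        self._sender(email, code)

    def verify(self, email: str, submitted: str) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[email]          # expired: force a new request
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[email]          # too many guesses: burn the code
            return False
        ok = hmac.compare_digest(
            self._hash(submitted.strip(), entry.salt), entry.code_hash
        )
        if ok:
            del self._pending[email]          # single use
        return ok


if __name__ == "__main__":
    # Stand-alone demo with a constructed "mailbox" instead of real email.
    mailbox = {}
    auth = EmailCodeAuth(lambda e, c: mailbox.__setitem__(e, c))
    auth.start_login("alice@example.com")
    print("verify:", auth.verify("alice@example.com", mailbox["alice@example.com"]))
```

Session creation after a successful `verify` (and the CSRF, cookie and expiry handling the first comment mentions) is left to the framework, as that comment suggests.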