by weikju
653 days ago
> And most implementations I've seen only log you in from the new link the email sent, not the original page.

Probably because:

- Bad actor A attempts to log in
- User B sees the email and unthinkingly clicks the magic link
- Bad actor A now has access.

There are probably ways around this (browser session/cookies/IP/etc must match?) but that'd be a common enough scenario... Common enough that e.g. Microsoft Authenticator switched from sending a notification that you can tap to approve/reject (same as scenario above) to needing to enter a 2-digit code that you also see on the webpage (so without seeing Bad Actor A's page you cannot enter the code and approve their login).
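The two mitigations the comment points at, shown together as an added Python example that is not part of the original thread: the login grant is bound to the browser session that requested the link (so whoever clicks the link never gets logged in themselves), and the link can only be consumed with the short number-matching code displayed on the requesting page (so a user who never saw the requester's page cannot complete it). The `MagicLinkService` class, its method names, the TTL and attempt limit, and the constructed session ids and addresses are all assumptions for illustration, not any product's implementation.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 600   # assumed: a link is valid for ten minutes
MAX_CODE_ATTEMPTS = 3     # assumed: a 2-digit code has only 100 values, so cap guesses


@dataclass
class PendingLogin:
    email: str
    session_id: str    # the browser session that asked for the link (the "original page")
    code: str          # 2-digit number-matching code shown only on that page
    expires_at: float
    attempts: int = 0


@dataclass
class LoginResult:
    ok: bool
    reason: str
    session_id: Optional[str] = None  # which session became authenticated, if any


class MagicLinkService:
    """Minimal in-memory magic-link flow (illustrative, not a real library)."""

    def __init__(self) -> None:
        self._pending: Dict[str, PendingLogin] = {}      # token hash -> pending login
        self._authenticated: Dict[str, str] = {}          # session id -> email

    @staticmethod
    def _hash(token: str) -> str:
        # Store only a digest of the link secret, as for any bearer credential.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_link(self, email: str, session_id: str,
                     now: Optional[float] = None) -> Tuple[str, str]:
        """Called from the login page. Returns (token for the email link, code to display)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(100):02d}"
        self._pending[self._hash(token)] = PendingLogin(
            email=email, session_id=session_id, code=code,
            expires_at=now + TOKEN_TTL_SECONDS)
        return token, code

    def consume_link(self, token: str, entered_code: str,
                     now: Optional[float] = None) -> LoginResult:
        """Called from the page the email link opens. The clicking browser is never
        logged in; on success only the originating session is marked authenticated."""
        now = time.time() if now is None else now
        key = self._hash(token)
        pending = self._pending.get(key)
        if pending is None:
            return LoginResult(False, "unknown_token")     # never issued, used, or revoked
        if now > pending.expires_at:
            del self._pending[key]
            return LoginResult(False, "expired")
        if not hmac.compare_digest(pending.code, entered_code):
            pending.attempts += 1
            if pending.attempts >= MAX_CODE_ATTEMPTS:
                del self._pending[key]                     # lock out brute-forcing of the code
                return LoginResult(False, "too_many_attempts")
            return LoginResult(False, "code_mismatch")
        del self._pending[key]                             # single use
        self._authenticated[pending.session_id] = pending.email
        return LoginResult(True, "ok", session_id=pending.session_id)

    def is_authenticated(self, session_id: str) -> Optional[str]:
        return self._authenticated.get(session_id)


if __name__ == "__main__":
    svc = MagicLinkService()
    # Honest flow (constructed): user requests from laptop, sees the code, opens the link on a phone.
    token, code = svc.request_link("user@example.test", "sess-laptop")
    print(svc.consume_link(token, code))                  # ok, session_id='sess-laptop'
    print(svc.is_authenticated("sess-laptop"), svc.is_authenticated("sess-phone"))
    # Scenario from the comment (constructed): attacker requests a link for the victim's address;
    # the victim clicks it but never saw the attacker's page, so cannot supply the code.
    atk_token, atk_code = svc.request_link("victim@example.test", "sess-attacker")
    guess = "00" if atk_code != "00" else "01"
    print(svc.consume_link(atk_token, guess))             # code_mismatch
    print(svc.is_authenticated("sess-attacker"))          # None
```

The important design point is in `consume_link`: the session that gets authenticated is read from the stored `PendingLogin`, never from the request that carries the token, so the email link is a confirmation of the original page rather than a login in its own right. The code check is the number-matching half: because the code has only 100 values, the attempt counter matters as much as the comparison.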