by filmgirlcw 526 days ago
I think as Ricky wrote last week [1], they should augment Magic Links or other auth methods. There are some positives about Magic Links for sure (though I don't know if making your email an even stronger attack vector is necessarily one of them), but for people who use a password manager, for example, they are a definite friction point that I think passkeys most certainly could alleviate.

There are definite UX problems around passkeys that could be improved and I think exporting will make syncing across systems a lot better (one of the reasons I use 1Password as my primary password and passkey system is so I can use my passkeys across devices; of course it helps that my employer uses 1Password as our system so I am logged into my personal and enterprise accounts and can auth then from personal or work devices, provided additional auth or enrollment isn't needed) -- but if the problem as 404 defines it is that they don't want to be responsible or even have to worry about storing your passwords/auth controls, I think passkeys are at least better for a subset of users than Magic Links.

But again, like Ricky, I don't think it should be viewed as either or. It should be both.

[1]: https://rmondello.com/2025/01/02/magic-links-and-passkeys/


Thank you for the link! I saw your other comment and actually edited mine to point to that, because it's definitely the answer to my question!

> though I don't know if making your email an even stronger attack vector is necessarily one of them

I'm unconvinced that magic links do make your email an even stronger attack vector. Essentially every service that would be inclined to use magic links would already have a way to reset your password entirely once the email is compromised. All magic links do is make this the primary way to interact with the auth flow.

The bad guys already know that your email is the best target. Magic links just make that very explicit.

>The bad guys already know that your email is the best target. Magic links just make that very explicit.

That's a good point. I guess my rationale is that it being explicit makes me feel less comfortable for my parents/non-tech-savvy friends, who already may not follow best practices for email hygiene (and may not use email providers that enforce stricter hygiene like 2FA or other methods of protection), and thus systems like this make their email even more explicitly the ultimate place to go for access to stuff.

>feel less comfortable for my parents/non tech-savvy friends, who already may not follow best-practices for email hygiene

making people feel less comfortable is probably a good thing.

i've managed to convince my dad to start taking his email security more seriously by reminding him a few times that if somebody gets access to his email, they can reset his password on every site where he uses that email address. it's good to remind people of why email security matters, and that it's not just about the personal messages from friends.

> Essentially every service that would be inclined to use magic links would already have a way to reset your password entirely once the email is compromised

Well, don't do that.

Do you have an alternative proposal for letting users back into their accounts when they inevitably lose their passkey? Because if you don't, this isn't a serious answer.

Password, not passkey. Recovery codes should be set up on account creation, but recovery of the password manager itself is what is required, and that usually has its own recovery mechanism.

Social key recovery is an underutilized solution as well.

How do you do account recovery when you lose a password or MFA token?

Of course, any website's auth system is as weak (or strong) as their recovery process. Different sites will implement this differently.

Typically by email, which OP says "don't do".

> There are some positives about Magic Links for sure

Like what? I'm failing to come up with a single benefit (for the user).

Not needing to remember passwords or use a password manager.

Password managers are now built into every operating system / browser, with trusted encrypted sync capabilities. The UX of using the built-in password manager is better than that of a magic link.