by lolinder 526 days ago
Thank you for the link! I saw your other comment and actually edited mine to point to that, because it's definitely the answer to my question!

> though I don't know if making your email an even stronger attack vector is necessarily one of them

I'm unconvinced that magic links do make your email an even stronger attack vector. Essentially every service that would be inclined to use magic links would already have a way to reset your password entirely once the email is compromised. All magic links do is make this the primary way to interact with the auth flow.

The bad guys already know that your email is the best target. Magic links just make that very explicit.


> The bad guys already know that your email is the best target. Magic links just make that very explicit.

That's a good point. I guess my rationale is that it being explicit makes me feel less comfortable for my parents/non-tech-savvy friends, who may already not follow best practices for email hygiene (and may not use email providers that enforce stricter hygiene, like 2FA or other methods of protection), and thus systems like this make their email even more explicitly the ultimate place to go for access to stuff.

> feel less comfortable for my parents/non-tech-savvy friends, who may already not follow best practices for email hygiene

Making people feel less comfortable is probably a good thing.

I've managed to convince my dad to start taking his email security more seriously by reminding him a few times that if somebody gets access to his email, they can reset his password on every site where he uses that email address. It's good to remind people of why email security matters, and that it's not just about the personal messages from friends.

> Essentially every service that would be inclined to use magic links would already have a way to reset your password entirely once the email is compromised

Well, don't do that.

Do you have an alternative proposal for letting users back into their accounts when they inevitably lose their passkey? Because if you don't, this isn't a serious answer.

Password, not passkey. Recovery codes should be set up on account creation, but recovery of the password manager itself is what is required, and that usually has its own recovery mechanism.

Social key recovery is an underutilized solution as well.
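As an added illustration of the two points above (this is example code, not from the thread or from any site discussed in it): a magic-link login token and a password-reset token are issued and redeemed through the same mailbox-rooted flow, while recovery codes generated at account creation give a second, single-use path that does not depend on the mailbox. The class, the in-memory store and the 15-minute TTL are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for an emailed link


def _digest(value: str) -> str:
    # Only hashes are stored, so a leaked table yields no usable tokens or codes.
    return hashlib.sha256(value.encode()).hexdigest()


class EmailLoginFlow:
    """Magic-link login and password reset share one trust root: the mailbox."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # token hash -> (user, purpose, expiry); constructed in-memory store
        self.recovery = {}  # user -> set of unused recovery-code hashes

    def issue_link_token(self, user: str, purpose: str) -> str:
        # Same issuance whether purpose is "login" (magic link) or "reset" (password reset).
        token = secrets.token_urlsafe(32)
        self.pending[_digest(token)] = (user, purpose, self.clock() + TOKEN_TTL_SECONDS)
        return token  # this is what goes into the emailed URL

    def redeem_link_token(self, token: str, purpose: str):
        # pop() makes the token single-use; a wrong-purpose or expired attempt also burns it.
        entry = self.pending.pop(_digest(token), None)
        if entry is None:
            return None
        user, stored_purpose, expiry = entry
        if stored_purpose != purpose or self.clock() > expiry:
            return None
        return user

    def create_recovery_codes(self, user: str, count: int = 8) -> list:
        # Generated once at account creation and shown to the user exactly once.
        codes = [secrets.token_hex(5) for _ in range(count)]
        self.recovery[user] = {_digest(c) for c in codes}
        return codes

    def redeem_recovery_code(self, user: str, code: str) -> bool:
        # Each code is consumed on first successful use.
        unused = self.recovery.get(user, set())
        wanted = _digest(code)
        for stored in unused:
            if hmac.compare_digest(stored, wanted):
                unused.discard(stored)
                return True
        return False
```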

How do you do account recovery when you lose a password or MFA token?

Of course, any website's auth system is as weak (or strong) as their recovery process. Different sites will implement this differently.

Typically by email, which OP says "don't do".