Hacker News new | ask | show | jobs
by marketneutral 106 days ago
On iOS and macOS 2FAs are auto-populated for you, and of course also your saved login and password. You don't need to leave the page and open other applications.

This is by far the most common sign-in UX. So is there some security benefit in the email link sign-in?
2 comments
esseph 106 days ago
> auto-populated

Auto population of login credentials including 2FA is currently an attack vector.

"A critical security flaw has been uncovered in the autofill functionality of nearly every major password manager. This vulnerability allows threat actors to stealthily harvest user credentials and sensitive financial data from deceptive web forms without user interaction, turning a core convenience feature into a potent weapon for cybercrime."

https://undercodetesting.com/the-autofill-trap-how-your-pass...

link
skeledrew 106 days ago
The only way an account accessed by a magic link can be compromised is by an already compromised associated email. No password in clipboard, which is how some of us still do it, etc. The magic link makes everyone secure regardless of how they store their secrets.

And there's also no password stash if the server were to be hacked, which means no sending out "please update your password" emails and the like.

link