Magic link sign-in flow (password-free logins) [Feature Request] #4724

Closed
KelseyDH opened this Issue Dec 14, 2017 · 10 comments

KelseyDH commented Dec 14, 2017

Magic Links are becoming an increasingly popular approach to logging in, thanks in part to Slack.

In a Magic Link login flow, a user is emailed (or texted!) a link to automatically log into their account by email, removing the need to remember a complex password. From a UX standpoint, the experience is excellent. Adding support for Magic Links through Devise would give Ruby on Rails in general a powerful leg up over other frameworks and authentication libraries.

A secure solution / proposal for how it could be added:

Since Devise already has comprehensive support for unlocking an account via an unlock_token or a password_reset_token, an eleventh module -- a standalone Magic Link module -- with controller + views similar to the Recoverable and Lockable modules could just be added without complecting devise's existing modules or codebase too much.

Thoughts?!

KelseyDH commented Dec 14, 2017

Screenshot of Slack's magic-login flow:

[three screenshots of Slack's magic-link sign-in flow, taken 2017-12-14; images not reproduced]

@KelseyDH KelseyDH changed the title Feature Request: Support for Magic Links? Future support for Magic Links? Dec 14, 2017

cross-p6 commented Dec 15, 2017

While the 'magic link' mechanism is great from a UX point of view, I have yet to see an implementation that is not trading security for ease of use. With that said, I'm hesitant to see this implemented in the devise core, since devise takes security very seriously and is expected to do so.
The magic link is actually very similar to the 'insecure sign in' after confirmation that at one time existed in devise and was removed, for good reason.
If implementations wish to override devise's mechanics to allow this behavior, so be it -- to have this be something in core that comes with the connotation of being secure is my main disagreement.

KelseyDH commented Dec 19, 2017

@cross-p6 What is it about a magic sign-in link/token that makes it insecure compared to a password reset link?

cross-p6 commented Dec 19, 2017

At one point, pre 3.1 iirc, confirmation tokens (and password resets too?) allowed the user to login. This was seen as a security risk since it would mean that simply having a confirmation token would allow a user to circumvent the auth process. For a full write up, see http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/

KelseyDH commented Dec 21, 2017

@cross-p6 Thank you for sharing this. However, I don't believe what you posted invalidates this approach for handling magic links.

From the devise write up you linked to:

Automatically signing the user in could also be harmful in the e-mail reconfirmation workflow.

The write-up then explains how confirmation tokens could become a security issue (my emphasis added):

Imagine that a user decides to change his e-mail address and, while doing so, he makes a typo on the new e-mail address. An e-mail will be sent to another address which, *with the token in hands, would be able to sign in into that account.*

If the user corrects the e-mail straight away, no harm will be done. But if not, someone else could sign into that account and the user would not know that it happened.

For this reason, Devise 3.1 no longer signs the user automatically in after confirmation. You can temporarily bring the old behavior back after upgrading by setting the following in your config/initializers/devise.rb

From this write up... we can see the security concerns are not that automatic logins via email are inherently dangerous... but rather, that automatic login links via email are dangerous if sent while in the context of a user changing their email address. The danger being that the user could mistakenly give someone else access to their account in a confirm-your-email confirmation email if they made a typo while in the process of changing their account's email address.

For confirmation links sent right after changing an email address, this is a valid security concern, and no doubt one that Devise was right to patch up. But it's not a security concern relevant for magic login links, which are sent when the connection between a user and their email address is unambiguous (especially if a user has confirmed their email address).

In such cases, magic links would be no more dangerous than Devise's default out-of-the-box configuration for password resets, where it's assumed that anyone who can prove ownership of an email address, and ownership of a token recently-generated for that email, is someone we can trust.

@KelseyDH KelseyDH changed the title Future support for Magic Links? Magic Link / "Email me a link" sign in flow (password-free logins) [Feature Request] Dec 21, 2017

@KelseyDH KelseyDH changed the title Magic Link / "Email me a link" sign in flow (password-free logins) [Feature Request] Magic link sign-in flow (password-free logins) [Feature Request] Dec 21, 2017
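The two comments above (cross-p6's point about Devise 3.1 dropping sign-in-on-confirmation in favour of digested tokens, and KelseyDH's "recently generated token for a confirmed address" model) describe a concrete token lifecycle. The following is an added illustration of that lifecycle in plain Ruby; it is not Devise's code and not code from the gem linked later in this thread. It assumes an in-memory `MagicLinkUser` stand-in for a users table, a 15-minute token lifetime, a plain SHA-256 digest (Devise itself keys its token digests with the application secret), and a hypothetical `https://app.example.com` URL. The redeem step refuses tokens whose recorded address no longer matches the account's current address, which is exactly the reconfirmation-after-typo hazard quoted from the Devise 3.1 write-up.

```ruby
require "securerandom"
require "digest"

# Stand-in for a users table row (assumption: no ActiveRecord here).
class MagicLinkUser
  attr_accessor :email, :confirmed_at
  attr_reader :magic_link_digest, :magic_link_email, :magic_link_sent_at

  def initialize(email, confirmed: true)
    @email = email
    @confirmed_at = confirmed ? Time.now : nil
  end

  # Persist only the digest, the address the link was sent to, and when.
  def store_magic_link(digest, email, at)
    @magic_link_digest = digest
    @magic_link_email = email
    @magic_link_sent_at = at
  end

  def clear_magic_link
    @magic_link_digest = @magic_link_email = @magic_link_sent_at = nil
  end
end

module MagicLink
  TOKEN_TTL = 15 * 60 # seconds; assumed, kept short like a reset window

  # Issue a token for a confirmed account. The raw value goes into the email
  # and is never stored; only its digest is, so a read of the users table
  # does not yield working login links (the Devise 3.1 rationale).
  def self.issue(user, now: Time.now)
    raise "refusing to issue a magic link for an unconfirmed address" unless user.confirmed_at
    raw = SecureRandom.urlsafe_base64(32) # 256 bits of entropy
    user.store_magic_link(Digest::SHA256.hexdigest(raw), user.email, now)
    raw
  end

  # Hypothetical link format for the email body.
  def self.link_for(raw, base_url: "https://app.example.com")
    "#{base_url}/users/magic_link?token=#{raw}"
  end

  # Returns :ok on a successful single-use redemption, otherwise a symbol
  # naming why the link was refused. Checks: presence, digest match
  # (constant time), lifetime, and that the account's address has not
  # changed since the link was sent.
  def self.redeem(user, raw, now: Time.now)
    return :no_token unless user.magic_link_digest && raw
    return :invalid unless secure_equal?(Digest::SHA256.hexdigest(raw), user.magic_link_digest)
    return :expired if now - user.magic_link_sent_at > TOKEN_TTL
    return :email_changed if user.magic_link_email != user.email
    user.clear_magic_link # single use: a replayed link hits :no_token
    :ok
  end

  # Constant-time comparison of two same-length hex digests.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  user = MagicLinkUser.new("alice@example.com") # constructed sample account
  token = MagicLink.issue(user)
  puts MagicLink.link_for(token)
  puts MagicLink.redeem(user, token) # => ok
  puts MagicLink.redeem(user, token) # => no_token (already used)
end
```

Wiring this into a Rails app would mean a mailer that sends `link_for(token)` and a controller action that looks the user up by the hashed token, calls `redeem`, and only then signs the session in; the token columns map onto the same kind of fields Devise uses for `reset_password_token` and `reset_password_sent_at`.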

rafaelfranca (Collaborator) commented Dec 22, 2017

Thank you for the feature request, but we don't plan to add any new feature to devise in the foreseeable future. I recommend you try to implement this feature as a devise plugin. If it gets popular we can think about integrating it in devise.

NielsKSchjoedt commented May 1, 2018

+1

dvanderbeek commented May 3, 2018

I took a stab at a gem for this feature. Feedback or PR's would be greatly appreciated! https://github.com/dvanderbeek/magic-link

KelseyDH commented May 4, 2018

@dvanderbeek Very cool! I just posted about this on Reddit in the hope of getting some additional attention on it. When the gem's documentation is fleshed out a bit this would definitely be worth posting to Hacker News also.

sounishnath003 commented Dec 25, 2018

How can I implement it?
