Replies: 6 comments 9 replies
-
Hi @gc-ss I totally agree on the problem of managing passwords. Actually, people without password managers tend to have only a few passwords, which they use on a lot of websites. This is an even bigger problem. That's why we advocate passwordless based on FIDO2 / CTAP2. So people don't have to remember a (potentially weak) password, but can rely on a cryptographically secure mechanism. Personally, I'd first encourage users to go passwordless using FIDO2. Nearly everyone, or at least the majority of people, already has a FIDO2-enabled device (any Apple device with TouchID / FaceID, Android devices, Windows Hello, ...). And there are USB keys as well, like SoloKeys, Yubikey, ... But magic links could serve as a second option for a passwordless flow. We would just have to discuss the use cases. It might be a case where people are not allowed to use their (personal) phone at work and don't have a FIDO key.
-
I worry about magic links due to my experience with Discord's magic links. For those unfamiliar, Discord has a system where, if you're logged in on your phone and you wish to log in on desktop, you can scan a QR code which is simply a magic link. Their implementation bypasses MFA and is generally very insecure. The worst part about it is that it's very easy to spoof. Recently, there has been a scam involving these QR codes pretending to be some sort of captcha. Scanning this QR code sends your logon token to the malicious user, allowing them to turn your account into a bot account. For those who are technical, this scheme fortunately has some very similar attributes to phishing scams, so they should be relatively easy to spot. However, there are a lot of people who simply follow directions without thinking, and, like a phishing scam, this is their primary audience.
I would suggest that this is a sufficient solution.
-
Is there a way we can implement this passwordless login using a pre-authenticated email link, without prompting the user to register the device using a security key or Android phone?
-
Based on feedback from community members, I think soft-onboarding users with Magic Links could be a valuable use case. Example for soft-onboarding:
-
I'd say magic links should be an alternative to password recovery, i.e. they should not bypass 2FA.
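As an added illustration of the point made in this reply (and of the failure mode described in the Discord comment above, where redeeming the link hands out a full session token), here is a minimal magic-link flow that treats the link as proof of mailbox control only: the secret half of the token is stored as a hash, the link is single-use and time-limited, and redeeming it returns a "second factor still required" state instead of a session for users who have 2FA enrolled. This is example code written for this discussion, not the project's implementation; the `example.test` URL, the 10-minute lifetime, the in-memory store, the outbox stand-in for a mailer, and the `MagicLinkStore` / `parse_link` / `demo` names are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 600  # assumed policy: a link is valid for 10 minutes


class MagicLinkStore:
    """In-memory stand-in for the database and the outgoing mailer (assumed)."""

    def __init__(self, now=time.time):
        self._now = now
        self._records = {}   # selector -> record; the verifier is kept only as a hash
        self.outbox = []     # (email, link) pairs a real mailer would send

    def issue(self, email, user_has_second_factor):
        selector = secrets.token_urlsafe(12)   # lookup key; harmless if it lands in logs
        verifier = secrets.token_urlsafe(32)   # secret part; never stored in the clear
        self._records[selector] = {
            "email": email,
            "verifier_hash": hashlib.sha256(verifier.encode()).digest(),
            "expires_at": self._now() + LINK_TTL_SECONDS,
            "used": False,
            "requires_second_factor": user_has_second_factor,
        }
        link = f"https://example.test/login/magic?s={selector}&v={verifier}"
        self.outbox.append((email, link))
        return link

    def redeem(self, selector, verifier):
        rec = self._records.get(selector)
        if rec is None:
            return {"ok": False, "reason": "unknown"}
        given = hashlib.sha256(verifier.encode()).digest()
        # Constant-time comparison so timing does not leak how much of the verifier matched.
        if not hmac.compare_digest(rec["verifier_hash"], given):
            return {"ok": False, "reason": "bad_verifier"}
        if rec["used"]:
            return {"ok": False, "reason": "already_used"}
        if self._now() > rec["expires_at"]:
            return {"ok": False, "reason": "expired"}
        rec["used"] = True  # burn the link before anything is granted
        # The link only proves control of the mailbox, i.e. it stands in for the
        # password. A user with a second factor enrolled must still present it.
        if rec["requires_second_factor"]:
            return {"ok": True, "email": rec["email"], "state": "needs_second_factor"}
        return {"ok": True, "email": rec["email"], "state": "authenticated"}


def parse_link(link):
    """Extract (selector, verifier) from a link, as the login endpoint would."""
    q = parse_qs(urlparse(link).query)
    return q["s"][0], q["v"][0]


def demo():
    """Walk through a first redemption, a replay, and an expired link."""
    clock = {"t": 1_000.0}  # constructed clock so expiry can be exercised offline
    store = MagicLinkStore(now=lambda: clock["t"])
    link = store.issue("alice@example.test", user_has_second_factor=True)
    s, v = parse_link(link)
    first = store.redeem(s, v)      # ok, but only "needs_second_factor"
    replay = store.redeem(s, v)     # rejected: already used
    stale_link = store.issue("alice@example.test", user_has_second_factor=True)
    clock["t"] += LINK_TTL_SECONDS + 1
    stale = store.redeem(*parse_link(stale_link))  # rejected: expired
    return first, replay, stale


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The split into a selector and a verifier means the database row can be found without the secret ever being compared in plaintext, and storing only `sha256(verifier)` means a leaked table does not yield working links. The important design choice for this thread is the return value: a successful redemption for a 2FA-enrolled user is not a session, it is a half-completed login that the caller must finish with the second factor.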
-
I'm working on a tool for people for whom technology is not really easy (elderly people, for example) and the FIDO2 solution is way too complex for them. In my case I prefer magic links, even if I know the downsides from a security point of view. Anyway, they do not have access to sensitive information; I prefer for them the smoothest experience rather than rock-solid security. Some of our users are resetting their password for every login attempt...
-
People have too many passwords and a lot of people don't use a password manager.
Besides supporting Federated identity management, it would be very helpful to have support for magic links.
Example: https://www.youtube.com/watch?v=hMqxo68ZJlw