I find it problematic if I do not have access to my email at the moment, or there is a glitch in the flow and I need to wait for the mail for some minutes, but that can also happen during 2FA, if email is used for that.
Also, magic links need to be designed so that I can log in on my PC, click the link on my phone, and be logged in on the PC.
Though I've really enjoyed using QR codes to log in, that has been a really smooth modern experience.
> Also, magic links need to be designed so that I can log in on my PC, click the link on my phone, and be logged in on the PC.
I feel that way too - I hate it when I'm trying to log in on desktop and the email shows up as a push notification on my phone.
The problem is what happens if someone enters someone else's email address and that person unwittingly clicks on the "approve" link in the email they receive. That only has to happen once for an account to be compromised.
So now you need "enter the 4 digit code we emailed you" or similar, which feels a whole lot less magical than clicking on a magic link.
Presumably there are well documented patterns for addressing this now? I've not spent enough time implementing magic links to have figured that out.
> someone enters someone else's email address and that person unwittingly clicks on the "approve" link
Eh? In a sane magic link system, clicking the magic link grants the clicker access to the account. Right then and there, in the browser that opened the link.
That's a bit weird for me: I sat down at my laptop and attempted to sign into a site on my laptop, and at the end of the sign-in flow I'm not signed in on my laptop, I'm signed in on my phone.
I would argue that a magic link system has to only allow the click-through to grant access on the machine that initiated the login flow.
If I enter my email in SomeSite, they send a magic link to my email address, and then Mallory intercepts that email and gains access to my SomeSite account just by opening the link (i.e. the link acts as a bearer token), that's completely broken.
If someone has access to your email, they can recover passwords to everything. Email is the master key, treat it that way.
> Also, magic links need to be designed so that I can log in on my PC, click the link on my phone, and be logged in on the PC.
No.
If magic links only log you in on the device you click them on, they prevent a lot of phishing attacks.
With a setup like that, there's literally no way to impersonate your website and steal user credentials.
This comes at a cost of making logins on public computers less secure, and which of these is more important should be weighed on a service-by-service basis.
A website for making presentations should obviously choose "more phishing and easier to use on public computers", a service for managing your employees' HR records should obviously choose the opposite.
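A sketch of the browser-bound design argued for above (the link only completes the login in the browser that started it, with an emailed code as the cross-device fallback), as an added example that is not part of this thread and not any particular service's implementation. The service class, the cookie/token/code names, the lifetime and attempt limits, and the example addresses are all assumptions. The scenarios at the end replay the cases raised in the comments: a same-browser click, a phone click followed by typing the code on the laptop, a stranger entering your address and you unwittingly clicking the link, and the phishing trade-off that the code path reintroduces.

```python
"""Magic-link login bound to the browser that started it (added example)."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 600   # assumed lifetime of a pending login
MAX_CODE_ATTEMPTS = 5     # assumed limit: a 6-digit code is guessable otherwise


def _h(value: str) -> str:
    # Store only hashes of secrets so a leaked pending table cannot be replayed.
    return hashlib.sha256(value.encode()).hexdigest()


class MagicLinkService:
    def __init__(self):
        self.pending = {}    # hash(browser cookie) -> pending login state
        self.sessions = {}   # session id -> logged-in email

    def start_login(self, email: str):
        """The browser submits an email address.
        Returns (cookie, link_token, code): `cookie` is set on the initiating
        browser, the emailed URL carries `link_token`, and the email body also
        shows `code` for finishing the login on a different device."""
        cookie = secrets.token_urlsafe(32)
        link_token = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[_h(cookie)] = {
            "email": email,
            "token_hash": _h(link_token),
            "code_hash": _h(code),
            "expires": time.time() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return cookie, link_token, code

    def _pending_for(self, cookie):
        # The pending login is found by the cookie the browser presents. No
        # matching cookie (other device, other user) means there is nothing to
        # complete, whatever token the URL carries.
        if cookie is None:
            return None
        rec = self.pending.get(_h(cookie))
        if rec is None or time.time() > rec["expires"]:
            self.pending.pop(_h(cookie), None)
            return None
        return rec

    def click_link(self, link_token: str, cookie):
        """Link opened in some browser; only the initiating browser gets a session."""
        rec = self._pending_for(cookie)
        if rec is None or not hmac.compare_digest(rec["token_hash"], _h(link_token)):
            return None
        del self.pending[_h(cookie)]          # single use
        return self._new_session(rec["email"])

    def submit_code(self, code: str, cookie):
        """Cross-device path: the code from the email is typed into the
        initiating browser. Rate-limited because the code is short."""
        rec = self._pending_for(cookie)
        if rec is None:
            return None
        if not hmac.compare_digest(rec["code_hash"], _h(code)):
            rec["attempts"] += 1
            if rec["attempts"] >= MAX_CODE_ATTEMPTS:
                del self.pending[_h(cookie)]
            return None
        del self.pending[_h(cookie)]
        return self._new_session(rec["email"])

    def _new_session(self, email: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = email
        return sid


# The situations from the thread as small scenarios (addresses are made up).

def scenario_same_browser():
    svc = MagicLinkService()
    cookie, token, _ = svc.start_login("alice@example.com")
    return svc.sessions.get(svc.click_link(token, cookie))


def scenario_cross_device():
    # Opening the link on the phone (no cookie) does nothing; the code typed
    # into the laptop browser, which holds the cookie, finishes the login there.
    svc = MagicLinkService()
    cookie, token, code = svc.start_login("alice@example.com")
    on_phone = svc.click_link(token, cookie=None)
    on_laptop = svc.submit_code(code, cookie)
    return on_phone, svc.sessions.get(on_laptop)


def scenario_stranger_enters_victim_email():
    # Mallory submits alice's address from her browser; alice unwittingly clicks
    # the link in her own browser. Nobody gets a session.
    svc = MagicLinkService()
    _mallory_cookie, token, _ = svc.start_login("alice@example.com")
    return svc.click_link(token, cookie=None), len(svc.sessions)


def scenario_phished_code():
    # The trade-off: a phishing site starts the login with alice's address,
    # alice types the emailed code into the phishing page, and the phisher
    # submits it with its own cookie. The code path is phishable; the link-only
    # path is not, because the link never reaches the phisher's browser.
    svc = MagicLinkService()
    phisher_cookie, _token, code = svc.start_login("alice@example.com")
    return svc.sessions.get(svc.submit_code(code, phisher_cookie))
```

Two caveats worth keeping in mind with this design. Binding to the initiating browser does nothing against someone who can already read your mailbox: they start a login from their own browser and click the link there, which is exactly the "email is the master key" point. And the cross-device code is only as strong as its rate limit, since six digits fall to brute force without one.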
> Email + magic link
Two scenarios I had recently, where I absolutely, utterly hated this pattern:
* I did not remember the mail address for such a thing because I started (too late) to use a different mail address for every service, thanks to Apple's iCloud hidden addresses. And because there was no corresponding password, there was no entry in my password manager. I have since rectified that, but it's annoying.
* I tried to log in on an older Windows PC - the magic mail landed on my iPhone. And because cross-system technical standards are a thing of the past, the only possibility to get the magic link to the other system was to transcribe it.
> Email + magic link is a pattern I keep seeing that's far more secure in practice.
I absolutely despise this. Every time I want to quickly log into an app and check something, just to sit in front of my synchronising mail client, wondering if the email will arrive, be caught by the spam filter, or just have random delay of a few minutes. Awful.
If the authentication session is long-lived then this is usually not too onerous; one round trip the first time you use it.
It’s a nightmare if they also insist on short lived sessions.
I hate it too. I always prefer TOTP. I never said this isn't shitty. Just that for normal users, it's more secure than passwords.
I first saw this with Anthropic. I clear my browser pretty regularly and this flow just adds so much friction. With a password manager plus TOTP I never really felt burdened by logging in every time I used a service. I hope this doesn't catch on.
> nothing beats the security and privacy of username + password + TOTP (or security key)
security key is at least somewhat better than TOTP because it's not (or less-)phishable
> Of course, nothing beats the security and privacy of username + password + TOTP (or security key), but you can't necessarily expect normal users to know to do that (or how).
Honestly, this just seems like a UX problem.
The ways this is currently implemented are often terrible, but not always. I'll give an example: I recently did a stint at "Green company" and they gave me a YubiKey. They also used Microsoft for most things. To log in with Microsoft Authenticator I type in my username and password, click yes on the next page, and then click yes on my phone. But to use the YubiKey was needlessly frustrating. First, Microsoft doesn't let you use it as the default method (hardware key). So then you have to click "use another form of authentication", "hardware key", "next" (why? Idk), and then finally you enter your PIN and tap the key. A bunch of needless steps there and I'm not convinced this wasn't intentional. There's other services I've used working at other places where it's clean and easy: username + password, then PIN + tap key (i.e. hardware key is default!).
I seriously think a lot of security issues come down to UX. There's an old joke about PGP:
How do you decrypt a PGP encrypted email?
You reply to the sender "can't decrypt, can you send it back in clear?"
It was a joke about the terrible UX. That it was so frustrating that this outcome was considered normal. But hey, we actually have that solved now. Your Gmail emails are encrypted. You have services like WhatsApp and Signal that are E2EE. What was the magic sauce? UI & UX. They are what make the tools available to the masses; otherwise it's just for the nerds.