Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
Ferret7446 9 days ago

> It's about email as single factor auth, which has become very trendy of late

I must be in the wrong bubble, I have not encountered any site that does this since the 2000s. It was a minor trend around then IIRC.

eddythompson80 9 days ago | parent | next [-]

Anthropic is the main one. Its pushing a lot of others to do the same. I literally was arguing against that 2 weeks ago and the person who was pushing it said "Claude does that. Its really slick, no password to remember".

Patreon can do that too, depending on how you sign up.

moi2388 9 days ago | parent | next [-]

It’s not slick at all. Passwords and MFA autofill, their image codes don’t, so I have to close the browser, go to email, copy code, delete email, go to browser, paste code just to login.

The entire email login flow is completely retarded. It’s not even secure.

const_cast 9 days ago | parent | prev | next [-]

A lot of services just do this de-facto, where you only need an email code to reset the password. Which is equivalent to single auth with email.

Email link to reset is better, email link + another auth (usually sms) is even better.

eddythompson80 9 days ago | parent [-]

Only in an abstract threat model sense. In real world phishing its pretty different.

Its super odd if you land on facebook.com-profilesadfg.info/login thinking its just Facebook and try to login but get a "password reset" email. Most people would be confused as they don't want to reset their password.

Having it for every login means that just missing the website URL, everything else is 100% legit.

vachina 9 days ago | parent | prev [-]

It’s not just slick, it is “secure” on the get go by thwarting any password stuffing attempts (if your email is not pwned already)

baobun 9 days ago | parent | prev | next [-]

I believe Slack popularized this back then and still do it.

gopkarthik 9 days ago | parent | prev | next [-]

In India, almost all websites & apps, send a OTP to either mobile or email & ask you to enter that to login. Most of them have even disabled password based login flows. Really grinds my gears.

wvenable 9 days ago | parent | prev | next [-]

Spotify just started doing this. I even have a password saved in my password manager but instead of asking me they just sent an email with a code.

daemin 9 days ago | parent | prev | next [-]

Booking does it and it frustrates me to no end.

ErneX 9 days ago | parent | prev [-]

Trip.com does this.