Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
ameliaquining 9 days ago

So there are two complaints about this authn scheme that I'm seeing in this thread:

1. It's pretty phishable. I think this is mostly solved, or at least greatly mitigated, by using a Slack-style magic sign-in link instead of a code that you have the user manually enter into the trusted UI. A phisher would have to get the user to copy-paste the URL from the email into their UI, instead of clicking the link or copy-pasting it into the address bar. That's an unusual enough action that most users probably won't default to doing it (and you could improve this by not showing the URL in HTML email, instead having users click an image, but that might cause usability problems). It's not quite fully unphishable, but it seems about as close as you can get without completely hiding the authentication secret from the user, which is what passkeys, Yubikeys, etc., do. I'd love to see the future where passkeys are the only way to log into most websites, but I think websites are reluctant to go there as long as the ecosystem is relatively immature.

2. It's not true multi-factor authn because an attacker only needs to compromise one thing (your inbox) to hijack your account. I have two objections to this argument:

a. This is already the case as long as you have an email-based password reset flow, which most consumer-facing websites are unwilling to go without. (Password reset emails are a bit less vulnerable to phishing because a user who didn't request one is more likely to be suspicious when one shows up in their inbox, but see point 1.)

b. True multi-factor authn for ordinary consumer websites never really worked, and especially doesn't work in the age of password managers. As long as those exist, anyone who possesses and is logged into the user's phone or laptop (the usual prerequisites for a possession-based second factor) can also get their password. Most websites should not be in the business of trying to use knowledge-based authentication on their users, because they can't know whether the secret really came from the user's memory or was instead stored somewhere, the latter case is far more common in practice, and only in the former case is it truly knowledge-based. Websites should instead authenticate only the device, and delegate to the device's own authentication system (which includes physical possession and likely also a lock secret and/or biometric) the task of authenticating the user in a secure multi-factor way.

ajanuary 9 days ago | parent | next [-]

Two problems I’ve encountered with magic links:

* Mobile email clients that open links in an embedded browser. This confuses some people. From their perspective they never stay logged in, because every time they open their regular browser they don’t have a session (because it was created in the embedded browser) and have to request a login link again.

* Some people don’t have their email on the device they want to log in on.

Sending codes solves both of these problems (but then has the issues described in the article, and both share all the problems with sending emails)

sweetjuly 9 days ago | parent [-]

Magic links can be used to authorize the session rather than the device. That is, starting the sign in process on your laptop and clicking the link on your phone would authorize your laptop's sign in request rather than your phone's browser. It requires a bit more effort but it's not especially difficult to do.

johtso 9 days ago | parent | next [-]

Wouldn't that be incredibly insecure? Attacker would just need to initiate a login, and if the user happens to click the link they've just given the attacker access to their account..

The reason why magic links don't usually work across devices/browsers is to be sure that _whoever clicks the link_ is given access, and not necessarily whoever initiated the login process (who could be a bad actor)

dspillett 9 days ago | parent [-]

> Wouldn't that be incredibly insecure?

If done naively with a simple magic link, yes.

> and if the user happens to click the link they've just given the attacker access to their account

Worse: if the user's UA “clicks the link” by making the GET request to generate a preview. The user might not even have opened the message for this to happen.

> Wouldn't that be incredibly insecure?

It can be mitigated somewhat by making the magic link go to a page that invites the user to click something that sends a post request. In theory the preview loophole might come into play here if the UA tries to be really clever, but I doubt this will happen.

Another option is to give the user the option to transfer the session to the originating UA, or stay where they are, if you detect that a different UA is used to open the magic link, but you'd have to be carful wording this so as to not confuse many users.

Hackbraten 9 days ago | parent [-]

> Worse: if the user's UA “clicks the link” by making the GET request to generate a preview.

You mean something like a popover preview that appears when the user hovers over a link?

Isn’t there a way to configure the `a` element so the UA knows that it shouldn’t do that?

dspillett 9 days ago | parent [-]

> You mean something like a popover preview

That, or a background process that visits links to check for malware before the user even sees the message.

> Isn’t there a way to configure the `a` element so the UA knows that it shouldn’t do that?

If sending just HTML you could include rel="nofollow" in the a tag to discourage such things, bit there is no way of enforcing that and no way of including it at all if you are sending plain text messages. This has been a problem for single-use links of various types also. So yes, but not reliably so effectively no.

xx_ns 9 days ago | parent | prev | next [-]

And we get back to the original point of the article (sort of). Opening a magic link should authenticate the user who opened the magic link, not the attacker who made the application send the magic link.

KayEss 9 days ago | parent | prev [-]

This is what makes securing this stuff so hard when you don't have proper review. What seems like a good idea from one perspective opens up another gaping hole somewhere else.

Off the cuff suggestions for improving UX in secure flows just make things worse.

geocar 9 days ago | parent | prev | next [-]

> think this is mostly solved, or at least greatly mitigated, by using a Slack-style magic sign-in link instead of a code that you have the user manually enter into the trusted UI.

Magic links are better than codes, but they don't work well for cross-device sign-in. What Nintendo does is pretty great: If I buy something on my switch, it shows me a QR code I take a picture of with my phone and complete the purchase there.

I agree it is "mostly solved" in that there are good examples out there, but this is a long way from the solution being "best practices" that users can expect the website/company to take security seriously.

> a. This is already the case as long as you have an email-based password reset flow

I hard-disagree:

If I get an email saying "Hi you are resetting your password, follow these directions to continue" and I didn't try to reset my password I will ignore that email.

If I have to type in random numbers from my email every few days, I'm probably going to do that on autopilot.

These things are not the same.

> anyone who possesses and is logged into the user's phone or laptop (the usual prerequisites for a possession-based second factor) can also get their password.

I do not know what kind of mickey-mouse devices you are using, but this is just not true on any device in my house.

Accessing the saved-password list on my computer or phone requires an authentication step, even if I am logged-in.

I also require second-authentication for mail and a most other things (like banking, facebook, chats, etc) since I do like to let my friends just "use my phone" to change something on spotify or look up an address in maps.

> Most websites should not be in the business of trying to use knowledge-based authentication on their users, because they can't know whether the secret really came from the user's memory or was instead stored somewhere

They can't know that anyway, and pretending they do puts people at risk of sophisticated attackers (who can recover the passkey) and unsophisticated incompetence on behalf of the website (who just send reset links without checking).

> Websites should instead authenticate only the device, and delegate to the device's own authentication system

I disagree: Websites have no hope of authenticating the device and are foolishly naive to try.

NooneAtAll3 9 days ago | parent | prev | next [-]

> Websites should instead authenticate only the device

except I'm a user, not a device

>>I<< want to be authenticated, not my specific device that I'm going to switch at some point

funciton 9 days ago | parent [-]

You want to be authenticated specifically on the device that you're using to access the website. Not some arbitrary other device.

If you enter your username, password, and totp, and the website tells you you've logged in from some device halfway across the planet you've never heard of, you probably have a problem.

pas 9 days ago | parent | prev [-]

offering TOTP MFA auth is important for people who actually keep at least some minimal boundary between their passwords and TOTP seeds.