southp 9 days ago

I get the point. However, from my own experience this type of one-time passcode is unfortunately the 2nd well-understood authentication method for non-tech people surrounding me. The 1st is the password, of course.

I don't know the general situation, but, at least in our small town, people would go to the phone service shop just for account setup and recovery, since it's just too complicated. Password managers and passkeys don't make things simpler for them either –– I've never successfully conveyed the idea of a password manager to a non-tech person; the passkey is somehow even harder to explain. From my perspective it's both the mental model and the extra, convoluted UX that's very hard to grasp for them.

Until one day we come up with something intuitive for a general audience, passwords and the "worse" one-time code will likely continue to be prominent for their simplicity.

myflash13 9 days ago | parent [-]

just stick with passwords then

jmull 9 days ago | parent | next [-]

I guess the problem is such people will mostly use passwords that are as weak as they can get away with.

danenania 9 days ago | parent | prev | next [-]

If you have password reset via email, as almost every service using passwords does, there’s no security gain over magic links/codes.

It’s actually worse, since now the email account or the password get you in, vs. just the email account.

MetaWhirledPeas 9 days ago | parent [-]

> If you have password reset via email, as almost every service using passwords does, there’s no security gain over magic links/codes.

I disagree. The problem with the magic code is that you've trained the user to automatically enter the code without much scrutiny. If one day you're attempting to access malicious.com and you get a google.com code in your email, well you've been trained to take the code and plug it in and if you're not a smarty then you're likely to do so.

In contrast, email password recovery is an exception to the normal user flow.

danenania 8 days ago | parent [-]

Password reset also has phishing potential. I do see your point, but if a user doesn’t check domains, I think they can be easily phished through either route.
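An added example, not from any commenter, of the point argued above: a server that verifies a typed code cannot tell the account owner from someone relaying that code, and binding the login to the browser that started it only helps when the secret is a link the user opens themselves. The in-memory store, the names, the sample e-mail address and the 5-minute expiry are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

_pending = {}  # constructed in-memory store of pending logins, keyed by e-mail

@dataclass
class PendingLogin:
    secret_hash: str     # SHA-256 of the e-mailed code or link token, never the raw value
    browser_cookie: str  # random value set as a cookie in the browser that started the login
    expires_at: float

def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

def start_login(email: str, now: float, ttl: float = 300.0):
    """Server side of 'e-mail me a code'. Returns (secret sent by e-mail, cookie set on the browser)."""
    secret = f"{secrets.randbelow(10**6):06d}"
    cookie = secrets.token_urlsafe(16)
    _pending[email] = PendingLogin(_digest(secret), cookie, now + ttl)
    return secret, cookie

def finish_login(email: str, secret: str, presented_cookie: Optional[str], now: float,
                 bind_to_browser: bool) -> bool:
    """Verify the e-mailed secret. With bind_to_browser the presenting browser must also hold
    the cookie from start_login(); without it, whoever holds the secret is let in."""
    p = _pending.get(email)
    if p is None or now > p.expires_at:
        return False
    ok = hmac.compare_digest(p.secret_hash, _digest(secret))
    if bind_to_browser:
        ok = ok and presented_cookie is not None and hmac.compare_digest(p.browser_cookie, presented_cookie)
    if ok:
        del _pending[email]  # single use
    return ok

def relayed_typed_code(bind_to_browser: bool) -> bool:
    """The thread's scenario: the login was started from a browser that is not the user's,
    the user types the e-mailed code into the wrong site, and it is submitted from that browser."""
    secret, other_cookie = start_login("user@example.com", now=1000.0)
    return finish_login("user@example.com", secret, other_cookie, 1001.0, bind_to_browser)

def link_clicked_by_user(bind_to_browser: bool) -> bool:
    """Same start, but the secret is a link the user opens in their own browser,
    which never received the cookie set when the login was started elsewhere."""
    secret, _other_cookie = start_login("user@example.com", now=1000.0)
    return finish_login("user@example.com", secret, None, 1001.0, bind_to_browser)
```

The typed code is accepted in both modes, so the binding changes nothing for the scenario above; only the link variant is refused, because the click happens in a browser that did not start the login.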

stronglikedan 9 days ago | parent | prev [-]

Good luck finding a suite of modern, convenient services that will allow you to do that nowadays. I wish we could opt-in with some sort of I-know-what-I'm-doing-with-passwords-and-take-full-responsibility option.

Wingman4l7 9 days ago | parent [-]

You vastly underestimate the number of people who should not pick this option but would (because doing otherwise would be admitting their incompetence / ignorance) -- thus handily continuing the problem.