danenania 9 days ago

If you have password reset via email, as almost every service using passwords does, there’s no security gain over magic links/codes.

It’s actually worse, since now the email account or the password get you in, vs. just the email account.

MetaWhirledPeas 9 days ago | parent [-]

> If you have password reset via email, as almost every service using passwords does, there’s no security gain over magic links/codes.

I disagree. The problem with the magic code is that you've trained the user to automatically enter the code without much scrutiny. If one day you're attempting to access malicious.com and you get a google.com code in your email, well, you've been trained to take the code and plug it in, and if you're not a smarty, you're likely to do so.

In contrast, email password recovery is an exception to the normal user flow.

danenania 8 days ago | parent [-]

Password reset also has phishing potential. I do see your point, but if a user doesn’t check domains, I think they can be easily phished through either route.