| ▲ | graemep 3 days ago |
| It's a lot lower risk, it's still not great IMO. Email is really not designed for it, and it trains people to use links to log in. |
|
| ▲ | kngspook 3 days ago |
| Yeah, I hate these. It's also a very not-ergonomic way to sign in. I wish those companies would redirect those efforts to passkeys. |
| |
| ▲ | hirako2000 3 days ago |
| It's very ergonomic for those who discovered the internet via an iPhone, who think Gmail is email. They can't remember their passwords, and wouldn't know where or how to recover most cryptographic factors. They have an email account they tend to have access to and use magic links to log in, they are very happy with that. Not promoting the pattern, I also find it worrying the majority of internet users have no basic understanding of authentication and the risk for their digital identity. |
|
|
| ▲ | danenania 2 days ago |
| Username/password typically has the same issue via reset password links. |
| |
| ▲ | graemep 2 days ago |
| I agree. However, you use them less often, so it's far harder for someone to time it right. If you use a username instead of an email address, attackers have to guess that too. One quite serious problem I see quite often is using email plus password for login, and notifying on failed login that the email is not in the system, letting attackers validate which emails are logins. |
| ▲ | danenania 2 days ago |
| It happens less often, but it's also more believable that it would be sent without a user action—e.g. "We had a security incident. Please click here to change your password." And this is exactly the kind of phishing attack that is most effective, as this particular incident shows. So I'd say it's actually a worse phishing vector than magic links. |
|
|