est,
@est@emily.news avatar

Hey, auth experts, what's the vibe on passwordless auth using an email link? Would you use it on a Very Serious Website?

dkub,
@dkub@woof.group avatar

@est I realized I never came back to answer this properly lmao.

As you said elsewhere, people are doing it anyway via password reset methods and this just kinda…admits that.

My personal vibe is I don’t like it without additional step up authentication. Personally, if I were greenfielding an experience I would go all in on passkeys as your “magic login”. You get hardware keys for free-ish if you do. Which security conscious users will like.

steve,

@est if you have a “reset password” link it’s about equivalent. So … not great for the very serious website where I’d expect to have real 2FA. (As a user, meh).

zero,
@zero@woof.group avatar

@est

E-mail is fast becoming the single point of failure for everything.

IF you take security of your e-mail seriously (2 factor auth, notification of trusted person on logins, etc.) THEN sure, use it on a V.S.W.

But if I were building a V.S.W., I wouldn't trust my users to secure their e-mail, so I wouldn't build it with passwordless auth via email.

[Disclaimer: I ran a security research project at G. for years to create better auth. methods. I might be a little opinionated!]

est,
@est@emily.news avatar

@zero a large set of users just use password reset emails to log in anyways (anywhere between one in five, to half)

dkub,
@dkub@woof.group avatar

@est @zero Once we implemented self-service password reset via email or SMS OTP it basically became the de facto way to log in for about 25% of our users.

(Please don’t ask how we did it before. Thanks.)

est,
@est@emily.news avatar

@dkub @zero this is a very typical pattern

zero,
@zero@woof.group avatar

@est yes, I know - hence why e-mail is such a security target now.

But this just tells us that password auth fails users at scale. We've known this for decades, but done nothing about it.

We either needed ubiquitous support for better password management - or a system w/o passwords. I developed one of the latter, but because it also kept identity in the hands of the users, big tech didn't want it (despite funding the development!)
