undefined | Better HN

0 pointsstickfigure1y ago0 comments

> someone enters someone else's email address and that person unwittingly clicks on the "approve" link

Eh? In a sane magic link system, clicking the magic link grants the clicker access to the account. Right then and there, in the browser that opened the link.

0 comments

4 comments · 2 top-level

philsnow1y ago· 2 in thread

I would argue that a magic link system has to only allow the click-through to grant access on the machine that initiated the login flow.

If I enter my email in SomeSite, they send a magic link to my email address, and then Mallory intercepts that email and gains access to my SomeSite account just by opening the link (i.e. the link acts as a bearer token), that's completely broken.

stickfigureOP1y ago

If someone has access to your email, they can recover passwords to everything. Email is the master key, treat it that way.

portaouflop1y ago

Use MFA and that is not the case.

If email is your master key to everything I would worry.

1 more reply

simonw1y ago

That's a bit weird for me: I sat down at my laptop and attempted to sign into a site on my laptop, and at the end of the sign-in flow I'm not signed in on my laptop, I'm signed in on my phone.

j / k navigate · click thread line to collapse