undefined | Better HN

0 pointslolinder1y ago0 comments

Thank you for the link! I saw your other comment and actually edited mine to point to that, because it's definitely the answer to my question!

> though I don't know if making your email an even stronger attack vector is necessarily one of them

I'm unconvinced that magic links do make your email an even stronger attack vector. Essentially every service that would be inclined to use magic links would already have a way to reset your password entirely once the email is compromised. All magic links do is make this the primary way to interact with the auth flow.

The bad guys already know that your email is the best target. Magic links just make that very explicit.

0 comments

filmgirlcw1y ago

>The bad guys already know that your email is the best target. Magic links just make that very explicit.

That's a good point. I guess my rationale is that it being explicit makes me feel less comfortable for my parents/non tech-savvy friends, who already may not follow best-practices for email hygiene (and may not use email providers that enforce stricter hygiene like 2FA or other methods of protection) and thus, systems like this, make their email even more explicitly the ultimate place to go for access to stuff.

notatoad1y ago

>feel less comfortable for my parents/non tech-savvy friends, who already may not follow best-practices for email hygiene

making people feel less comfortable is probably a good thing.

i've managed to convince my dad to start taking his email security more seriously by reminding him a few times that if somebody gets access to his email, they can reset his password on every site where he uses that email address. it's good to remind people of why email security matters, and that it's not just about the personal messages from friends.

adastra221y ago

> Essentially every service that would be inclined to use magic links would already have a way to reset your password entirely once the email is compromised

Well, don't do that.

lolinderOP1y ago

Do you have an alternative proposal for letting users back into their accounts when they inevitably lose their passkey? Because if you don't, this isn't a serious answer.

adastra221y ago

Password, not passkey. Recovery codes should be setup on account creation, but recovery of the password manager itself is what is required, and that usually has its own recovery mechanism.

Social key recovery is an underutilized solution as well.

madeofpalk1y ago

How do you do account recovery when you lose a password or MFA token?

Of course, any website's auth system is as weak (or strong) as their recovery process. Different sites will implement this differently.

1 more reply

j / k navigate · click thread line to collapse

0 pointslolinder1y ago0 comments

Thank you for the link! I saw your other comment and actually edited mine to point to that, because it's definitely the answer to my question!

> though I don't know if making your email an even stronger attack vector is necessarily one of them

The bad guys already know that your email is the best target. Magic links just make that very explicit.

0 comments

filmgirlcw1y ago

>The bad guys already know that your email is the best target. Magic links just make that very explicit.

notatoad1y ago

>feel less comfortable for my parents/non tech-savvy friends, who already may not follow best-practices for email hygiene

making people feel less comfortable is probably a good thing.

adastra221y ago

> Essentially every service that would be inclined to use magic links would already have a way to reset your password entirely once the email is compromised

Well, don't do that.

lolinderOP1y ago

Do you have an alternative proposal for letting users back into their accounts when they inevitably lose their passkey? Because if you don't, this isn't a serious answer.

adastra221y ago

Password, not passkey. Recovery codes should be setup on account creation, but recovery of the password manager itself is what is required, and that usually has its own recovery mechanism.

Social key recovery is an underutilized solution as well.

madeofpalk1y ago

How do you do account recovery when you lose a password or MFA token?

Of course, any website's auth system is as weak (or strong) as their recovery process. Different sites will implement this differently.

1 more reply

j / k navigate · click thread line to collapse