undefined | Better HN

0 pointsmichaelt1y ago0 comments

> It’s not a higher level of security than password-based authentication. Why do you state that?

Personally I'm no fan of magic links.

But the people who do like magic links would say the typical 'forgot password' flow is to send a password reset magic link by e-mail. That means you've got all the security weaknesses of a magic link, and the added weaknesses of password reuse and weak passwords.

Of course you can certainly design a system where this isn't the case. Banks that send your password reset code by physical mail. Shopping websites where resetting your password deletes your stored credit card details. Things like that.

0 comments

matt-p1y ago

It's not about 'liking' magic links;

That means you've got all the security weaknesses of a magic link, and the added weaknesses of password reuse and weak passwords.

Is objectively true. I don't really 'like' magic links but I think they're a very easy to implement and simple to use for infrequently accessed systems. Arguably easier than user/pass and certainly more secure.

adastra221y ago

Even with those assumptions (which I question), it is only a higher level of security if you assume that your users are reusing passwords, or using low entropy passwords. Neither would apply if they are using a password manager, which a growing majority of web users are.

j / k navigate · click thread line to collapse