“Magic email” login is the most stupid method to me. Yeah, just make it impossible to log in with my password manager. The average person probably has the weakest password for their email anyway so if a hacker has access to their account you just made it 100% easier for them to log in.
It’s to outsource the security risk/liability to a third-party
Even though I can’t stand “log in with…”-style logins I’d still take that over the stupid link.
Oh yea. 100%. You can’t have your vibe-coded insecure Supabase user database stolen with plaintext creds if you don’t store user creds in the first place.
Well that’s definitely the lesser of two evils
It’s one of those dark patterns that prevents account sharing. So if you use a magic email login, nobody can share their account with their family & friends and everybody has to pay. Profit!
You can just automate forwarding those login emails, no?
laughs in Sieve filter
I mean if your email is compromised, most of your accounts can have their passwords reset, no? So it’s basically the same as resetting your password every time you log in. Dumb, I agree, but surely not worse from a security standpoint, right?
Boomers do that
Fully agree, it’s almost security theater.
They need to offer a way for use with a password manager, maybe a slightly hidden option or detecting a really long password to stop all the extra bits.
I forgot what the service was but it will have my user and pass, prompt the email verify, and then it will ask for the token generated in an Auth app.
At a certain point the proper user probably can’t get in
Are you talking about TOTP?
Yes, for the last Auth they had me use TOTP.
Thanks, still having my morning drink and forgot the name when I replied.
To be fair basically all services allow resetting passwords via email so even without the magic email link they’d be fucked anyways if their email got hacked.