Magic link only is the worst kind of login system. However, I don’t know any big real companies that use this.
If you don’t like passwords, just use passkeys.
Booking.com (at least in Germany) only uses magic links for some time now. I hate it.
It feels like the factors of authentication discussion misses one important aspect: can the factor be replayed. Passwords can be replayed indefinitely, while the email links you get or the OTP token only work for a short period of time.
I remember it from the bad days when I used LastPass. Suddenly I got a notification that the place had been compromised and I had to suddenly change hundreds of passwords. 90% of them were for sites that didn't even exist any longer, but sifting through the long, long list to go change passwords was more work than I wanted to do.
Don't have to do that if I need to use a one-time token via Aegis or email! I do agree, though, that for low risk sites, username/password is totally fine.
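The replay distinction raised in the comments above, as an added example that is not part of any comment in this thread: a captured emailed token is accepted once and only inside its validity window, while a captured password verifies every time. The `OneTimeTokenStore` class, the 10-minute TTL and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL_SECONDS = 600  # assumed 10-minute validity window


class OneTimeTokenStore:
    """Server-side store for emailed login tokens (hypothetical helper)."""

    def __init__(self):
        self._pending = {}  # sha256(token) -> (email, expires_at)

    def issue(self, email, now):
        token = secrets.token_urlsafe(32)  # unguessable, sent by email
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, now):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop makes it single use
        if entry is None:
            return None  # unknown token, or already redeemed (replay)
        email, expires_at = entry
        return email if now < expires_at else None  # reject stale tokens


def check_password(stored_hash, salt, candidate):
    # A static secret: the same input verifies on every attempt.
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
    return hmac.compare_digest(stored_hash, derived)


def demo():
    store = OneTimeTokenStore()
    t0 = 1_700_000_000  # constructed timestamp
    token = store.issue("user@example.com", t0)
    first = store.redeem(token, t0 + 30)    # legitimate click
    replay = store.redeem(token, t0 + 60)   # same link used again
    stale = store.issue("user@example.com", t0)
    expired = store.redeem(stale, t0 + TOKEN_TTL_SECONDS + 1)

    salt = b"constructed-salt"  # constructed sample values
    stored = hashlib.pbkdf2_hmac("sha256", b"sample-password", salt, 100_000)
    replays = [check_password(stored, salt, "sample-password") for _ in range(3)]
    return first, replay, expired, replays


if __name__ == "__main__":
    print(demo())
```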
It's a neat option, but should not be forced.
That's the one good thing about just-eat leaving Denmark, no more having to deal with that BS.
Yubikey. Done.
The PIN system implementation is terrible, at least for Windows, because it forces you to make a PIN, but not all websites do that. So it's easy to make a PIN for one website but not realize that if you forget the PIN and misenter it 10 times, it locks the key permanently and you have to reset it. But that deletes everything, so you can end up in a situation where the YubiKey is on your site account login but you don't have it now, and you can get locked out.