Passwordless login (with magic link / code in email) #5
Comments
No, not now. I thought about it in the early days of Shield, but decided to postpone consideration. There's not a lot of open research on passwordless at the moment. The implementations I've read about seem to rely on sending tokens via email. Essentially, it's a single-factor authentication using emailed tokens instead of passwords. Email security is unreliable, so using it once in a while (e.g. in password resets) may be acceptable. Relying on it regularly (e.g. for logins) is

I may have skimmed through a paper (probably by Microsoft) that talks about passwordless using public key crypto. This has worked for SSH for a long time; I guess the web is a different ball game. Passwords must go at some point. But I think we need more extensive and conclusive research on alternatives.
Thanks for your detailed answer.
Yes, I'm putting aside non-email based solutions (biometrics / hardware crypto / sms / ...).
The gist of my choice in going with email magic links is in fact considering that password resets are magic links (some lazy/smart? people were using these as such before the advent of password managers). With password resets, the password or the email account can be compromised to have illegitimate access to your app. Without passwords, only the email account has to be compromised. I'm just putting the burden of
I'll let the security experts chime in :-)
Passwordless login is a divisive authentication approach (mostly UX-wise) but it has its benefits (https://medium.com/findworkco/password-less-login-df0354c3f3ee and https://medium.com/findworkco/password-less-login-continued-9f61bfda0175).
I'm implementing it by expanding/abusing the email confirmation logic from https://github.com/stephendolan/lucky_jumpstart but it'd be great if there was a cleaner upstream implementation.
Is this something you would consider adding?
Also, this login method is often complemented with social logins. I can open a separate issue if that enters the scope of Shield.
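The thread's core point is that a magic link makes the mailbox the only factor, exactly as a password-reset link already does. What keeps that tolerable is how the token is handled: high entropy, only a digest stored server-side, a short lifetime, and strictly single use. The following is an added example of that issue/redeem flow; it is not Shield's code and not the lucky_jumpstart email-confirmation logic mentioned above. It is written in Ruby (close to, but not, Crystal), and the class name, the in-memory store, the 15-minute TTL and the injectable clock are all assumptions made for the example.

```ruby
require "securerandom"
require "digest"

# Added example (hypothetical): a minimal magic-link issuer/verifier.
# Not Shield's code; the class, store and TTL are assumptions for illustration.
class MagicLinkService
  # Short lifetime: with no password, the emailed link is the whole credential.
  TOKEN_TTL = 15 * 60 # seconds

  Record = Struct.new(:email, :expires_at, :used)

  # The clock is injectable so expiry can be exercised deterministically.
  def initialize(clock: -> { Time.now.to_i })
    @clock = clock
    @records = {} # SHA-256(token) => Record; the raw token is never stored
  end

  # Creates a single-use token for +email+ and returns the raw token that goes
  # into the emailed link. Only its digest is kept, so a leaked copy of the
  # store cannot be replayed as a login.
  def issue(email)
    raw = SecureRandom.urlsafe_base64(32) # 256 bits of entropy
    @records[digest(raw)] = Record.new(email, @clock.call + TOKEN_TTL, false)
    raw
  end

  # Builds the link for the email body. The token travels in the URL, so the
  # redeem endpoint must be reachable over HTTPS only.
  def link_for(base_url, raw)
    "#{base_url}/login/magic?token=#{raw}"
  end

  # Exchanges a raw token for the email it was issued to, or nil. Every failure
  # path returns the same nil, so a caller cannot tell an unknown token from a
  # used or expired one. Lookup is by digest, so no stored secret is compared
  # byte-by-byte against attacker input.
  def redeem(raw)
    record = @records[digest(raw)]
    return nil if record.nil?
    return nil if record.used
    return nil if @clock.call > record.expires_at
    record.used = true # burn it: a link that leaks after use is worthless
    record.email
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end

if __FILE__ == $PROGRAM_NAME
  svc = MagicLinkService.new
  token = svc.issue("alice@example.com") # constructed sample address
  puts svc.link_for("https://app.example", token)
  puts svc.redeem(token).inspect # the email, first time only
  puts svc.redeem(token).inspect # nil: single use
end
```

One caveat a deployment needs to handle that the block does not: some mail-security gateways prefetch links in incoming mail, which would consume a single-use token before the user clicks it. The usual fix is to have the GET landing page render a form and only consume the token on the POST it submits.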